Ensure there are no Amazon IAM users with administrative permissions (i.e. privileged users) available in your AWS cloud account, in order to adhere to IAM security best practices and implement the Principle of Least Privilege (the practice of granting every user only the minimal access required to perform their tasks). A privileged IAM user is an IAM identity that has full access to AWS cloud services and resources through the "AdministratorAccess" managed policy. Trend Cloud One™ – Conformity strongly recommends that IAM administration and permission management within your AWS account be divided between two well-defined roles: IAM Master and IAM Manager. The IAM Master and IAM Manager role policies must replace the "AdministratorAccess" policy attached to privileged IAM users, so that other IAM users and roles can be created and configured with limited permissions that follow the same Principle of Least Privilege.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an Amazon IAM user with administrator-level permissions (authorized to modify or remove any resource, access any data in your cloud account, and use any service or component) is used by an inexperienced person within your organization, their actions can lead to severe security issues, data leaks, data loss, or unexpected charges on your AWS bill.
Note: As an example, this conformity rule demonstrates how to check for the "AdministratorAccess" policy, an AWS-managed policy that allows access to all AWS cloud services and resources. However, if your Amazon IAM users have customer-managed policies attached, search those policies for administrator-level permissions, represented by "Effect": "Allow" together with any of the following actions: "Action": "Delete*", "Action": "Create*", "Action": "Update*", or "Action": "*".
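As an added example (not the Conformity tool's own code), the following Python applies the check described in this note to per-user data gathered with the list-users and list-attached-user-policies CLI calls plus each customer-managed policy's default version document. It reads the note's patterns against the action name after the service prefix, so s3:DeleteObject or iam:* count as administrator-level too; that broader reading, and the sample input, are this example's own assumptions.

```python
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ADMIN_ACTION_PREFIXES = ("Delete", "Create", "Update")  # from the rule's note; bare "*" handled below

def _as_list(value):
    """IAM policy JSON allows a bare string wherever a list is expected."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _action_name(action):
    """'s3:DeleteBucket' -> 'DeleteBucket'; 'iam:*' -> '*'; a bare '*' stays '*'."""
    return action.split(":", 1)[1] if ":" in action else action

def policy_grants_admin(document):
    """Return the first Allow action matching the note's admin-level patterns, else None."""
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        for action in _as_list(stmt.get("Action")):
            name = _action_name(action)
            if name == "*" or name.startswith(ADMIN_ACTION_PREFIXES):
                return action
    return None

def find_privileged_users(users):
    """users: list of {"UserName", "AttachedPolicies": [{"PolicyArn", "Document"}]}.
    Returns {user_name: reason} for every user holding administrator-level permissions."""
    findings = {}
    for user in users:
        for pol in user.get("AttachedPolicies", []):
            arn = pol["PolicyArn"]
            if arn == ADMIN_POLICY_ARN:
                findings[user["UserName"]] = "AWS-managed AdministratorAccess attached"
                break
            hit = policy_grants_admin(pol.get("Document", {}))
            if hit:
                findings[user["UserName"]] = f"customer-managed {arn} allows {hit}"
                break
    return findings

# Constructed sample input (not real account data); AWS-managed policies carry no document here.
SAMPLE_USERS = [
    {"UserName": "alice", "AttachedPolicies": [{"PolicyArn": ADMIN_POLICY_ARN}]},
    {"UserName": "bob", "AttachedPolicies": [{
        "PolicyArn": "arn:aws:iam::123456789012:policy/BucketCleanup",
        "Document": {"Statement": {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "*"}}}]},
    {"UserName": "carol", "AttachedPolicies": [{
        "PolicyArn": "arn:aws:iam::123456789012:policy/ReadThenDenyAll",
        "Document": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
                                   {"Effect": "Deny", "Action": "*", "Resource": "*"}]}}]},
]
```

Running find_privileged_users(SAMPLE_USERS) flags alice and bob but not carol, whose only Allow statement is read-only.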
Audit
To determine if there are IAM users with administrative permissions available within your AWS cloud account, perform the following actions:
Remediation/Resolution
To adhere to IAM security best practices and implement the IAM Master and IAM Manager role policies for your privileged IAM users, perform the following actions:
References
- AWS Documentation
  - Security Best Practices in IAM
  - AWS Security Audit Guidelines
  - IAM Users
  - Managing IAM Users
  - Changing Permissions for an IAM User
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-users
    - list-attached-user-policies
    - detach-user-policy
    - add-user-to-group