
IAM Users with Administrative Privileges

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-036

Ensure there are no Amazon IAM users with administrative permissions (i.e. privileged users) available in your AWS cloud account in order to adhere to IAM security best practices and implement the Principle of Least Privilege (the practice of granting every user the minimal amount of access required to perform their tasks). A privileged IAM user is an IAM identity that has full access to AWS cloud services and resources through the "AdministratorAccess" managed policy. Trend Cloud One™ – Conformity strongly recommends that IAM administration and permission management within your AWS account be divided between two well-defined roles: IAM Master and IAM Manager. The IAM Master and IAM Manager role policies must replace the "AdministratorAccess" policy attached to the privileged IAM user, so that other IAM users and roles can be created and configured with limited permissions that follow the same Principle of Least Privilege.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When an Amazon IAM user with administrator-level permissions (authorized to modify or remove any resource, access any data in your cloud account, and use any service or component) is used by an inexperienced person within your organization, their actions can lead to severe security issues, data leaks, data loss, or unexpected charges on your AWS bill.

Note: As an example, this conformity rule demonstrates how to check for the "AdministratorAccess" policy, an AWS-managed policy that allows access to all AWS cloud services and resources. However, if your Amazon IAM users have customer-managed policies, search the attached policies for administrator-level permissions, represented by "Effect": "Allow" together with any of the following actions: "Action": "Delete*", "Action": "Create*", "Action": "Update*", or "Action": "*".


Audit

To determine if there are IAM users with administrative permissions available within your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name of the IAM user that you want to examine.

05 Select the Permissions tab to access the managed policies attached to the selected IAM user.

06 In the Permissions policies section, check the name of each AWS managed access policy attached to the selected IAM user. If there is a managed policy named AdministratorAccess attached to the IAM user, the selected user has AWS administrator-level permissions, therefore the current IAM access configuration is not following IAM security best practices.

07 Repeat steps no. 4 – 6 for each IAM user available within your AWS cloud account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM users available in your AWS account:

aws iam list-users \
  --output table \
  --query 'Users[*].UserName'

02 The command output should return a table with the requested IAM user identifiers:

------------------------
|      ListUsers       |
+----------------------+
| cc-aws-administrator |
| cc-aws-dev-manager   |
+----------------------+ 

03 Run list-attached-user-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom filtering to list the name of each managed policy attached to the selected IAM user:

aws iam list-attached-user-policies \
  --user-name cc-aws-administrator \
  --output table \
  --query 'AttachedPolicies[*].PolicyName'

04 The command output should return a table with the requested IAM policy names:

--------------------------
|ListAttachedUserPolicies|
+------------------------+
|  AdministratorAccess   |
|  AmazonS3FullAccess    |
+------------------------+

If the table returned by the list-attached-user-policies command output contains a policy named AdministratorAccess, as shown in the example above, the selected IAM user has AWS administrator-level permissions, therefore the current IAM access configuration is not following IAM security best practices.

05 Repeat steps no. 3 and 4 for each IAM user available in your AWS cloud account.
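The following script is an added example, not Conformity's own code. It applies both checks described on this page to an inventory of IAM users: the AdministratorAccess managed-policy check from the CLI audit above, and the administrator-level action check from the Note in the Security section. The inventory is constructed inline; in a real account the "attached" entries would come from aws iam list-attached-user-policies and the inline documents from aws iam get-user-policy (customer-managed policy documents fetched with aws iam get-policy-version can be passed to policy_grants_admin the same way).

```python
# Added example (not Conformity's code). Flags IAM users with administrator-level
# access per rule IAM-036: the AdministratorAccess managed policy, or an Allow
# statement carrying one of the action patterns the rule's note calls out.
ADMIN_MANAGED_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Action values the rule's note treats as administrator-level inside an Allow statement.
ADMIN_ACTIONS = {"*", "Delete*", "Create*", "Update*"}

def _as_list(value):
    """IAM policy fields such as Statement and Action may be a string, a list, or absent."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_grants_admin(document):
    """True if any Allow statement in the policy document lists an administrator-level action."""
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") == "Allow" and any(a in ADMIN_ACTIONS for a in _as_list(stmt.get("Action"))):
            return True
    return False

def find_privileged_users(inventory):
    """Map each privileged user name to the list of reasons it was flagged."""
    findings = {}
    for user, perms in inventory.items():
        reasons = [
            "AdministratorAccess managed policy is attached"
            for p in perms.get("attached", [])
            if p.get("PolicyArn") == ADMIN_MANAGED_ARN
        ] + [
            f"inline policy {name} allows an administrator-level action"
            for name, doc in perms.get("inline", {}).items()
            if policy_grants_admin(doc)
        ]
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample inventory; user and policy names are illustrative, and the
# "attached" entries mirror the PolicyName/PolicyArn fields list-attached-user-policies returns.
SAMPLE_INVENTORY = {
    "cc-aws-administrator": {"attached": [
        {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_MANAGED_ARN},
        {"PolicyName": "AmazonS3FullAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}],
        "inline": {}},
    "cc-aws-dev-manager": {"attached": [], "inline": {"full-access-policy": {
        "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}},
    "cc-aws-reader": {"attached": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
        "inline": {"deny-delete": {"Statement": [{"Effect": "Deny", "Action": "Delete*", "Resource": "*"}]}}},
}
```

Only cc-aws-administrator and cc-aws-dev-manager are reported for the sample above; the Deny statement on cc-aws-reader is deliberately not treated as a finding, since the rule's criteria apply to Allow statements only.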

Remediation/Resolution

To adhere to IAM security best practices and implement the IAM Master and IAM Manager role policies for your privileged IAM users, perform the following actions:

Using AWS CloudFormation

- For managed policies:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "IAM Users with Administrative Privileges",
	"Resources": {
		"IAMUser": {
			"Type": "AWS::IAM::User",
			"Properties": {
				"UserName": "cc-project5-admin",
				"Path": "/",
				"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AdministratorAccess" ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Users with Administrative Privileges
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-project5-admin
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess


- For inline policies:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"IAMUser": {
			"Type": "AWS::IAM::User",
			"Properties": {
				"UserName": "cc-project5-admin"
			}
		},
		"IAMUserPolicy": {
			"Type": "AWS::IAM::Policy",
			"Properties": {
				"PolicyName": "full-access-policy",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Action": "*",
							"Resource": "*"
						}
					]
				},
				"Users": [ { "Ref": "IAMUser" } ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-project5-admin
  IAMUserPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: full-access-policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
      Users:
        - !Ref IAMUser

Using Terraform (AWS Provider)

- For managed policies:

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_iam_user" "iam-user" {
  name = "cc-project5-admin"
  path = "/"
}

resource "aws_iam_user_policy_attachment" "iam-user-attachment" {
  user       = aws_iam_user.iam-user.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}


- For inline policies:

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_iam_user" "iam-user" {
  name = "cc-project5-admin"
}

# Indented heredoc (<<-) so the closing marker may be indented with the rest of the block.
resource "aws_iam_policy" "iam-policy" {
  name   = "full-access-policy"
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  }
  EOF
}

resource "aws_iam_policy_attachment" "iam-user-attachment" {
  name       = "iam-user-attachment"
  users      = [aws_iam_user.iam-user.name]
  policy_arn = aws_iam_policy.iam-policy.arn
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name of the privileged IAM user that you want to reconfigure.

05 Select the Permissions tab to access the managed policies attached to the selected IAM user.

06 In the Permissions policies section, under Attached directly, find the AWS managed policy named AdministratorAccess and detach it from the selected IAM user by clicking the x (detach) icon.

07 Inside the Detach policy confirmation box, choose Detach to confirm the action.

08 Follow the steps outlined in this conformity rule to implement proper IAM administration and permission management with IAM Master and IAM Manager roles.

09 Once the IAM Master and IAM Manager policies have been created and attached to the required Amazon IAM groups, perform the following operations:

  1. In the navigation panel, under Access management, choose Users.
  2. Click on the name of the privileged IAM user that you want to reconfigure.
  3. Select the Groups tab and choose Add user to groups to assign the privileged IAM user to the right group.
  4. On the Add User to Groups configuration page, select the IAM-Masters group and choose Add to Groups to confirm the association with the required group. The privileged Amazon IAM user will now inherit the IAM Master role permissions.

Using AWS CLI

01 Run detach-user-policy command (OSX/Linux/UNIX) using the name of the privileged IAM user that you want to reconfigure as the identifier parameter, to detach the AdministratorAccess managed policy from the selected IAM user (if successful, the command does not produce an output):

aws iam detach-user-policy \
  --user-name cc-aws-administrator \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

02 Follow the steps outlined in this conformity rule to implement proper IAM administration and permission management with IAM Master and IAM Manager roles.

03 Once the IAM Master and IAM Manager policies have been created and attached to the necessary Amazon IAM groups, run add-user-to-group command (OSX/Linux/UNIX) to add the privileged IAM user to the IAM-Masters group (the command does not produce an output):

aws iam add-user-to-group \
  --user-name cc-aws-administrator \
  --group-name "IAM-Masters"

If the command request is successful, the privileged Amazon IAM user will inherit the IAM Master role permissions.

Publication date Jun 21, 2017