
IAM Groups with Administrative Privileges

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-066

Ensure there are no Amazon IAM groups with administrator (privileged) permissions in your AWS cloud account, in order to adhere to IAM security best practices and implement the Principle of Least Privilege (the practice of providing every user, process, or system the minimal amount of access required to perform its tasks). A privileged IAM group is an IAM identity that grants its users full access to all AWS cloud services and resources, typically through the "AdministratorAccess" managed policy.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When an IAM user in a group configured with administrator-level permissions (i.e. authorization to modify or remove any resource, access any data in the cloud environment, and use any AWS service or component) is operated by an inexperienced person, their actions can lead to severe security issues such as data leaks, data loss, or unexpected charges on your AWS bill.

As an example, this conformity rule demonstrates how to check for the "AdministratorAccess" policy, an AWS-managed policy that allows access to all AWS cloud services and resources. However, if your Amazon IAM groups have customer-managed policies attached, search those policies for administrator-level permissions as well: statements with "Effect": "Allow" and any of the following actions: "Action": "Delete*", "Action": "Create*", "Action": "Update*", or "Action": "*".


Audit

To determine if there are IAM groups with administrative permissions available within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose User groups.

04 Click on the name of the Amazon IAM group that you want to examine.

05 Select the Permissions tab to access the identity-based policies attached to the selected group.

06 In the Permissions policies section, check the name of each AWS-managed policy attached to the IAM group, listed in the Policy Name column. If there is a managed policy named AdministratorAccess attached to the group, the selected Amazon IAM group has AWS administrator-level permissions, therefore the current IAM access configuration is not following IAM security best practices.

07 Repeat steps no. 4 – 6 for each IAM group available within your AWS cloud account.

Using AWS CLI

01 Run the list-groups command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon IAM groups available in your AWS account:

aws iam list-groups \
  --output table \
  --query 'Groups[*].GroupName'

02 The command output should return a table with the requested IAM group identifiers:

-----------------------------
|        ListGroups         |
+---------------------------+
|  cc-project5-admin-group  |
|  cc-ec2-management-group  |
+---------------------------+

03 Run the list-attached-group-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM group that you want to examine as the identifier parameter and custom query filters to list the name of each managed policy attached to the selected group:

aws iam list-attached-group-policies \
  --group-name cc-project5-admin-group \
  --query 'AttachedPolicies[*].PolicyName'

04 The command output should return the name of each managed access policy attached to the selected IAM group:

[
	"AdministratorAccess",
	"AmazonSSMManagedInstanceCore"
]

If the array returned by the list-attached-group-policies command output contains a policy named "AdministratorAccess", as shown in the output example above, the selected Amazon IAM group has AWS administrator-level permissions, therefore the current IAM access configuration is not following IAM security best practices.

05 Repeat steps no. 3 and 4 for each IAM group available in your AWS cloud account.
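The check described in the Security section (administrator-level Allow statements in customer-managed policies) and the group-by-group audit above, combined in one added Python example that is not part of this Conformity page. It runs on constructed data shaped like the CLI output above rather than calling AWS; the sample customer-managed policy, its ARN and the account id 123456789012 are assumptions.

```python
# The policy name and the Delete/Create/Update/"*" patterns come from the rule text
# above; the sample groups, ARNs and account id 123456789012 are constructed.
ADMIN_MANAGED_POLICY = "AdministratorAccess"
ADMIN_VERB_PREFIXES = ("Delete", "Create", "Update")

def _as_list(value):
    """IAM lets Statement and Action be a single string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def is_admin_action(action):
    """Treat "*", "svc:*" or a verb starting with Delete/Create/Update, spelled out
    ("s3:DeleteBucket") or wildcarded ("s3:Delete*"), as administrator-level."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb == "*" or verb.startswith(ADMIN_VERB_PREFIXES)

def admin_actions(policy_document):
    """Admin-level actions granted by Allow statements; Deny statements grant nothing."""
    return [a for s in _as_list(policy_document.get("Statement")) if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action")) if is_admin_action(a)]

def audit_group(attached_policies, policy_documents):
    """attached_policies: entries as returned by `aws iam list-attached-group-policies`.
    policy_documents: customer-managed policy ARN -> default-version document (the
    PolicyVersion.Document from `aws iam get-policy-version`). Returns the findings."""
    findings = []
    for pol in attached_policies:
        if pol["PolicyName"] == ADMIN_MANAGED_POLICY:
            findings.append(f"AWS managed policy {ADMIN_MANAGED_POLICY} is attached")
        hits = admin_actions(policy_documents.get(pol["PolicyArn"], {}))
        if hits:
            findings.append(f"{pol['PolicyName']} allows {', '.join(hits)}")
    return findings

# Constructed sample shaped like the CLI output above: group name -> attached policies.
SAMPLE_GROUPS = {
    "cc-project5-admin-group": [
        {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        {"PolicyName": "AmazonSSMManagedInstanceCore", "PolicyArn": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"}],
    "cc-ec2-management-group": [
        {"PolicyName": "cc-ec2-ops", "PolicyArn": "arn:aws:iam::123456789012:policy/cc-ec2-ops"}]}
# Constructed customer-managed policy document for the second group.
SAMPLE_DOCUMENTS = {"arn:aws:iam::123456789012:policy/cc-ec2-ops": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:Delete*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}}

def audit_all(groups=SAMPLE_GROUPS, documents=SAMPLE_DOCUMENTS):
    """Step 05 of the audit: check every group; a non-empty list means non-compliant."""
    return {name: audit_group(policies, documents) for name, policies in groups.items()}
```

Inline group policies (list-group-policies / get-group-policy) are not covered by this example; their documents can be passed through admin_actions in the same way.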

Remediation / Resolution

To adhere to Amazon IAM security best practices and implement the Principle of Least Privilege (POLP) for your privileged IAM groups, perform the following operations:

Using AWS CloudFormation

- For managed policies:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "IAM Groups with Administrative Privileges",
	"Resources": {
		"IAMGroup": {
			"Type": "AWS::IAM::Group",
			"Properties": {
				"GroupName": "cc-project5-user-group",
				"Path": "/",
				"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AdministratorAccess" ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Groups with Administrative Privileges
Resources:
  IAMGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cc-project5-user-group
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_iam_group" "iam-group" {
  name = "cc-project5-user-group"
  path = "/"
}

resource "aws_iam_group_policy_attachment" "group-policy-attach" {
  group      = aws_iam_group.iam-group.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

Using AWS CloudFormation

- For inline policies:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "IAM Groups with Administrative Privileges",
	"Resources": {
		"IAMGroup": {
			"Type": "AWS::IAM::Group",
			"Properties": {
				"GroupName": "cc-project5-user-group"
			}
		},
		"IAMGroupInlinePolicy": {
			"Type": "AWS::IAM::Policy",
			"Properties": {
				"PolicyName": "cc-allow-admin-access",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Action": "*",
							"Resource": "*"
						}
					]
				},
				"Groups": [ { "Ref": "IAMGroup" } ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Groups with Administrative Privileges
Resources:
  IAMGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cc-project5-user-group
  IAMGroupInlinePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: cc-allow-admin-access
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
      Groups:
        - !Ref 'IAMGroup'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_iam_group" "iam-group" {
  name = "cc-project5-user-group"
}

# Indented heredoc (<<-EOF) so the closing marker can be indented with the block.
resource "aws_iam_policy" "iam-policy" {
  name   = "cc-allow-admin-access"
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }
  EOF
}

resource "aws_iam_policy_attachment" "iam-group-attachment" {
  name       = "iam-group-attachment"
  groups     = [aws_iam_group.iam-group.name]
  policy_arn = aws_iam_policy.iam-policy.arn
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose User groups.

04 Click on the name of the Amazon IAM group that you want to reconfigure.

05 Select the Permissions tab to access the identity-based policies attached to the selected group.

06 Select the AdministratorAccess policy from the Permissions policies section and choose Remove to detach the non-compliant managed policy from the selected IAM group.

07 In the Remove AdministratorAccess? confirmation box, choose Remove.

08 To follow the Principle of Least Privilege (POLP), configure the minimal amount of access required to perform the intended tasks by attaching the appropriate access policies to the selected IAM group. In the Permissions policies section, perform the following actions:

  1. Choose Add permissions and select Attach policies to attach managed IAM policies to the selected group. Select one or more IAM policies from the Other permission policies list based on your IAM group access requirements.
  2. Choose Attach policies to add the selected IAM policies.

09 Repeat steps no. 4 – 8 for each Amazon IAM group that you want to reconfigure, available in your AWS cloud account.

Using AWS CLI

01 Run the detach-group-policy command (OSX/Linux/UNIX) to detach the AdministratorAccess managed policy, identified by the ARN arn:aws:iam::aws:policy/AdministratorAccess, from the selected Amazon IAM group. The AdministratorAccess policy provides administrator-level permissions to the IAM users within the selected group (the command does not produce an output):

aws iam detach-group-policy \
  --group-name cc-project5-admin-group \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

02 To implement the Principle of Least Privilege (POLP), add the appropriate access policies to the selected IAM group. Run the attach-group-policy command (OSX/Linux/UNIX) to attach the necessary policy to the selected IAM group. Replace [policy-arn] with the Amazon Resource Name (ARN) of the IAM managed policy that you want to attach (the command does not produce an output):

aws iam attach-group-policy \
  --group-name cc-project5-admin-group \
  --policy-arn [policy-arn]

03 Repeat steps no. 1 and 2 for each Amazon IAM group that you want to reconfigure, available within your AWS cloud account.

Publication date Nov 24, 2020