Ensure there are no Amazon IAM groups with administrator (privileged) permissions available in your AWS account in order to adhere to cloud security best practices and implement the Principle of Least Privilege (the practice of providing every user, process, or system the minimal amount of access required to perform its tasks). A privileged IAM group allows its IAM users admin access to all AWS services and resources. To follow Identity and Access Management best practices, the IAM administration and permission management within your AWS account should be divided between two well-defined roles: IAM Master and IAM Manager. The IAM Master/IAM Manager role policy should replace the overly permissive policy attached to the privileged IAM group in order to allow creating and configuring other IAM users and roles with limited permissions that follow the same principle of least privilege.
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When a privileged IAM user within an Amazon IAM group configured with administrator-level permissions (i.e., one that has authorization to modify or remove any resource, access any available data in the cloud environment, and use any AWS service or component) is used by an inexperienced person within your organization, their actions can lead to severe security issues, data leaks, data loss, or unexpected charges on your AWS bill.
To determine if there are any Amazon IAM groups with administrator permissions available in your AWS account, perform the following operations:

Note: As an example, this conformity rule demonstrates how to check for the "AdministratorAccess" policy, an AWS managed policy that allows all actions for all AWS cloud services and resources. If your Amazon IAM groups have customer managed policies, search the attached policies for administrator-level permissions, represented by "Effect": "Allow" together with one or more of the following actions: "Action": "Delete*", "Action": "Create*", "Action": "Update*", "Action": "*".
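The check described in the note above, written out as an added Python example (not code from the Cloud Conformity tool or from AWS): it flags a group when the "AdministratorAccess" managed policy is attached, and otherwise scans each attached or inline policy document for "Effect": "Allow" statements carrying one of the wildcard actions the rule names. The group and policy data below is constructed inline to stand in for what an audit would retrieve with `aws iam list-attached-group-policies`, `aws iam get-policy-version`, and `aws iam get-group-policy`; the `SAMPLE_GROUPS` layout and the function names are assumptions of this example, not AWS API shapes. It also accepts the service-scoped form IAM actually uses (for example "ec2:Delete*" or "iam:*"), which the rule text abbreviates as "Delete*" and "*".

```python
import json

# ARN of the AWS managed policy the rule uses as its primary indicator.
ADMIN_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Wildcard action verbs the rule treats as administrator-level when allowed;
# a bare "*" (all actions) is handled separately below.
ADMIN_ACTION_PATTERNS = ("Delete*", "Create*", "Update*")


def _as_list(value):
    """IAM allows 'Statement' and 'Action' to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_is_admin_level(action):
    """True if an action string is one of the rule's privileged wildcard forms.

    Accepts the bare form from the rule text ("Delete*") and the service-scoped
    form IAM uses ("ec2:Delete*", "iam:*", "*"). Concrete actions such as
    "iam:CreateUser" or "ec2:Describe*" are not flagged by this rule.
    """
    if action == "*":
        return True
    service, sep, verb = action.partition(":")
    if not sep:  # bare form, e.g. "Delete*"
        verb = service
    if verb == "*":  # "iam:*" allows every action in that service
        return True
    return verb.lower() in {p.lower() for p in ADMIN_ACTION_PATTERNS}


def statement_grants_admin(stmt):
    """Return the admin-level actions an Allow statement grants ([] if none).

    Deny statements never contribute: the rule looks for Effect: Allow only.
    """
    if stmt.get("Effect") != "Allow":
        return []
    return [a for a in _as_list(stmt.get("Action")) if action_is_admin_level(a)]


def policy_document_grants_admin(doc):
    """Collect admin-level actions across all statements of a policy document."""
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        hits.extend(statement_grants_admin(stmt))
    return hits


def audit_groups(groups):
    """Return {group_name: [reasons]} for every group with admin privileges.

    `groups` maps a group name to {"attached": [(policy_arn, document)],
    "inline": {policy_name: document}} (constructed layout for this example).
    """
    findings = {}
    for name, group in groups.items():
        reasons = []
        for arn, doc in group.get("attached", []):
            if arn == ADMIN_MANAGED_POLICY_ARN:
                reasons.append(f"attached AWS managed policy {arn}")
            else:
                hits = policy_document_grants_admin(doc)
                if hits:
                    reasons.append(f"attached policy {arn} allows {hits}")
        for pname, doc in group.get("inline", {}).items():
            hits = policy_document_grants_admin(doc)
            if hits:
                reasons.append(f"inline policy {pname} allows {hits}")
        if reasons:
            findings[name] = reasons
    return findings


# Document of the AdministratorAccess managed policy (allows all actions on all resources).
ADMIN_ACCESS_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: three groups as an audit might see them. Account id and
# policy names are placeholders, not real identifiers.
SAMPLE_GROUPS = {
    "Administrators": {"attached": [(ADMIN_MANAGED_POLICY_ARN, ADMIN_ACCESS_DOC)]},
    "OpsTeam": {
        "attached": [(
            "arn:aws:iam::123456789012:policy/OpsTeamPolicy",
            {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:Get*", "ec2:Delete*"], "Resource": "*"}]},
        )],
    },
    "ReadOnly": {
        "attached": [],
        "inline": {
            "ReadOnlyInline": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"},
                # An explicit Deny of "*" is not a grant and must not be flagged.
                {"Effect": "Deny", "Action": "*", "Resource": "*"}]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(audit_groups(SAMPLE_GROUPS), indent=2))
```

Running the module prints findings for "Administrators" (managed policy attached) and "OpsTeam" ("ec2:Delete*" allowed) while "ReadOnly" is clean, since "ec2:Describe*" is not one of the rule's patterns and the "*" appears only in a Deny statement. In a real audit, replace `SAMPLE_GROUPS` with the documents returned by the CLI commands named above, and remember that policies are also reachable through the group's members' own attached policies and roles, which this group-level check does not cover.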
Remediation / Resolution
To adhere to AWS Identity and Access Management (IAM) best practices and implement the IAM Master/IAM Manager role policy for your privileged Amazon IAM groups, perform the following operations:
- AWS Documentation
- Security best practices in IAM
- AWS security audit guidelines
- AWS managed policies for job functions
- IAM groups
- Managing IAM groups
- Attaching a policy to an IAM group
You are auditing: AWS IAM Groups with Admin Privileges
Risk level: High