AWS IAM Groups with Admin Privileges

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: IAM-066

Ensure there are no Amazon IAM groups with administrator (privileged) permissions available in your AWS account in order to adhere to cloud security best practices and implement the Principle of Least Privilege (the practice of providing every user, process, or system the minimal amount of access required to perform its tasks). A privileged IAM group allows its IAM users admin access to all AWS services and resources. To follow Identity and Access Management best practices, the IAM administration and permission management within your AWS account should be divided between two well-defined roles: IAM Master and IAM Manager. The IAM Master/IAM Manager role policy should replace the overly permissive policy attached to the privileged IAM group in order to allow creating and configuring other IAM users and roles with limited permissions that follow the same principle of least privilege.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When a privileged IAM user within an Amazon IAM group configured with administrator-level permissions (i.e. with authorization to modify or remove any resource, access any available data in the cloud environment, and use any AWS service or component) is used by an inexperienced person within your organization, their actions can lead to severe security issues, data leaks, data loss, or unexpected charges on your AWS bill.


Audit

To determine if there are any Amazon IAM groups with administrator permissions available in your AWS account, perform the following operations:

Note: As an example, this conformity rule demonstrates how to check for the "AdministratorAccess" policy, an AWS managed policy that allows all actions for all AWS cloud services and resources. If your Amazon IAM groups have customer managed policies, search the attached policies for administrator-level permissions, represented by "Effect": "Allow" together with one or more of the following actions: "Action": "Delete*", "Action": "Create*", "Action": "Update*", "Action": "*".

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Groups.

04 Click on the name (link) of the IAM group that you want to examine.

05 On the Summary page, select the Permissions tab from the bottom panel to access the identity-based policies attached to the selected group.

06 In the Managed Policies section, check the name of each managed access policy attached to the IAM group, listed in the Policy Name column. If a managed policy with the name AdministratorAccess is attached to the group, the selected Amazon IAM group has administrator-level permissions, therefore the admin access policy implemented for your AWS account is not following IAM security best practices.

07 Repeat steps no. 4 – 6 to verify the access permissions for other Amazon IAM groups available in your AWS cloud account.

Using AWS CLI

01 Run list-groups command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon IAM groups available within your AWS account:

aws iam list-groups \
	--output table \
	--query 'Groups[*].GroupName'

02 The command output should return a table with the requested IAM group identifiers:

-----------------------------
|        ListGroups         |
+---------------------------+
|  cc-project5-admin-group  |
|  cc-ec2-management-group  |
|  cc-rds-db-admin-group    |
+---------------------------+

03 Run list-attached-group-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM group that you want to examine as identifier parameter and custom query filters to list the names of the managed policies attached to the selected IAM group:

aws iam list-attached-group-policies \
	--group-name cc-project5-admin-group \
	--query 'AttachedPolicies[*].PolicyName'

04 The command output should return the name of each managed access policy attached to the selected IAM group:

[
    "AdministratorAccess"
]

If the list-attached-group-policies command output returns a managed policy with the name "AdministratorAccess", as shown in the example above, the selected Amazon IAM group has administrator-level permissions, therefore the admin access policy implemented for your AWS account is not following IAM security best practices.

05 Repeat steps no. 3 and 4 to check the access permissions for other Amazon IAM groups created within your AWS cloud account.
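As an added example (not part of the Conformity rule or of the AWS CLI), the following Python applies the heuristic from the Note above to every group's policy documents, so customer managed and inline policies are checked as well as the AdministratorAccess attachment; it generalizes slightly by treating a service-wide wildcard such as "s3:*" like "*" and by matching Create*/Update*/Delete* on the operation part of "service:Operation", case-insensitively. The group names, policy names and policy documents are constructed sample data; in practice they would come from list-attached-group-policies, get-policy-version, list-group-policies and get-group-policy.

```python
import json

ADMIN_MANAGED_POLICY = "AdministratorAccess"          # AWS managed, allows everything
PRIVILEGED_PREFIXES = ("create", "update", "delete")  # operation prefixes the rule flags


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def privileged_actions(policy_document):
    """Return the Allow actions in a policy document that are administrator-level
    under the rule's heuristic: "*" (or "service:*") and Create*/Update*/Delete*."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    found = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant privilege
        for action in _as_list(stmt.get("Action")):
            # Split "service:Operation"; a bare "*" has no service prefix.
            operation = action.split(":", 1)[-1].lower()  # IAM action names are case-insensitive
            if operation == "*" or operation.startswith(PRIVILEGED_PREFIXES):
                found.append(action)
    return found


def audit_group(group_name, attached_policy_names, policy_documents):
    """Flag a group if AdministratorAccess is attached or any of its policy
    documents (managed or inline) grants privileged actions."""
    findings = []
    if ADMIN_MANAGED_POLICY in attached_policy_names:
        findings.append(f"managed policy {ADMIN_MANAGED_POLICY} attached")
    for name, doc in policy_documents.items():
        actions = privileged_actions(doc)
        if actions:
            findings.append(f"policy {name} allows {', '.join(actions)}")
    return {"group": group_name, "compliant": not findings, "findings": findings}


# Constructed sample data (group names mirror the rule's example output).
SAMPLE_GROUPS = {
    "cc-project5-admin-group": (["AdministratorAccess"], {}),
    "cc-ec2-management-group": (["cc-ec2-ops"], {"cc-ec2-ops": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StartInstances"], "Resource": "*"}]}}),
    "cc-rds-db-admin-group": (["cc-rds-admin"], {"cc-rds-admin": {"Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "rds:Delete*", "Resource": "*"}}}),
}


def audit_all(groups=SAMPLE_GROUPS):
    return [audit_group(g, names, docs) for g, (names, docs) in groups.items()]


if __name__ == "__main__":  # run the check over the constructed sample
    print(json.dumps(audit_all(), indent=1))
```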

Remediation / Resolution

To adhere to AWS Identity and Access Management (IAM) best practices and implement the IAM Master/IAM Manager role policy for your privileged Amazon IAM groups, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Groups.

04 Click on the name (link) of the IAM group that you want to reconfigure.

05 On the Summary page, select the Permissions tab from the bottom panel to access the IAM policies attached to the selected group.

06 In the Managed Policies section, choose Detach Policy next to the AdministratorAccess managed policy to detach it from the selected Amazon IAM group.

07 Inside the Detach Policy confirmation box, choose Detach.

08 Follow the steps outlined in this conformity rule to create the IAM Master and IAM Manager roles necessary for efficient and secure IAM administration and permission management within your AWS account.

09 Once the IAM Master and IAM Manager roles have been created, each of these roles needs to be assumed by a different Amazon IAM group, so that the two groups work together in a two-person rule manner to grant Amazon IAM entities the right permissions and thereby reduce the risk of unauthorized access to AWS cloud services and resources. The selected Amazon IAM group can assume one of the following IAM administration and permission management roles:

  1. To assume the IAM Master role, perform the following actions:
    • In the Inline Policies section, choose Create Group Policy to add an inline policy to the selected IAM group.
    • On the Set Permissions page, select Custom Policy, and paste the following policy (JSON format) in the Policy Document box. Replace "arn:aws:iam::<aws-account-id>:role/<iam-master-role-name>" with the ARN of your IAM Master role (a role ARN uses the role/ prefix; an instance-profile ARN is not a valid target for sts:AssumeRole):
      {
          "Version": "2012-10-17",
          "Statement": {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::<aws-account-id>:role/<iam-master-role-name>"
          }
      }
      
    • In the Policy Name box provide a unique name for the inline policy.
    • Choose Apply Policy to attach the new inline policy to the selected IAM group. Each user added to your Amazon IAM group will also assume the IAM Master role.
  2. To assume the IAM Manager role, perform the following:
    • In the Inline Policies section, choose Create Group Policy to add a new inline policy to the selected IAM group.
    • On the Set Permissions page, select Custom Policy, and paste the following policy in the Policy Document box. Replace "arn:aws:iam::<aws-account-id>:role/<iam-manager-role-name>" with the ARN of your IAM Manager role:
      {
          "Version": "2012-10-17",
          "Statement": {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::<aws-account-id>:role/<iam-manager-role-name>"
          }
      }
      
    • In the Policy Name box provide a name for the inline policy.
    • Choose Apply Policy to attach the new inline policy to the selected IAM group. Each user added to your Amazon IAM group will also assume the IAM Manager role.

Using AWS CLI

01 Run detach-group-policy command (OSX/Linux/UNIX) using the name of the Amazon IAM group that you want to reconfigure as identifier parameter, to detach the AdministratorAccess managed policy, identified by the ARN arn:aws:iam::aws:policy/AdministratorAccess, that provides administrator-level permissions to the IAM users within the selected group (the command does not produce an output):

aws iam detach-group-policy \
	--group-name cc-project5-admin-group \
	--policy-arn arn:aws:iam::aws:policy/AdministratorAccess

02 Follow the steps outlined in this conformity rule to create the IAM Master and IAM Manager roles necessary for efficient and secure IAM administration and permission management within your AWS cloud account.

03 Once the IAM Master and IAM Manager roles have been created, each of these roles needs to be assumed by a different Amazon IAM group, so that the two groups work together in a two-person rule manner to grant Amazon IAM entities the right permissions and thereby reduce the risk of unauthorized access to AWS cloud services and resources. The selected Amazon IAM group can assume one of the following IAM administration and permission management roles:

  1. To assume the IAM Master role, perform the following commands:
    • Add the following policy document to a JSON file named iam-master-group-policy.json. Replace "arn:aws:iam::<aws-account-id>:role/<iam-master-role-name>" with the Amazon Resource Name (ARN) of your IAM Master role (a role ARN uses the role/ prefix; an instance-profile ARN is not a valid target for sts:AssumeRole):
      {
          "Version": "2012-10-17",
          "Statement": {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::<aws-account-id>:role/<iam-master-role-name>"
          }
      }
      
    • Run put-group-policy command (OSX/Linux/UNIX) to assign the inline policy defined at the previous step to your Amazon IAM group (the command does not produce an output):
      aws iam put-group-policy \
      	--group-name cc-project5-admin-group \
      	--policy-name cc-iam-master-policy \
      	--policy-document file://iam-master-group-policy.json
      
    • Each user added to your IAM group will also assume the IAM Master role.
  2. To assume the IAM Manager role, perform the following:
    • Paste the following policy document into a JSON file named iam-manager-group-policy.json. Replace "arn:aws:iam::<aws-account-id>:role/<iam-manager-role-name>" with the Amazon Resource Name (ARN) of your IAM Manager role:
      {
          "Version": "2012-10-17",
          "Statement": {
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::<aws-account-id>:role/<iam-manager-role-name>"
          }
      }
      
    • Run put-group-policy command (OSX/Linux/UNIX) to assign the inline policy created at the previous step to your Amazon IAM group (the command does not produce an output):
      aws iam put-group-policy \
      	--group-name cc-project5-admin-group \
      	--policy-name cc-iam-manager-policy \
      	--policy-document file://iam-manager-group-policy.json
      
    • Each user added to your IAM group will also assume the IAM Manager role.

Publication date Nov 24, 2020
