IAM Policies With Full Administrative Privileges

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-045

Ensure there are no Amazon IAM policies (inline and customer-managed policies) that allow full administrative privileges available in your AWS cloud account, in order to follow the Principle of Least Privilege and provide the IAM users, groups, and roles that use these policies the minimal amount of access required to perform their tasks. An IAM policy that provides full administrative permissions is a policy that contains the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*"

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Providing full administrative privileges instead of restricting access to the minimum set of permissions can expose your AWS cloud resources to potentially unwanted actions. Trend Cloud One™ – Conformity strongly recommends creating and using IAM policies that implement the Principle of Least Privilege (i.e. granting only the minimal set of actions required to successfully perform the desired tasks) instead of using overly permissive policies.


Audit

Case A: To determine if there are any customer-managed IAM policies that allow full administrative privileges available in your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Select Customer managed from the Filter policies dropdown menu to list only the customer-managed policies available in your AWS account.

05 Click on the name (link) of the IAM policy that you want to examine.

06 Select the Permissions tab and choose {} JSON to access the selected policy document in JSON format.

07 Inside the policy document box, search for the policy statement with the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*". If the verified customer-managed policy uses the specified combination of elements, the selected Amazon IAM policy allows full administrative privileges, therefore the policy doesn't follow the IAM security best practices and should be deactivated (detached from any IAM user, group, or role).

08 Repeat steps no. 5 – 7 for each customer-managed IAM policy that you want to examine, available within your AWS account.

Using AWS CLI

01 Run list-policies command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each customer-managed IAM policy available in your AWS account:

aws iam list-policies \
  --scope Local \
  --query 'Policies[*].Arn'

02 The command output should return the requested policy ARNs:

[
    "arn:aws:iam::123456789012:policy/cc-full-access-policy",
    "arn:aws:iam::123456789012:policy/cc-deploy-app-policy"
]

03 Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to examine as the identifier parameter, together with the policy's default version ID (the DefaultVersionId value returned by the list-policies or get-policy command; v1 is shown below as an example), to describe the policy document in JSON format:

aws iam get-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/cc-full-access-policy \
  --version-id v1 \
  --query 'PolicyVersion.Document'

04 The command output should return the requested IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1234567890",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Search for the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*" within the policy document returned by the get-policy-version command output. If the policy uses the specified combination of elements, as shown in the example above, the selected Amazon IAM policy allows full administrative privileges, therefore the verified customer-managed policy is not compliant.

05 Repeat step no. 3 and 4 for each customer-managed IAM policy that you want to examine, available in your AWS account.

Case B: To determine if there are any inline IAM policies that allow full administrative privileges available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users, Roles, or User groups.

04 Click on the name (link) of the IAM identity that you want to examine.

05 Select the Permissions tab and choose the inline policy that you want to check. Inline policies are listed with a Type of Customer inline (or Inline policy).

06 In the Permissions policies section, click on the Expand button (right arrow icon) available next to each inline policy, and choose {} JSON to show the policy document in JSON format.

07 Within the {} JSON policy document box, search for policy statements with the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*". If the verified policy uses the specified combination of elements, the selected Amazon IAM policy allows full administrative privileges, therefore the policy doesn't follow the IAM security best practices and should be detached from IAM identities.

08 Repeat steps no. 4 – 7 for each inline IAM policy that you want to examine, available within your AWS account.

Using AWS CLI

01 Based on the type of the IAM identity (user, group, or role) that you want to examine, perform one of the following sets of commands:

  1. For Amazon IAM users:
    • Run get-user-policy command (OSX/Linux/UNIX) to describe the policy document defined for the inline policy associated with the selected IAM user:
      aws iam get-user-policy \
        --user-name cc-project5-resource-manager \
        --policy-name cc-full-admin-policy \
        --query 'PolicyDocument'
      
    • The command output should return the requested policy document:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "fulladministrative",
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
              }
          ]
      }
      
  2. For Amazon IAM roles:
    • Run get-role-policy command (OSX/Linux/UNIX) to describe the inline policy document embedded in the selected IAM role:
      aws iam get-role-policy \
        --role-name cc-project5-main-role \
        --policy-name cc-full-admin-policy \
        --query 'PolicyDocument'
      
    • The command output should return the requested IAM policy document:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "fulladministrative",
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
              }
          ]
      }
      
  3. For Amazon IAM groups:
    • Run get-group-policy command (OSX/Linux/UNIX) to describe the policy document defined for the inline policy associated with the selected IAM group:
      aws iam get-group-policy \
        --group-name cc-project5-cloud-managers \
        --policy-name cc-full-admin-policy \
        --query 'PolicyDocument'
      
    • The command output should return the requested IAM policy document:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "fulladministrative",
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": "*"
              }
          ]
      }
      

Search for the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*" within the policy document returned by the get-user-policy/get-role-policy/get-group-policy command output. If the verified policy uses the specified combination of elements, the selected Amazon IAM policy allows full administrative privileges, therefore the verified inline policy is not compliant.

02 Repeat step no. 1 for each inline IAM policy that you want to examine, available in your AWS account.
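The audit steps in Case A and Case B both reduce to the same check on a policy document. The following added example (not Conformity's code) implements that check and runs it over constructed sample documents; it also handles the forms the console steps above do not spell out: IAM accepts a single statement object instead of a Statement list, and a list for Action and Resource, so "Action": ["iam:*", "*"] with "Resource": ["*"] is just as much full administrative access as the scalar form. A wildcard Deny statement and a service-scoped "s3:*" are not findings under this rule. The optional audit_account function assumes boto3 is installed and credentialed and sweeps customer-managed policies (default version) and inline policies on users, roles and groups with the same detector; the policy names and documents in SAMPLE_POLICIES are constructed.

```python
"""Added example: detect IAM policy statements that grant full administrative
privileges ("Effect": "Allow", "Action": "*", "Resource": "*"), the combination
Conformity rule IAM-045 looks for. Not Conformity's own code."""
import json
from typing import Any, Dict, List, Union

PolicyDocument = Union[str, Dict[str, Any]]


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string/object or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt: Dict[str, Any]) -> bool:
    """True if the statement allows every action on every resource.
    A Deny with the same wildcards is not a finding for this rule, and an Allow
    written with NotAction/NotResource has no Action/Resource key and is not matched."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def find_full_admin_statements(document: PolicyDocument) -> List[str]:
    """Return an identifier (Sid, or statement index when there is no Sid) for every
    full-admin statement in a policy document given as a dict or as JSON text."""
    doc = json.loads(document) if isinstance(document, str) else document
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if is_full_admin_statement(stmt):
            findings.append(stmt.get("Sid") or f"statement[{index}]")
    return findings


def audit_documents(documents: Dict[str, PolicyDocument]) -> Dict[str, List[str]]:
    """Map policy name -> offending statement ids, listing non-compliant policies only."""
    results: Dict[str, List[str]] = {}
    for name, doc in documents.items():
        hits = find_full_admin_statements(doc)
        if hits:
            results[name] = hits
    return results


# Constructed sample documents (not real account data): the page's exact form,
# the list/single-statement variants IAM accepts, and two compliant policies.
SAMPLE_POLICIES: Dict[str, PolicyDocument] = {
    "cc-full-access-policy": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "1234567890", "Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "list-form-admin": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": ["iam:*", "*"], "Resource": ["*"]},
    },
    "deny-everything": {  # wildcard Deny is not a finding for this rule
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
    },
    "cc-deploy-app-policy": {  # service-scoped, so not full admin under IAM-045
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    },
}


def audit_account(session: Any) -> Dict[str, List[str]]:
    """Optional live sweep (assumes a credentialed boto3 session): checks the default
    version of every customer-managed policy and every inline policy on users, roles
    and groups with the same detector. boto3 returns policy documents already decoded."""
    iam = session.client("iam")
    docs: Dict[str, PolicyDocument] = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for pol in page["Policies"]:
            version = iam.get_policy_version(PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])
            docs[pol["Arn"]] = version["PolicyVersion"]["Document"]
    # (identity paginator, inline-policy paginator, getter, response key, name argument)
    inline_sources = [
        ("list_users", "list_user_policies", "get_user_policy", "Users", "UserName"),
        ("list_roles", "list_role_policies", "get_role_policy", "Roles", "RoleName"),
        ("list_groups", "list_group_policies", "get_group_policy", "Groups", "GroupName"),
    ]
    for list_ids, list_inline, getter, key, arg in inline_sources:
        for page in iam.get_paginator(list_ids).paginate():
            for identity in page[key]:
                name = identity[arg]
                for ipage in iam.get_paginator(list_inline).paginate(**{arg: name}):
                    for pname in ipage["PolicyNames"]:
                        resp = getattr(iam, getter)(**{arg: name, "PolicyName": pname})
                        docs[f"{key[:-1].lower()}/{name}/inline/{pname}"] = resp["PolicyDocument"]
    return audit_documents(docs)


if __name__ == "__main__":
    print(json.dumps(audit_documents(SAMPLE_POLICIES), indent=2))
```

Running the block offline reports cc-full-access-policy (statement 1234567890) and list-form-admin (statement[0]) and nothing else. For a real sweep, pass boto3.Session() to audit_account; the returned keys are policy ARNs for managed policies and user/<name>/inline/<policy> style paths for inline ones, which maps directly onto the Case A and Case B remediation commands below.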

Remediation / Resolution

Case A: To detach the managed IAM policies that provide full administrative privileges from your IAM users, groups, and roles, perform the following actions:

Using Terraform (AWS Provider)

01 Terraform command:

terraform destroy -target aws_iam_policy.cc-full-access-policy

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users, Roles, or User groups.

04 Click on the name of the Amazon IAM identity that you want to reconfigure.

05 Select the Permissions tab to access the managed policies attached to the selected IAM identity.

06 Find the customer-managed policy that you want to decommission, and perform one of the following actions based on the IAM identity type:

  1. For IAM users and roles:
    • Click on the x (detach) icon to detach the non-compliant policy from the selected IAM identity.
    • Inside the Detach policy confirmation box, choose Detach to confirm the action.
  2. For IAM groups:
    • Select the non-compliant policy that you want to detach and choose Remove.
    • Inside the Remove <policy-name>? confirmation box, choose Delete to confirm the action.

07 Repeat step no. 6 to detach other managed IAM policies that allow full administrative privileges from the selected IAM identity.

08 Repeat steps no. 4 – 7 to deactivate overly permissive policies for other IAM entities available within your AWS account.

Using AWS CLI

01 Based on the type of the IAM identity that you want to reconfigure, perform one of the following commands:

  1. For Amazon IAM users:
    • Run detach-user-policy command (OSX/Linux/UNIX) to detach the selected managed IAM policy from the specified IAM user (the command does not produce an output):
      aws iam detach-user-policy \
        --user-name cc-project5-resource-manager \
        --policy-arn arn:aws:iam::123456789012:policy/cc-full-access-policy
      
  2. For Amazon IAM roles:
    • Run detach-role-policy command (OSX/Linux/UNIX) to detach the selected managed IAM policy from the specified IAM role (if successful, the command does not return an output):
      aws iam detach-role-policy \
        --role-name cc-project5-main-role \
        --policy-arn arn:aws:iam::123456789012:policy/cc-full-access-policy
      
  3. For Amazon IAM groups:
    • Run detach-group-policy command (OSX/Linux/UNIX) to detach the selected managed IAM policy from the specified IAM group (the command does not produce an output):
      aws iam detach-group-policy \
        --group-name cc-project5-cloud-managers \
        --policy-arn arn:aws:iam::123456789012:policy/cc-full-access-policy
      

02 Repeat step no. 1 to deactivate overly permissive policies for other IAM entities available in your AWS cloud account.

Case B: To remove inline IAM policies that provide full administrative privileges from your IAM users, groups, or roles, perform the following actions:

Using Terraform (AWS Provider)

01 Terraform command (an inline policy is declared with the aws_iam_user_policy, aws_iam_role_policy, or aws_iam_group_policy resource, depending on the identity that embeds it; the aws_iam_policy resource used in Case A is for managed policies only). For an inline policy embedded in a role:

terraform destroy -target aws_iam_role_policy.cc-full-admin-policy

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users, Roles, or User groups.

04 Click on the name of the Amazon IAM identity that you want to reconfigure.

05 Select the Permissions tab to access the inline policies associated with the selected IAM identity.

06 Find the inline policy that you want to remove, and perform one of the following actions based on the IAM identity type:

  1. For IAM users and roles:
    • Click on the x (detach) icon to remove the non-compliant policy from the selected IAM identity.
    • Inside the Remove policy confirmation box, choose Remove to confirm the action.
  2. For IAM groups:
    • Select the non-compliant policy that you want to delete and choose Remove.
    • Inside the Remove <policy-name>? confirmation box, enter the policy name in the text input field, then choose Delete to confirm the action.

07 Repeat step no. 6 to remove other inline IAM policies that allow full administrative privileges from the selected IAM identity.

08 Repeat steps no. 4 – 7 to remove overly permissive policies for other IAM entities available within your AWS account.

Using AWS CLI

01 Based on the type of the Amazon IAM identity that you want to reconfigure, perform one of the following commands:

  1. For Amazon IAM users:
    • Run delete-user-policy command (OSX/Linux/UNIX) to remove the selected inline policy from the specified IAM user (the command does not produce an output):
      aws iam delete-user-policy \
        --user-name cc-project5-resource-manager \
        --policy-name cc-full-admin-policy
      
  2. For Amazon IAM roles:
    • Run delete-role-policy command (OSX/Linux/UNIX) to delete the selected inline policy from the specified IAM role (if successful, the command does not return an output):
      aws iam delete-role-policy \
        --role-name cc-project5-main-role \
        --policy-name cc-full-admin-policy
      
  3. For Amazon IAM groups:
    • Run delete-group-policy command (OSX/Linux/UNIX) to remove the selected inline policy from the specified IAM group (the command does not produce an output):
      aws iam delete-group-policy \
        --group-name cc-project5-cloud-managers \
        --policy-name cc-full-admin-policy
      

02 Repeat step no. 1 to remove overly permissive policies for other IAM entities available in your AWS cloud account.
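The Case A and Case B CLI remediation steps differ only in the verb (detach for managed policies, delete for inline ones), the identity flag, and whether the policy is identified by ARN or by name. The following added example (not Conformity's code) encodes that mapping so a list of findings becomes the exact commands above, with a dry run as the default; when apply=True and a credentialed boto3 session are supplied it makes the equivalent API calls. The identity and policy names in SAMPLE_FINDINGS are constructed to match the page's examples. Note that a managed policy can only be deleted afterwards (delete-policy) once it is detached from every identity and its non-default versions are removed, which is why the detach step comes first.

```python
"""Added example: map IAM-045 findings to the Case A (detach managed policy) and
Case B (delete inline policy) remediation commands. Not Conformity's own code."""
import shlex
from dataclasses import dataclass
from typing import Any, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    identity_type: str   # "user", "role" or "group"
    identity_name: str
    kind: str            # "managed": policy_ref is an ARN; "inline": policy_ref is a policy name
    policy_ref: str


def plan_command(f: Finding) -> List[str]:
    """Build the argv of the AWS CLI call that removes this finding from the identity."""
    if f.identity_type not in ("user", "role", "group"):
        raise ValueError(f"unknown identity type {f.identity_type!r}")
    name_flag = f"--{f.identity_type}-name"
    if f.kind == "managed":
        # detach-user-policy / detach-role-policy / detach-group-policy, keyed by ARN
        return ["aws", "iam", f"detach-{f.identity_type}-policy",
                name_flag, f.identity_name, "--policy-arn", f.policy_ref]
    if f.kind == "inline":
        # delete-user-policy / delete-role-policy / delete-group-policy, keyed by name
        return ["aws", "iam", f"delete-{f.identity_type}-policy",
                name_flag, f.identity_name, "--policy-name", f.policy_ref]
    raise ValueError(f"unknown policy kind {f.kind!r}")


def remediate(findings: Iterable[Finding], session: Optional[Any] = None,
              apply: bool = False) -> List[str]:
    """Return one shell-quoted command line per finding (dry run). With apply=True and a
    boto3 session (assumed credentialed), also issue the equivalent IAM API call."""
    lines: List[str] = []
    iam = session.client("iam") if apply else None
    for f in findings:
        argv = plan_command(f)
        lines.append(shlex.join(argv))
        if apply:
            method = argv[2].replace("-", "_")           # detach-user-policy -> detach_user_policy
            name_key = f"{f.identity_type.capitalize()}Name"   # UserName / RoleName / GroupName
            value_key = "PolicyArn" if f.kind == "managed" else "PolicyName"
            getattr(iam, method)(**{name_key: f.identity_name, value_key: f.policy_ref})
    return lines


# Constructed findings mirroring the page's example identities and policies.
SAMPLE_FINDINGS = [
    Finding("user", "cc-project5-resource-manager", "managed",
            "arn:aws:iam::123456789012:policy/cc-full-access-policy"),
    Finding("role", "cc-project5-main-role", "inline", "cc-full-admin-policy"),
    Finding("group", "cc-project5-cloud-managers", "inline", "cc-full-admin-policy"),
]


if __name__ == "__main__":
    for line in remediate(SAMPLE_FINDINGS):
        print(line)
```

Review the dry-run output before applying: each line is one of the detach-*-policy or delete-*-policy commands from the steps above, so the plan can be checked against the identities that actually need the change.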

Publication date Dec 6, 2017