Ensure that no IAM policies (inline or customer-managed) that allow full administrative privileges are available in your AWS cloud account, in order to follow the Principle of Least Privilege and give the IAM users, groups, and roles that use these policies only the minimal access required to perform their tasks. An IAM policy that provides full administrative permissions is one that contains the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*".
This rule can help you with the following compliance standards:
- CISAWSF
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Providing full administrative privileges instead of restricting access to the minimum set of permissions can expose your AWS cloud resources to potentially unwanted actions. Trend Cloud One™ – Conformity strongly recommends creating and using IAM policies that implement the Principle of Least Privilege (i.e. providing the minimal set of actions required to successfully perform the desired tasks) instead of using overly permissive policies.
Audit
Case A: To determine if there are any customer-managed IAM policies that allow full administrative privileges available in your AWS cloud account, perform the following actions:
Case B: To determine if there are any inline IAM policies that allow full administrative privileges available in your AWS account, perform the following actions:
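As an added example (not part of the Conformity rule page or its tooling), the following check applies the rule's definition to policy documents gathered for either case, for instance the output of the list-policies/get-policy-version commands for customer-managed policies or get-user-policy, get-role-policy and get-group-policy for inline policies. The policy names and documents below are constructed for the demonstration; the check deliberately ignores Condition blocks, matching the rule's definition.

```python
import json
from urllib.parse import quote, unquote


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [] if value is None else value if isinstance(value, list) else [value]


def full_admin_statements(policy_document):
    """Return the statements that grant full admin access, i.e. the combination
    "Effect": "Allow", "Action": "*", "Resource": "*" from the rule text.
    Accepts a dict, a JSON string, or a URL-encoded JSON string (the raw IAM API
    returns documents URL-encoded; the CLI and boto3 decode them for you).
    Condition blocks are not evaluated, which matches the rule's definition."""
    if isinstance(policy_document, str):
        if policy_document.lstrip().startswith("%"):
            policy_document = unquote(policy_document)
        policy_document = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy_document.get("Statement")):  # dict or list
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny on "*"/"*" is not a finding
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append(stmt)
    return findings


def audit_policies(documents):
    """documents maps policy name -> document, as gathered with
    'aws iam list-policies' + 'get-policy-version' (customer-managed) or
    'get-user-policy' / 'get-role-policy' / 'get-group-policy' (inline).
    Returns the names of the policies that grant full administrative privileges."""
    return sorted(name for name, doc in documents.items() if full_admin_statements(doc))


# Constructed sample documents for the demonstration (not real account data).
FULL_ADMIN_POLICY = {"Version": "2012-10-17",
                     "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
INLINE_ADMIN_POLICY_ENCODED = quote(json.dumps(  # as the raw IAM API would return it
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:*", "*"], "Resource": ["*"]}]}))
SAMPLE_POLICIES = {
    "ConstructedAdminPolicy": json.dumps(FULL_ADMIN_POLICY),
    "ConstructedReadOnlyPolicy": LEAST_PRIVILEGE_POLICY,
    "ConstructedInlineAdminPolicy": INLINE_ADMIN_POLICY_ENCODED,
}
```

Any name returned by audit_policies is a policy to detach (managed) or delete (inline) as described in the remediation steps, after replacing it with a policy scoped to the actions the principal actually needs.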
Remediation / Resolution
Case A: To detach the managed IAM policies that provide full administrative privileges from your IAM users, groups, and roles, perform the following actions:
Case B: To remove inline IAM policies that provide full administrative privileges from your IAM users, groups, or roles, perform the following actions:
References
- AWS Documentation
  - AWS IAM FAQs
  - Security Best Practices in IAM
  - Managed Policies and Inline Policies
  - IAM JSON Policy Reference
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-policies
    - get-policy-version
    - get-user-policy
    - get-role-policy
    - get-group-policy
    - detach-user-policy
    - detach-role-policy
    - detach-group-policy
    - delete-user-policy
    - delete-role-policy
    - delete-group-policy
- Terraform Documentation
  - AWS Provider