Unapproved IAM Policy in Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: IAM-068

To protect your AWS cloud resources against unauthorized access and meet strict compliance requirements within your organization, ensure that unapproved Amazon IAM managed policies are not attached to IAM roles, users, or groups. Prior to running this rule by the Conformity engine, the list with the unapproved IAM policies must be defined in the conformity rule settings, on the Trend Micro Cloud One™ – Conformity account console.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Setting boundaries for the use of identity-based policies within your organization can help you address internal security compliance, protect sensitive and confidential data, and even prevent unexpected charges on your AWS bill. You can explicitly specify the IAM managed policies that are not allowed to be attached to IAM roles, users, or groups within your AWS cloud account. To adhere to Amazon Identity and Access Management (IAM) security best practices, you can either detach the unapproved IAM policies or approve them after a complete compliance review.


Audit

To determine if there are any unapproved Amazon IAM managed policies used within your AWS account, perform the following operations:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Unapproved IAM Policy in Use conformity rule settings and copy the name of the unapproved IAM managed policy that you want to examine.

02 Sign in to AWS Management Console.

03 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

04 In the left navigation panel, select Policies to access the list of the IAM managed policies available in your AWS account.

05 Paste the name of the unapproved policy, copied at step no. 1, in the Search box and press Enter.

06 Click on the name (link) of the IAM managed policy returned as search result.

07 Select the Policy usage tab and check the Permissions section for the list of IAM identities (roles, users, and groups) associated with the selected policy. If the selected Amazon IAM managed policy is attached to one or more IAM identities, the unapproved policy is used within your AWS cloud account, therefore you must take action and decommission (detach) the selected IAM policy.

08 Repeat steps no. 1 – 7 to determine the usage status for other unapproved Amazon IAM managed policies.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Unapproved IAM Policy in Use conformity rule settings and copy the Amazon Resource Name (ARN) of the unapproved IAM managed policy that you want to examine.

02 Run get-policy command (OSX/Linux/UNIX) using the ARN of the unapproved IAM policy that you want to examine as identifier parameter and custom query filters to describe the number of IAM entities (users, groups, and roles) that the selected policy is attached to:

aws iam get-policy
	--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
	--query 'Policy.{"AttachmentCount": AttachmentCount}'

03 The command output should return the attachment count for the specified identity-based policy:

{
    "AttachmentCount": 3
}

If the "AttachmentCount" configuration attribute value is different than 0 (zero), as shown in the example above, the selected Amazon IAM managed policy is attached to one or more IAM identities, therefore the unapproved IAM policy is used within your AWS cloud account.

04 Repeat steps no. 1 – 3 to determine the usage status for other unapproved Amazon IAM managed policies.

Remediation / Resolution

To ensure that all unapproved Amazon IAM managed policies are decommissioned within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Policies to access the list of the IAM managed policies available in your AWS account.

04 Paste the name of the unapproved policy that you want to decommission in the Search box and press Enter.

05 Click on the name (link) of the unapproved IAM policy returned as search result.

06 Choose the Policy usage tab and perform the following actions:

  1. Select all IAM identities (roles, users, and groups) associated with the IAM managed policy and choose Detach.
  2. Inside the Detach Policy confirmation box, choose Detach.

07 Repeat steps no. 4 – 6 to deactivate (detach) other unapproved Amazon IAM managed policies used within your AWS account.

Using AWS CLI

01 Run list-entities-for-policy command (OSX/Linux/UNIX) using the ARN of the unapproved IAM policy that you want to decommission as identifier parameter and custom query filters to list the names of the IAM identities (roles, users, and groups) that the specified managed policy is attached to:

aws iam list-entities-for-policy
	--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
	--query '{"PolicyGroups": PolicyGroups[*].GroupName, "PolicyUsers": PolicyUsers[*].UserName, "PolicyRoles": PolicyRoles[*].RoleName}'

02 The command output should return the names of the IAM identities associated with the selected policy:

{
    "PolicyGroups": [
        "cc-project5-iam-group"
    ],
    "PolicyUsers": [
        "cc-project5-db-user"
    ],
    "PolicyRoles": [
        "cc-rds-developer-role"
    ]
}

03 Depending on the type of the IAM identity (role, user, or group) associated with your unapproved managed policy, execute one of the following commands:

  1. If the policy is attached to an IAM group, run detach-group-policy command (OSX/Linux/UNIX) to detach the selected managed policy from the specified IAM group. The following command example removes a managed, unapproved policy, identified by the ARN "arn:aws:iam::aws:policy/AmazonRDSFullAccess", from an IAM group named "cc-project5-iam-group" (the command does not produce an output):
    aws iam detach-group-policy
    	--group-name cc-project5-iam-group
    	--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
    
  2. If the policy is attached to an IAM user, run detach-user-policy command (OSX/Linux/UNIX) to detach the selected managed policy from the specified IAM user (the command does not return an output):
    aws iam detach-user-policy
    	--user-name cc-project5-db-user
    	--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
    
  3. If the policy is attached to an IAM role, run detach-role-policy command (OSX/Linux/UNIX) to detach the selected managed policy from the specified IAM role (the command does not produce an output):
    aws aws iam detach-role-policy
    	--role-name cc-rds-developer-role
    	--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
    

04 Repeat steps no. 1 – 3 to deactivate (detach) other unapproved Amazon IAM managed policies used within your AWS cloud account.

References

Publication date Dec 30, 2020

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Unapproved IAM Policy in Use

Risk level: High