- Ensure IAM policies that allow full administrative privileges are not created
IAM policies that allow full administrative privileges are created
Description
IAM policies are the primary mechanism for assigning permissions to users, groups, and roles within AWS. The principle of least privilege dictates that users should be granted only the minimum set of permissions necessary to complete their tasks. Assigning broad administrative privileges can expose AWS resources to unintended or potentially harmful actions.
Best Practices:
- Define user roles and responsibilities first to ensure that policies are tailored specifically to the tasks they need to perform.
- Avoid granting full administrative privileges to users unless absolutely necessary.
- Start with the minimum set of permissions, and progressively grant additional access based on specific needs or evolving requirements.
- Remove policies that contain statements with "Effect": "Allow", where the action is overly broad (e.g., "Action": "*") and the resource is not specifically restricted (e.g., "Resource": "*"), as they represent excessive and potentially risky access.
By adhering to these guidelines, you can better secure your AWS environment and minimize the risk of privilege escalation or unauthorized actions.
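The check described above can be automated against any policy document. The following is an added example, not part of the original page or of the vendor's scanner: it normalises the shapes IAM allows (Statement as an object or a list, Action and Resource as a string or a list) and flags every Allow statement whose action is unrestricted ("*" or "*:*") and whose resource is "*". The two sample policy documents are constructed for illustration.

```python
import json

# Constructed sample policy documents (not from the page): one that grants
# full administrative privileges and one scoped to specific S3 buckets.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket*", "s3:Get*"],
         "Resource": ["arn:aws:s3:::b1", "arn:aws:s3:::b1/*"]},
        {"Effect": "Allow",
         "Action": "s3:PutObject*",
         "Resource": "arn:aws:s3:::b1/*"},
    ],
})


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def find_admin_statements(policy_json):
    """Return the indexes of statements matching the check: Effect Allow,
    an unrestricted Action ("*" or "*:*") and an unrestricted Resource ("*").
    A Condition element does not exempt a statement; the check is conservative.
    Accepts a JSON string or an already-parsed dict."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    hits = []
    for idx, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            hits.append(idx)
    return hits


def grants_full_admin(policy_json):
    """True when at least one statement grants full administrative privileges."""
    return bool(find_admin_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("ADMIN_POLICY", ADMIN_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "->", "FAIL" if grants_full_admin(doc) else "PASS",
              find_admin_statements(doc))
```

Because the function accepts a parsed dict as well as a string, the Document field returned by aws iam get-policy-version (or the boto3 equivalent) can be passed in directly for each customer-managed policy in an account.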
Fix - Runtime
AWS Console
To detach the policy that has full administrative privileges, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- In the navigation pane, click Policies and then search for the policy name found in the audit step.
- Select the policy to be deleted.
- In the Policy Action menu, first select Detach.
- Select all Users, Groups, and Roles that have this policy attached.
- Click Detach Policy.
- In the Policy Action menu, select Detach.
CLI command
To detach the policy that has full administrative privileges as found in the audit step, use the following commands:
- List all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
- Detach the policy from all IAM Users.
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
- Detach the policy from all IAM Groups.
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
- Detach the policy from all IAM Roles.
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
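The detach step has to be repeated for every user, group and role returned by list-entities-for-policy. The following added example (not from the original page) fans the response out into the three detach commands above; the response shape (PolicyUsers, PolicyGroups, PolicyRoles with UserName, GroupName and RoleName fields) is the real one, while the entity names and policy ARN are constructed placeholders. It runs in dry-run mode by default and only invokes the AWS CLI when asked to.

```python
import subprocess

# Constructed sample shaped like `aws iam list-entities-for-policy` output;
# the ARN and entity names are placeholders, not values from the page.
SAMPLE_POLICY_ARN = "arn:aws:iam::123456789012:policy/example-admin-policy"
SAMPLE_ENTITIES = {
    "PolicyGroups": [{"GroupName": "admins", "GroupId": "AGPAEXAMPLE"}],
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLE1"},
                    {"UserName": "bob", "UserId": "AIDAEXAMPLE2"}],
    "PolicyRoles": [{"RoleName": "deploy-role", "RoleId": "AROAEXAMPLE"}],
}

# Response key -> (CLI subcommand, name flag, field holding the entity name).
_DETACH = {
    "PolicyUsers": ("detach-user-policy", "--user-name", "UserName"),
    "PolicyGroups": ("detach-group-policy", "--group-name", "GroupName"),
    "PolicyRoles": ("detach-role-policy", "--role-name", "RoleName"),
}


def detach_commands(entities, policy_arn):
    """Build one detach command (as an argv list) per attached user, group and role."""
    cmds = []
    for key, (subcmd, flag, name_field) in _DETACH.items():
        for entity in entities.get(key, []):
            cmds.append(["aws", "iam", subcmd, flag, entity[name_field],
                         "--policy-arn", policy_arn])
    return cmds


def detach_all(entities, policy_arn, dry_run=True):
    """Detach the policy from every entity; with dry_run the commands are only
    returned (and printed), never executed. Returns the commands as strings."""
    rendered = []
    for argv in detach_commands(entities, policy_arn):
        line = " ".join(argv)
        rendered.append(line)
        print(("DRY-RUN: " if dry_run else "RUN: ") + line)
        if not dry_run:
            subprocess.run(argv, check=True)
    return rendered


if __name__ == "__main__":
    detach_all(SAMPLE_ENTITIES, SAMPLE_POLICY_ARN, dry_run=True)
```

The AWS CLI paginates list-entities-for-policy for you; if the response is fetched with boto3 instead, use its paginator and feed each page through detach_all so no attachment is missed before the policy itself is deleted.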
Fix - Buildtime
Terraform
Resource: aws_iam_policy
resource "aws_iam_policy" "pass1" {
  name   = "pass1"
  path   = "/"
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket*",
        "s3:HeadBucket",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::b1",
        "arn:aws:s3:::b1/*",
        "arn:aws:s3:::b2",
        "arn:aws:s3:::b2/*"
      ],
      "Sid": ""
    },
    {
      "Action": "s3:PutObject*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::b1/*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}