- Ensure AWS IAM policy does not allow full administrative privileges
AWS IAM policy allows full administrative privileges
Description
IAM policies should adhere to the principle of least privilege, granting only the minimum set of permissions necessary for a user, role, or service to perform its tasks. Additional permissions should be granted only as needed. Assigning full administrative privileges when they are not explicitly required increases the risk of exposing resources to unintended or unauthorized actions, thereby broadening the attack surface and undermining security controls.
Fix - Runtime
AWS Console
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- In the navigation pane, click Policies and then search for the policy name found in the audit step.
- Select the policy that needs to be deleted.
- In the policy action menu, select Detach first.
- Select all users, groups, and roles that have this policy attached.
- Click Detach Policy.
- In the policy action menu, select Detach.
CLI Command
- List all IAM users, groups, and roles that the specified managed policy is attached to:
aws iam list-entities-for-policy --policy-arn <policy_arn>
- Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
- Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
- Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
Fix - Buildtime
Terraform
- Resources: aws_iam_policy
- Argument: policy – (Required) The policy document. This is a JSON-formatted string. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
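The detection logic behind this check, written as an added Python example (not code from the page or from any scanner): it parses an IAM policy document and flags Allow statements that combine Action "*" with Resource "*". Two assumptions are mine, not the page's: "*:*" is treated the same as "*", and a statement carrying a Condition is treated as narrowed and therefore not flagged. The sample policies are constructed; the first reproduces the Terraform policy body above.

```python
import json


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt):
    """True when a statement grants every action on every resource.

    Matches Effect Allow, Action "*" (assumption: "*:*" treated the same), Resource "*".
    Assumption: a Condition narrows the grant, so conditioned statements are not flagged.
    """
    if stmt.get("Effect") != "Allow" or "Condition" in stmt:
        return False
    actions = {a.strip().lower() for a in _as_list(stmt.get("Action"))}
    resources = set(_as_list(stmt.get("Resource")))
    return bool(actions & {"*", "*:*"}) and "*" in resources


def find_full_admin_statements(policy_document):
    """Accept a policy as a JSON string or a dict; return indexes of offending statements."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = _as_list(doc.get("Statement"))
    return [i for i, stmt in enumerate(statements) if is_full_admin_statement(stmt)]


# Constructed sample: the policy body from the Terraform resource above (fails the check).
ADMIN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Action": ["*"], "Effect": "Allow", "Resource": "*"}]
}"""

# Constructed sample: a least-privilege policy scoped to one bucket (passes the check).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},  # a Deny on "*" is not a grant
    ],
}

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        hits = find_full_admin_statements(doc)
        print(f"{name}: {'FAIL' if hits else 'PASS'} (offending statements: {hits})")
```

Feed it the JSON returned by `aws iam get-policy-version` for each customer-managed policy to reproduce the audit step before running the detach commands above.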