Excessive permissions are granted for IAM users

Description

When managing IAM policies in AWS, it is essential to adhere to the principle of least privilege (POLP), a core security concept that ensures entities are granted only the permissions necessary to perform specific tasks. This approach mandates that developers analyze the specific actions required by users and roles, and then construct IAM policies that strictly limit access to those actions.

To enforce the principle of least privilege and ensure that only the necessary permissions are assigned to IAM entities, Prowler:

  • Extracts data from AWS Access Advisor, including details on the services and actions last accessed within the defined policy.
  • Compares the permissions granted at the service level with the actual permissions exercised by each user, role, group, or policy over the past 90 days.

For instance, if a role is attached to a policy, and the policy grants more permissions than the role has actually utilized, Prowler will recommend revoking the unused permissions to align with the least privilege principle.
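As an added illustration of the comparison just described (example code, not Prowler's own), the following Python derives the service-level view from a policy document and flags granted services with no authenticated access in the last 90 days. The input shape mirrors the ServicesLastAccessed list returned by IAM GetServiceLastAccessedDetails; the policy and Access Advisor data are constructed samples.

```python
from datetime import datetime, timedelta, timezone

UNUSED_AFTER_DAYS = 90  # Access Advisor window the check compares against

def granted_services(policy_doc):
    """Service namespaces an IAM policy allows (service level, as in the check above)."""
    services = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            # "ec2:Describe*" -> "ec2"; a bare "*" grants every service
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services

def unused_services(policy_doc, services_last_accessed, now=None):
    """Granted services with no authenticated access inside the window.
    `services_last_accessed` mirrors the ServicesLastAccessed list of IAM
    GetServiceLastAccessedDetails: never-used services carry no LastAuthenticated."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=UNUSED_AFTER_DAYS)
    granted = granted_services(policy_doc)
    recently_used = {
        e["ServiceNamespace"] for e in services_last_accessed
        if e.get("LastAuthenticated") and e["LastAuthenticated"] >= cutoff
    }
    if "*" in granted:
        # Full wildcard: every service Access Advisor reports is a candidate.
        granted = {e["ServiceNamespace"] for e in services_last_accessed}
    return sorted(granted - recently_used)

# Constructed sample data: the Terraform policy below widened with s3 and iam,
# and an Access Advisor result where only ec2 was used inside 90 days.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:Describe*", "s3:GetObject", "iam:ListUsers"]}],
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ADVISOR = [
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceNamespace": "iam"},  # TotalAuthenticatedEntities would be 0: never used
]

print(unused_services(SAMPLE_POLICY, SAMPLE_ADVISOR, now=NOW))  # ['iam', 's3']
```

The two services reported are the ones whose permissions the recommendation would revoke; against a live account, the same two functions can be fed the output of `get_service_last_accessed_details` and the attached policy documents.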

When you select an insight and examine an IAM entity, Prowler presents a color-coded and symbol-labeled list of permissions. This list visually illustrates how the entity’s permissions would be modified if the recommended changes were implemented.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. In the navigation pane, choose Users.
  4. Choose the name of the user whose permissions boundary you want to remove.
  5. Choose the Permissions tab.
  6. If you want to revoke permissions by removing an existing policy, view the Policy type to understand how the user is getting that policy before choosing X to remove the policy.

CLI Command

To detach a managed policy from a user identity, use the following command:
aws iam detach-user-policy

Fix - Buildtime

Terraform

  • Resource: aws_iam_user_policy
  • Argument: policy
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
-      "Resource": "*"
    }
  ]
}
EOF
}

CloudFormation

  • Resource: AWS::IAM::User
  • Argument: Policies – Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see Declaring an IAM User Resource.
Type: AWS::IAM::User
Properties: 
  Groups: 
    - String
  LoginProfile: 
    LoginProfile
  ManagedPolicyArns: 
    - String
  Path: String
  PermissionsBoundary: String
  Policies: 
    - Policy
  Tags: 
    - Tag
  UserName: String