- Ensure excessive permissions are not granted for IAM policy
Excessive permissions are granted for IAM policy
Description
When designing and modifying IAM policies in AWS, it is critical to adhere to the Principle of Least Privilege (POLP): grant only the minimum permissions required to perform a specific action or task. Implementing this principle involves a thorough assessment of the actions each user and role actually needs, followed by precise IAM policy documents that permit only those actions, on only the resources they are needed on.
To enforce the principle of least privilege across existing IAM entities, Prowler performs the following operations:
- Retrieves data from AWS IAM Access Advisor, which records, per service, when an entity last authenticated against that service through the permissions in its IAM policies.
- Compares the service-level permissions granted to users, roles, groups, or policies with the permissions actually exercised over the past 90 days. This comparison identifies the gap between granted and utilized permissions.
For instance, if a role is associated with a policy that grants access to more services than the role has used in the last 90 days, Prowler recommends revoking the excess permissions so that the role adheres to least privilege.
When reviewing an insight and selecting an IAM entity, Prowler presents a color-coded and symbol-annotated list of permissions. This visualization shows how the permissions of the selected IAM entity would change if the recommended changes were applied, giving a clear understanding of the impact on the entity's access rights.
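The comparison described above, as an added example (not Prowler's own code): granted services are read out of a policy document, compared against Access Advisor's per-service last-authenticated timestamps with a 90-day window, and a pruned policy with the unused services removed is produced. The policy document, the Access Advisor entries and the reference time are constructed sample data shaped like the output of iam:GetPolicyVersion and iam:GetServiceLastAccessedDetails; fetch_last_accessed is a helper name chosen here, not Prowler's, and is the only part that needs AWS credentials.

```python
"""Granted-vs-used IAM service comparison (added example, not Prowler's own code)."""
import copy
from datetime import datetime, timedelta, timezone

UNUSED_AFTER = timedelta(days=90)  # window from the description above


def _statements(policy_doc):
    """IAM allows a single statement object instead of a list; normalise to a list."""
    statements = policy_doc.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def _actions(stmt):
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def granted_services(policy_doc):
    """Service prefixes granted by Allow statements, e.g. 'ec2' from 'ec2:Describe*'.
    A bare '*' action is returned as '*': it grants every service."""
    services = set()
    for stmt in _statements(policy_doc):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services


def unused_services(policy_doc, last_accessed, now):
    """Granted services with no authenticated access within UNUSED_AFTER, sorted.

    last_accessed: list of dicts like Access Advisor's ServicesLastAccessed
    (ServiceNamespace, plus LastAuthenticated as an aware datetime when ever used).
    A bare '*' grant is always reported: nothing in Access Advisor can justify it."""
    cutoff = now - UNUSED_AFTER
    used = {
        e["ServiceNamespace"].lower()
        for e in last_accessed
        if e.get("LastAuthenticated") is not None and e["LastAuthenticated"] >= cutoff
    }
    return sorted(granted_services(policy_doc) - used)


def prune_policy(policy_doc, unused):
    """Copy of the policy with Allow actions for the unused services removed.
    Allow statements left with no actions are dropped; Deny statements and a bare
    '*' action are kept untouched (a '*' grant has to be rewritten by hand)."""
    pruned = copy.deepcopy(policy_doc)
    kept = []
    for stmt in _statements(pruned):
        if stmt.get("Effect") != "Allow":
            kept.append(stmt)
            continue
        remaining = [a for a in _actions(stmt)
                     if a == "*" or a.split(":", 1)[0].lower() not in unused]
        if remaining:
            stmt["Action"] = remaining
            kept.append(stmt)
    pruned["Statement"] = kept
    return pruned


def fetch_last_accessed(arn, poll_seconds=2):
    """Pull Access Advisor data for a user/group/role/policy ARN (needs AWS credentials).
    Not exercised by the sample run below; boto3 is imported lazily so the rest runs offline."""
    import time
    import boto3
    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(Arn=arn)["JobId"]
    entries, marker = [], None
    while True:
        kwargs = {"JobId": job_id, **({"Marker": marker} if marker else {})}
        resp = iam.get_service_last_accessed_details(**kwargs)
        if resp["JobStatus"] == "IN_PROGRESS":
            time.sleep(poll_seconds)
            continue
        if resp["JobStatus"] == "FAILED":
            raise RuntimeError(resp.get("Error"))
        entries.extend(resp["ServicesLastAccessed"])
        if not resp.get("IsTruncated"):
            return entries
        marker = resp["Marker"]


# Constructed sample data (not real account data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
SAMPLE_LAST_ACCESSED = [
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=120)},
    {"ServiceNamespace": "iam"},  # granted but never authenticated
]

if __name__ == "__main__":
    unused = unused_services(SAMPLE_POLICY, SAMPLE_LAST_ACCESSED, NOW)
    print("granted but unused in 90 days:", unused)
    print("pruned policy:", prune_policy(SAMPLE_POLICY, set(unused)))
```

Access Advisor is service-level, so the pruned policy still lists every action of a service that was touched even once; the remaining actions and the `Resource: "*"` still have to be narrowed by hand (or from CloudTrail) before the result is a genuinely least-privilege policy.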
Fix - Runtime
AWS Console
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- In the navigation pane, choose Policies.
- In the list of policies, choose the name of the policy to edit. You can use the Filter menu and the search box to narrow the list.
- Choose the Permissions tab, and then choose Edit Policy.
- Remove the actions and resources that Access Advisor reports as unused, then save the policy; the change becomes the new default policy version for every entity the policy is attached to.
Fix - Buildtime
Terraform
- Resource: aws_iam_policy
- Argument: policy – (Required) The policy document. This is a JSON formatted string.
resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Only read-only EC2 Describe* actions are granted. Describe* calls do not
  # support resource-level permissions, so "*" is the narrowest Resource
  # possible here; for actions that do, list the exact ARNs instead.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
CloudFormation
- Resource: AWS::IAM::Policy
- Argument: PolicyDocument – Adds or updates an inline policy document that is embedded in the specified IAM user, group, or role. To view AWS::IAM::Group snippets, see Declaring an IAM Group Resource.
CFNUserPolicy:                 # logical ID (any name)
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: CFNUsers
    PolicyDocument:
      Version: '2012-10-17'    # quoted so YAML does not parse it as a date
      Statement:
        # Read-only CloudFormation actions only; no Create/Update/Delete.
        - Effect: Allow
          Action:
            - 'cloudformation:Describe*'
            - 'cloudformation:List*'
            - 'cloudformation:Get*'
          Resource: '*'
    Groups:
      - !Ref CFNUserGroup