Excessive permissions are granted for IAM groups
Description
When configuring and managing IAM groups in AWS, it is essential to follow the Principle of Least Privilege (POLP). This security framework mandates that only the minimal permissions necessary to perform a specific task are granted. To effectively implement this principle, developers must assess the exact requirements of each group (and associated roles), and then design IAM policy documents that authorize only those necessary actions.
To ensure that IAM entities are assigned only the required privileges, Prowler performs the following operations:
- Extracts data from AWS Access Advisor, including information on the last accessed actions for services specified in the IAM policy.
- Cross-references the permissions granted at the service level with the actual permissions used by each user, role, group, or policy over the last 90 days. This analysis helps to identify any excessive or unused permissions.
For example, if a group is associated with a policy that grants permissions that are not being actively used, Prowler will recommend revoking the unnecessary permissions for that group, thereby minimizing the security risk.
Upon selecting an insight and reviewing a specific IAM entity, Prowler presents a color-coded and symbol-labeled list of permissions, visually indicating how the permissions of the selected entity would be adjusted if the recommended changes are applied. This provides a clear view of how permissions will change post-recommendation, facilitating informed decision-making.
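The comparison described above, written out as an added Python example (not Prowler's own code): it takes a group's policy document and an Access Advisor result shaped like the ServicesLastAccessed list returned by iam:GetServiceLastAccessedDetails, reports the services granted but unused for 90 days, and produces the trimmed policy. The policy and Access Advisor data are constructed samples.

```python
import copy
from datetime import datetime, timedelta, timezone

UNUSED_AFTER_DAYS = 90  # the lookback window the page describes

def service_of(action):
    """'ec2:Describe*' -> 'ec2'; a bare '*' is kept as '*'."""
    return "*" if action == "*" else action.split(":", 1)[0].lower()

def actions_of(stmt):
    acts = stmt.get("Action", [])  # Action may be a string or a list
    return [acts] if isinstance(acts, str) else list(acts)

def unused_services(policy, services_last_accessed, now):
    """Services granted by Allow statements that Access Advisor shows unused for
    UNUSED_AFTER_DAYS. Entries carry ServiceNamespace and, if ever used,
    LastAuthenticated. A bare '*' is always reported: service data can't justify it."""
    cutoff = now - timedelta(days=UNUSED_AFTER_DAYS)
    last_used = {e["ServiceNamespace"]: e.get("LastAuthenticated")
                 for e in services_last_accessed}
    granted = {service_of(a) for s in policy["Statement"]
               if s.get("Effect") == "Allow" for a in actions_of(s)}
    return {svc for svc in granted
            if svc == "*" or last_used.get(svc) is None or last_used[svc] < cutoff}

def trimmed_policy(policy, unused):
    """Copy of the policy minus Allow actions on unused services; emptied Allow
    statements are dropped, Deny statements are left untouched."""
    result = copy.deepcopy(policy)
    kept = []
    for stmt in result["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Action"] = [a for a in actions_of(stmt) if service_of(a) not in unused]
            if not stmt["Action"]:
                continue
        kept.append(stmt)
    result["Statement"] = kept
    return result

# Constructed sample (modelled on the page's Terraform policy) and a constructed
# Access Advisor result in which only EC2 was used within the last 90 days.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"},
]}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCESS_ADVISOR = [
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceNamespace": "iam"},  # never authenticated
]
```

Calling `trimmed_policy(SAMPLE_POLICY, unused_services(SAMPLE_POLICY, SAMPLE_ACCESS_ADVISOR, NOW))` leaves only the `ec2:Describe*` statement, which is the kind of revocation the recommendation proposes.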
Fix - Runtime
AWS Console
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- In the navigation pane, choose Groups.
- Choose the name of the group with the policy that you want to modify, then choose the Permissions tab.
- To edit an inline policy, click Edit Policy.
- After you have modified your JSON policy, click Save.
CLI Command
To detach a managed policy from a group, use the following command (replace the placeholders with the group name and the ARN of the policy to remove):
aws iam detach-group-policy --group-name <group-name> --policy-arn <policy-arn>
Fix - Buildtime
Terraform
- Resource: aws_iam_group_policy
- Argument: policy – (Required) The policy document. This is a JSON formatted string.
resource "aws_iam_group_policy" "my_developer_policy" {
  name   = "my_developer_policy"
  group  = aws_iam_group.my_developers.name
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
CloudFormation
- Resource: AWS::IAM::Group
- Argument: Policies – Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see Declaring an IAM Group Resource.
Type: AWS::IAM::Group
Properties:
  GroupName: String
  ManagedPolicyArns:
    - String
  Path: String
  Policies:
    - Policy