
AWS IAM Users with Admin Privileges

Security

Risk level: High (not acceptable risk)

Ensure that there are no Amazon IAM users with administrator permissions (i.e. privileged users) in your AWS account, in order to adhere to IAM security best practices and implement the principle of least privilege (the practice of granting every user only the minimal amount of access required to perform their tasks). A privileged IAM user is an IAM identity that has full access to AWS services and resources through the AdministratorAccess IAM managed policy. Cloud Conformity strongly recommends that IAM administration and permission management within your AWS account be divided between two well-defined roles: IAM Master and IAM Manager. The IAM Master and IAM Manager role policies must replace the AdministratorAccess policy attached to the privileged IAM user, so that other IAM users and roles are created and configured with limited permissions that follow the same principle of least privilege.

This rule resolution is part of the Cloud Conformity Security Package

When an IAM user with administrator-level permissions (i.e. authorization to modify or remove any resource, access any data within the AWS environment and use any service or component) is used by an inexperienced person within your organization, their actions can lead to severe security problems, data leaks, data loss or unexpected charges on your AWS bill.

Audit

To determine if there are any IAM users with administrator-level permissions in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the username of the AWS IAM user that you want to examine.

05 On the IAM user Summary page, select the Permissions tab from the bottom panel.

06 Inside the Access Policies section, verify the name of each managed access policy currently attached to the IAM user. If the name of the access policy attached is set to "AdministratorAccess", the selected IAM user has AWS administrator-level permissions, therefore the admin access policy implemented for the current AWS account is not following the IAM security best practices.

07 Repeat steps no. 4 – 6 to verify the IAM access policy for other Amazon IAM users available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM users currently available within your AWS account:

aws iam list-users \
	--output table \
	--query 'Users[*].UserName'

02 The command output should return a table with the requested IAM user identifiers:

--------------------------
|        ListUsers       |
+------------------------+
|  cc-aws-administrator  |
|  elasticsearch-manager |
|  ...                   |
|  amazon-ec2-manager    |
|  aws-dev-manager       |
+------------------------+

03 Run list-attached-user-policies command (OSX/Linux/UNIX) using the name of the IAM user that you want to examine as identifier and custom filtering to list the names of the managed access policies currently attached to the selected AWS IAM user:

aws iam list-attached-user-policies \
	--user-name cc-aws-administrator \
	--output table \
	--query 'AttachedPolicies[*].PolicyName'

04 The command output should return a table that contains the name of the managed policy (or policies) attached to the IAM user:

--------------------------
|ListAttachedUserPolicies|
+------------------------+
|  AdministratorAccess   |
+------------------------+

If the table with the requested metadata returned by the command output contains a managed policy named "AdministratorAccess", the selected IAM user has AWS administrator-level permissions (given by the AdministratorAccess policy), therefore the admin access policy implemented for your AWS account is not following the IAM security best practices.

05 Repeat step no. 3 and 4 to check the IAM access policy for other Amazon IAM users created within your AWS account.
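The audit steps above check one user's directly attached managed policies at a time. As an added example (not part of the Cloud Conformity page), the following Python evaluates an account-wide report shaped like the output of `aws iam get-account-authorization-details` and also flags AdministratorAccess inherited through a group, plus inline policies that allow every action on every resource. The report data is constructed; the user and group names are assumptions.

```python
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(value):
    # Policy Action/Resource elements may be a single string or a list.
    return [value] if isinstance(value, str) else list(value or [])

def inline_grants_admin(doc):
    """True if a policy document has an Allow statement for Action "*" on Resource "*"."""
    stmts = doc.get("Statement", [])
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if (s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
                and "*" in _as_list(s.get("Resource"))):
            return True
    return False

def find_admin_users(details):
    """Map each admin-level user to the reasons, including access inherited from its groups."""
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    findings = {}
    for user in details.get("UserDetailList", []):
        # Evaluate the user's own policies, then the policies of every group it belongs to.
        scopes = [("user", user, "UserPolicyList")] + [
            (f"group {g}", groups.get(g, {}), "GroupPolicyList") for g in user.get("GroupList", [])]
        reasons = []
        for label, holder, inline_key in scopes:
            for p in holder.get("AttachedManagedPolicies", []):
                if p["PolicyArn"] == ADMIN_POLICY_ARN:
                    reasons.append(f"AdministratorAccess attached to {label}")
            for p in holder.get(inline_key, []):
                if inline_grants_admin(p["PolicyDocument"]):
                    reasons.append(f"inline policy {p['PolicyName']} on {label} allows *:*")
        if reasons:
            findings[user["UserName"]] = reasons
    return findings

# Constructed sample shaped like `aws iam get-account-authorization-details` output.
SAMPLE = {
    "UserDetailList": [
        {"UserName": "cc-aws-administrator", "GroupList": [], "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}]},
        {"UserName": "aws-dev-manager", "GroupList": ["power-admins"], "UserPolicyList": [],
         "AttachedManagedPolicies": []},
        {"UserName": "amazon-ec2-manager", "GroupList": [], "UserPolicyList": [], "AttachedManagedPolicies": [
            {"PolicyName": "AmazonEC2FullAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"}]},
    ],
    "GroupDetailList": [
        {"GroupName": "power-admins", "AttachedManagedPolicies": [], "GroupPolicyList": [{"PolicyName": "everything",
         "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}]}],
}

if __name__ == "__main__":
    for name, why in find_admin_users(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
```

Against a real account, feed it the JSON from `aws iam get-account-authorization-details` instead of SAMPLE.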

Remediation/Resolution

To adhere to security best practices and implement the IAM Master and IAM Manager role policies for your privileged AWS IAM user, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the privileged AWS IAM user that you want to reconfigure.

05 On the IAM user Summary page, select the Permissions tab from the bottom panel.

06 Find the AWS AdministratorAccess managed policy and detach it from the selected IAM user access configuration by clicking the x icon available next to the policy entry.

07 Within the Detach policy dialog box, click Detach to confirm the action.

08 Now follow this conformity rule to implement proper IAM administration and permission management with IAM Master and IAM Manager roles.

09 Once the IAM Master and IAM Manager access policies have been created and attached to the necessary IAM groups, go back to the Users page and select again the privileged IAM user.

10 On the selected IAM user Summary page, select the Groups tab from the bottom panel and click Add user to groups to assign the privileged user to the IAM-Masters group created at step no. 8.

11 On the Add User to Groups page, select IAM-Masters group then click Add to Groups button to confirm the action. The privileged IAM user will now inherit the necessary IAM Master role policy.

Using AWS CLI

01 Run detach-user-policy command (OSX/Linux/UNIX) using the name of the IAM user that you want to reconfigure as identifier (see Audit section part II to identify the right IAM resource) to remove the AdministratorAccess managed access policy that provides administrator-level permissions to the selected AWS IAM user. The following command example detaches the managed policy identified by the ARN "arn:aws:iam::aws:policy/AdministratorAccess" from an IAM user named "cc-aws-administrator" (the command does not produce an output):

aws iam detach-user-policy \
	--user-name cc-aws-administrator \
	--policy-arn arn:aws:iam::aws:policy/AdministratorAccess

02 Follow this conformity rule to implement proper IAM administration and permission management with IAM Master and IAM Manager roles.

03 Once the IAM Master and IAM Manager access policies have been created and attached to the necessary IAM groups, run add-user-to-group command (OSX/Linux/UNIX) to add the privileged user to the IAM-Masters group created at the previous step. The following command example adds an IAM user named "cc-aws-administrator" to an IAM group identified by the name "IAM-Masters" (the command does not return an output):

aws iam add-user-to-group \
	--user-name cc-aws-administrator \
	--group-name "IAM-Masters"

If successful, the privileged IAM user will inherit the AWS IAM Master role access policy.

Publication date Jun 21, 2017