
IAM Customer Managed Policy with Administrative Permissions In Use


Risk level: Medium (should be achieved)

Ensure that an IAM customer managed policy that allows administrative privileges for all AWS services and components is available within your AWS account. Before the Cloud Conformity engine runs this rule, the name of the admin policy must be defined in the rule settings on your Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Security Package

An IAM managed policy is a standalone policy (i.e. it has its own ARN) that can be attached to your IAM identities (users, groups and roles) and cannot be applied to resources. An IAM customer managed policy that provides administrator-level permissions is a policy that contains the following statement: "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ]. When this admin policy is attached to an IAM user, role or group, that IAM identity is authorized to provision, configure or remove any AWS resource, access any data, and use any AWS service or component. An IAM customer managed policy with administrative permissions must exist in your AWS account for administration purposes.

Audit

To determine if there is an IAM customer managed policy that allows administrative privileges available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access IAM Customer Managed Policy with Administrative Permissions In Use conformity rule settings and copy the name of the IAM admin policy defined for your AWS account.

02 Sign in to the AWS Management Console.

03 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

04 In the left navigation panel, choose Policies.

05 From the Filter dropdown menu, select Customer managed to list only the customer managed policies currently available.

06 Paste the name of the IAM policy copied at step no. 1 inside the Search box and press Enter. If the search process does not return any customer managed policies, there is no IAM admin policy created within the current AWS account and the audit process ends here. If the search process returns an IAM customer managed policy as result, the audit process continues with the next step.

07 Click on the name (link) of the IAM policy that you want to examine.

08 Select the Permissions tab and click the {} JSON button to view the selected managed policy document in JSON format.

09 Inside the policy document box, search for a statement with the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*".

If the verified customer managed policy does not contain the specified combination, the selected AWS IAM policy does not provide administrative privileges; therefore no IAM admin policy created for administration purposes is available within your AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access IAM Customer Managed Policy with Administrative Permissions In Use conformity rule settings and copy the name of the IAM admin policy defined for your AWS account.

02 Run the list-policies command (OSX/Linux/UNIX) using the name of the IAM customer managed policy copied at the previous step as the input parameter for the custom query filter, to list the admin policy ARN (if any). Replace <ADMIN_POLICY_NAME> with the name of your IAM admin policy listed within the conformity rule settings:

aws iam list-policies \
	--query "Policies[?PolicyName == '<ADMIN_POLICY_NAME>'].Arn"

03 The command request should return one of the following outputs:

  1. If the list-policies command output returns an empty array (i.e. []), as shown in the example below, there is no IAM admin policy created within the current AWS account and the audit process ends here.
    []

  2. If the command output returns the requested IAM policy ARN, as shown in the example below, the audit process continues with the next step:
    [
        "arn:aws:iam::123456789012:policy/<ADMIN_POLICY_NAME>"
    ]

04 Run the get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to examine, returned at the previous step, as the identifier, to describe the policy document in JSON format:

aws iam get-policy-version \
	--policy-arn arn:aws:iam::123456789012:policy/<ADMIN_POLICY_NAME> \
	--version-id v1 \
	--query 'PolicyVersion.Document'

05 The command output should return the requested IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123456789012",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}

Search for the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*" within the JSON document returned by the get-policy-version command. If the verified IAM customer managed policy does not contain the specified combination, the selected AWS IAM policy does not allow administrative privileges for all AWS services and components; therefore the IAM policy is not compliant.
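The check performed in steps 04 and 05 can be scripted over the JSON that get-policy-version returns. The following Python script is an added example, not part of the Cloud Conformity page or its engine: it applies the Effect/Action/Resource criterion above and also handles the list form ("Action": ["*"]) and a single-object "Statement", both of which IAM accepts. The two sample documents are constructed for the example (the ec2-scoped one mirrors the output shown above); a Condition element, if present, is reported but does not change the verdict.

```python
import json
import sys

# Constructed sample documents (not taken from a live account).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "123456789012", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
    ],
}
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows Statement, Action and Resource as a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(document):
    """Return the statements that grant Effect Allow on Action "*" and Resource "*".

    This is the combination the audit steps search for. NotAction/NotResource
    forms are not examined, matching the page's criterion.
    """
    found = []
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            found.append(stmt)
    return found


def grants_full_admin(document):
    """True when at least one statement provides administrator-level permissions."""
    return len(admin_statements(document)) > 0


if __name__ == "__main__":
    # Usage: aws iam get-policy-version ... --query 'PolicyVersion.Document' | python check.py
    doc = json.load(sys.stdin)
    for stmt in admin_statements(doc):
        cond = " (with Condition)" if "Condition" in stmt else ""
        print("admin statement found" + cond + ": Sid=" + str(stmt.get("Sid", "-")))
    print("full admin: " + ("yes" if grants_full_admin(doc) else "no"))
```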

Remediation / Resolution

To create an Amazon IAM customer managed policy with administrative permissions, required for administration purposes, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Policies.

04 Click the Create button from the dashboard top menu to initiate the policy setup process.

05 On the Create policy page, select JSON tab and paste the following policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

06 Click Review policy to name the new customer managed policy and review its permissions before saving it.

07 On the Review policy panel, provide a name for the IAM admin policy in the Name box and a short description in the Description box.

08 Once the IAM admin policy is properly named and reviewed, click Create policy to save the changes.

Using AWS CLI

01 Define the required set of permissions (i.e. admin policy) that should allow an IAM identity (user, group or role) to access all AWS services and components. Save the following IAM admin policy within a JSON document named iam-admin-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "full-admin-access",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

02 Run the create-policy command (OSX/Linux/UNIX) using the policy document listed at the previous step to create the required IAM customer managed policy, which provides administrative privileges for all services within your AWS account. Replace <ADMIN_POLICY_NAME> with your own IAM admin policy name:

aws iam create-policy \
	--policy-name <ADMIN_POLICY_NAME> \
	--policy-document file://iam-admin-policy.json

03 The command output should return the metadata for the new IAM admin policy:

{
    "Policy": {
        "PolicyName": "<ADMIN_POLICY_NAME>",
        "CreateDate": "2018-03-22T18:52:45Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "AAAABBBBCCCCDDDDEEEEF",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:policy/<ADMIN_POLICY_NAME>",
        "UpdateDate": "2018-03-22T18:52:45Z"
    }
}

Publication date Apr 12, 2018