
IAM Role Policy Too Permissive

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Last updated: 06 February 2017
Security

Risk level: Medium (should be achieved)

Ensure that the access policies attached to your IAM roles adhere to the principle of least privilege by granting each role only the minimal set of actions required to perform its tasks.

Providing the right permissions for your IAM roles will significantly reduce the risk of unauthorized access (through API requests) to your AWS resources and services.

Audit

Case A: To determine if your Amazon IAM role policies allow all actions (i.e. "*"), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the AWS IAM role that you want to examine.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

07 In the Show Policy dialog box, identify the Action element and its current value. If the element value is set to "*", any principal that assumes the role can perform every existing action on the AWS resource(s) defined within the policy statement, therefore the IAM policy is too permissive.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM roles created within your AWS account:

aws iam list-roles \
    --output table \
    --query 'Roles[*].RoleName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListRoles            |
+----------------------------------+
|  ec2-manager                     |
|  redshift-manager                |
|  ...                             |
|  CloudTrail_CloudWatchLogs_Role  |
+----------------------------------+

03 Run list-role-policies command (OSX/Linux/UNIX) using your IAM role identifier to list the names of the inline permissions policies for the selected role (managed policies attached to the role are not included; list them with list-attached-role-policies and read their documents with get-policy-version):

aws iam list-role-policies \
    --role-name ec2-manager

04 The command output should return the policy name attached to the IAM role:

{
   "PolicyNames": [
      "ec2-admin-custom-policy"
   ]
}

05 Run get-role-policy command (OSX/Linux/UNIX) to describe the policy document (JSON format) attached to the selected IAM role:

aws iam get-role-policy \
    --role-name ec2-manager \
    --policy-name ec2-admin-custom-policy

06 The command output should return the IAM role policy metadata, including the policy document:

{
  "RoleName": "ec2-manager",
  "PolicyDocument": {
      "Statement": [
          {
              "Action": "*",
              "Effect": "Allow",
              "Resource": "*",
              "Sid": "ID-155"
          }
      ]
  },
  "PolicyName": "ec2-admin-custom-policy"
}

If the Action element value for the returned policy document is set to "*" (as shown in the example above), any principal that assumes the role can perform every action on the AWS resource(s) defined within the policy statement (here also "*", i.e. every resource), therefore the IAM policy used for the role is too permissive.

Case B: To determine if your AWS IAM role policies give access to all IAM actions (i.e. "iam:*"), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to examine.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

07 In the Show Policy dialog box, identify the Action element and its current value. If the element value is set to "iam:*", all IAM service actions can be performed by the AWS resource(s) defined within the policy statement (i.e. full access to IAM), therefore the role policy is too permissive.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM roles created within your AWS account:

aws iam list-roles \
    --output table \
    --query 'Roles[*].RoleName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListRoles            |
+----------------------------------+
|  ec2-admin-role                  |
|  redshift-cluster-manager        |
+----------------------------------+

03 Run list-role-policies command (OSX/Linux/UNIX) using your IAM role identifier to list the names of the permissions policies for the selected role:

aws iam list-role-policies \
    --role-name ec2-admin-role

04 The command output should return the policy name attached to the IAM role:

{
   "PolicyNames": [
      "ec2-role-access-policy"
   ]
}

05 Run get-role-policy command (OSX/Linux/UNIX) using custom query filters to describe the policy document attached to the selected AWS IAM role:

aws iam get-role-policy \
    --role-name ec2-admin-role \
    --policy-name ec2-role-access-policy \
    --query 'PolicyDocument'

06 The command output should return the IAM role policy document currently attached:

{
    "Statement": [
        {
            "Action": "iam:*",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "ID-045"
        }
    ]
}

If the Action element value for the returned policy document is set to "iam:*" (as shown in the example above), the policy provides full access to IAM, which includes the ability to create users, keys and policies and therefore to escalate to any other privilege in the account; the policy attached to the selected role is too permissive.

Case C: To determine if your AWS IAM role policies allow "sts:AssumeRole" from anyone, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to examine.

05 On the IAM role configuration page, select the Trust Relationships tab from the bottom panel.

06 Click the Edit Trust Relationship button to open the attached trust policy.

07 On the Edit Trust Relationship page, identify the Action and Principal elements and their current values. If the Action element value is set to "sts:AssumeRole" and the Principal element value is set to { "AWS": "*" }, any IAM principal in any AWS account can assume the role, therefore the Trusted Entities policy attached to the selected IAM role is too permissive.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM roles created within your AWS account:

aws iam list-roles \
    --output table \
    --query 'Roles[*].RoleName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListRoles            |
+----------------------------------+
|  ec2-webapp-role                 |
|  CloudTrail_CloudWatchLogs_Role  |
+----------------------------------+

03 Run get-role command (OSX/Linux/UNIX) using your IAM role name as identifier and a custom query filter to describe the Trusted Entities policy attached to the selected role:

aws iam get-role \
    --role-name ec2-webapp-role \
    --query 'Role.AssumeRolePolicyDocument'

04 The command output should return the policy document requested:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

If the Action element value is set to "sts:AssumeRole" and the Principal element value is set to { "AWS": "*" } (as shown in the example above), any IAM principal in any AWS account is a trusted entity that can assume the role, therefore the Trusted Entities policy attached to the selected IAM role is too permissive.

Case D: To determine if your AWS IAM role policies allow passing any role to EC2 instances using the "iam:PassRole" action, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to examine.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

07 In the Show Policy dialog box, identify the Action element and its current value. If the element value contains "iam:PassRole" and the Resource element value ends with a wildcard character (*), the policy allows the role to pass any role matched by the Resource ARN to an EC2 instance, including roles with broader permissions than its own, therefore the AWS IAM policy is too permissive.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM roles created within your AWS account:

aws iam list-roles \
    --output table \
    --query 'Roles[*].RoleName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListRoles            |
+----------------------------------+
|  ec2-webapp-manager              |
|  redshift-data-manager           |
+----------------------------------+

03 Run list-role-policies command (OSX/Linux/UNIX) using your IAM role identifier to list the names of the permissions policies for the selected role:

aws iam list-role-policies \
    --role-name ec2-webapp-manager

04 The command output should return the policy name attached to the IAM role:

{
   "PolicyNames": [
      "ec2-webapp-manager-policy"
   ]
}

05 Run get-role-policy command (OSX/Linux/UNIX) using custom query filters to describe the policy document attached to the selected AWS IAM role:

aws iam get-role-policy \
    --role-name ec2-webapp-manager \
    --policy-name ec2-webapp-manager-policy \
    --query 'PolicyDocument'

06 The command output should return the IAM role policy document currently attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ec2:*"
      ],
      "Resource": "arn:aws:iam::123456789012:role/*"
    }
  ]
}

If the Action element value for the returned policy document contains "iam:PassRole" and the Resource element value ends with a wildcard character (as shown in the example above, where "arn:aws:iam::123456789012:role/*" matches every role in the account), the IAM role can pass any role to an EC2 instance; combined with the "ec2:*" permission in the same statement, it can launch an instance carrying a role more privileged than itself, therefore the IAM policy is too permissive.

Case E: "NotAction" policy elements combined with "Effect": "Allow" blocks often provide more privilege than is desired. To determine if your AWS IAM role policies contain "NotAction" elements, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to examine.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

07 In the Show Policy dialog box, identify any NotAction elements defined within the policy document. A NotAction element in an "Effect": "Allow" statement grants every action except the ones listed, including actions of services that did not exist when the policy was written; if the permissions policy has such elements, the IAM policy attached to the selected role is too permissive.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM roles created within your AWS account:

aws iam list-roles \
    --output table \
    --query 'Roles[*].RoleName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListRoles            |
+----------------------------------+
|  ec2-appserver-manager           |
|  redshift-data-manager           |
+----------------------------------+

03 Run list-role-policies command (OSX/Linux/UNIX) using your IAM role identifier to list the names of the permissions policies for the selected role:

aws iam list-role-policies \
    --role-name ec2-appserver-manager

04 The command output should return the policy name attached to the IAM role:

{
   "PolicyNames": [
      "ec2-appserver-policy"
   ]
}

05 Run get-role-policy command (OSX/Linux/UNIX) using custom query filters to describe the policy document attached to the selected AWS IAM role:

aws iam get-role-policy \
    --role-name ec2-appserver-manager \
    --policy-name ec2-appserver-policy \
    --query 'PolicyDocument'

06 The command output should return the IAM role policy document currently attached:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "NotAction": [
      "sqs:CreateQueue",
      "sqs:DeleteQueue"
    ],
    "Resource": "*"
  }
}

If the policy document returned at the previous step contains NotAction elements in combination with "Effect": "Allow" blocks (as shown in the example above, which allows every action on every resource except creating and deleting SQS queues), the verified IAM role policy is too permissive.
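As an added example (not Cloud Conformity's or AWS's code), the following Python script applies the five checks from Cases A to E to policy documents offline. It accepts the JSON that the get-role-policy and get-role commands above print, and so that it runs without an AWS account it embeds constructed sample documents mirroring the Audit cases; the names in SAMPLES are the ones used in the steps above and are not real roles. Case D is matched with IAM's wildcard semantics, so a statement allowing "*" or "iam:*" on a wildcard resource is also reported as PassRole exposure, which the step-by-step checks above leave implicit.

```python
"""Offline checker for the over-permissive patterns of Cases A-E.
Added example; not Cloud Conformity's or AWS's code. Reads the JSON that
`aws iam get-role-policy --query PolicyDocument` (or, with --trust,
`aws iam get-role --query Role.AssumeRolePolicyDocument`) prints."""
import fnmatch
import json
import sys


def _as_list(value):
    """Action, Resource and Principal.AWS may each be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and honours '*' and '?'."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def _resource_is_wildcard(resources):
    """'*' alone, or an ARN whose resource part ends in '*' (e.g. role/*)."""
    return any(r.endswith("*") for r in resources)


def audit_permissions_policy(doc):
    """Return finding codes for a role's permissions (identity) policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement never adds privilege
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append("A:all-actions")
        if any(a.lower() == "iam:*" for a in actions):
            findings.append("B:all-iam-actions")
        # Case D uses wildcard matching, so "*" and "iam:*" on a wildcard
        # resource are reported as PassRole exposure as well.
        if _action_matches(actions, "iam:PassRole") and _resource_is_wildcard(resources):
            findings.append("D:passrole-any-role")
        if "NotAction" in stmt:
            findings.append("E:notaction-with-allow")
    return findings


def audit_trust_policy(doc):
    """Return finding codes for a role's trust (AssumeRole) policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(_as_list(stmt.get("Action")), "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal")
        # Principal is either the bare string "*" or {"AWS": "*" | [...]}.
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = []
        if "*" in aws_principals:
            # A Condition (e.g. on aws:PrincipalOrgID) can narrow the wildcard;
            # report it under its own code so it gets a manual look, not a pass.
            suffix = "-conditioned" if "Condition" in stmt else ""
            findings.append("C:assumerole-from-anyone" + suffix)
    return findings


# Constructed sample documents mirroring the Audit cases above (not real roles).
SAMPLES = {
    "ec2-admin-custom-policy": {"Statement": [
        {"Sid": "ID-155", "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ec2-role-access-policy": {"Statement": [
        {"Sid": "ID-045", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
    "ec2-webapp-manager-policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:*"],
         "Resource": "arn:aws:iam::123456789012:role/*"}]},
    "ec2-appserver-policy": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "NotAction": ["sqs:CreateQueue", "sqs:DeleteQueue"],
         "Resource": "*"}},
    "least-privilege": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}]},
}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":  # usage: python3 check_role_policy.py [--trust] < policy.json
    _doc = json.load(sys.stdin)
    _found = audit_trust_policy(_doc) if "--trust" in sys.argv else audit_permissions_policy(_doc)
    print("\n".join(_found) or "no findings")
    sys.exit(1 if _found else 0)
```

Pipe a document in, for example aws iam get-role-policy --role-name ec2-manager --policy-name ec2-admin-custom-policy --query PolicyDocument | python3 check_role_policy.py, and add --trust for the output of get-role --query Role.AssumeRolePolicyDocument. The exit status is 1 whenever something is flagged, so the script can gate a CI job.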

Remediation / Resolution

Case A: To update the IAM role policies that allow all actions (i.e. "*") in order to implement the principle of least privilege, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to reconfigure.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click on the policy name (link) to open the attached IAM policy for editing.

07 On the Policy Details page, select the Policy Document tab and click the Edit button to enter in the edit mode.

08 Update the selected policy by replacing the Action element value (i.e. "*") with specific action names based on your requirements.

09 Click Validate Policy to validate the changes.

10 Click the Save button to apply the policy changes.

Using AWS CLI

01 First, define your new IAM access policy, replacing the Action element value "*" with the specific service actions your role requires, and save it as a JSON document (e.g. new-iam-access-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build custom access policies for your IAM roles. The following example contains a role policy document that allows viewing EC2 instance, AMI and snapshot metadata:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "ec2:DescribeInstances", 
          "ec2:DescribeImages",
          "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    }
  ]
}

02 Depending on whether the policy attached to your role is an IAM managed policy or an inline policy, run one of the following commands:

  1. If the policy is a managed policy, run create-policy-version command (OSX/Linux/UNIX) using the policy document created at the previous step to create a new version of the managed policy and make it the default. A managed policy can hold at most five versions, so if that limit has been reached delete an old, non-default version with delete-policy-version first:

    aws iam create-policy-version \
        --policy-arn arn:aws:iam::123456789012:policy/ec2-admin-custom-policy \
        --policy-document file://new-iam-access-policy.json \
        --set-as-default

  2. If the policy is an inline policy, run put-role-policy command (OSX/Linux/UNIX) using the policy document created at step no. 1 and the name of the role that you want to reconfigure (see the Audit section, Case A, to identify the right resource). Reuse the name of the audited inline policy so that the permissive document is overwritten; a different --policy-name adds a second inline policy and leaves the original in place (alternatively, remove the old one with delete-role-policy):

    aws iam put-role-policy \
        --role-name ec2-manager \
        --policy-name ec2-admin-custom-policy \
        --policy-document file://new-iam-access-policy.json

Case B: To update the IAM role policies that allow all IAM actions (i.e. "iam:*") in order to implement the principle of least privilege, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to reconfigure.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click on the policy name (link) to open the attached IAM policy for editing.

07 On the Policy Details page, select the Policy Document tab and click the Edit button to enter in the edit mode.

08 Update the selected policy by replacing the Action element value (i.e. "iam:*" – full IAM access) with specific IAM service actions, based on the access plan that you want to achieve for the selected role.

09 Click Validate Policy to validate the changes.

10 Click the Save button to apply the policy changes.

Using AWS CLI

01 Define your new IAM access policy, replacing the Action element value "iam:*" with the specific IAM actions your role requires, and save it as a JSON document (e.g. new-iam-access-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build custom access policies for your IAM roles. The following example contains a role policy document that allows only retrieving the SSH public key used to authenticate to an AWS CodeCommit repository:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:GetSSHPublicKey"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

02 Depending on whether the policy attached to your role is an IAM managed policy or an inline policy, run one of the following commands:

  1. If the policy is a managed policy, run create-policy-version command (OSX/Linux/UNIX) using the policy document created at the previous step to create a new version of the managed policy and make it the default (delete an old, non-default version first if the policy already has five versions):

    aws iam create-policy-version \
        --policy-arn arn:aws:iam::123456789012:policy/ec2-role-access-policy \
        --policy-document file://new-iam-access-policy.json \
        --set-as-default

  2. If the policy is an inline policy, run put-role-policy command (OSX/Linux/UNIX) using the policy document created at step no. 1 and the name of the selected role (see the Audit section, Case B, to identify the right resource). Reuse the audited policy name so that the permissive document is overwritten rather than left beside the new one:

    aws iam put-role-policy \
        --role-name ec2-admin-role \
        --policy-name ec2-role-access-policy \
        --policy-document file://new-iam-access-policy.json

Case C: To update the Trusted Entities policies for your IAM roles in order to implement the principle of least privilege, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to reconfigure.

05 On the IAM role configuration page, select the Trust Relationships tab from the bottom panel.

06 Click the Edit Trust Relationship button to open the attached trust policy.

07 On the Edit Trust Relationship page, replace the Principal element value with the specific trusted entity that needs to assume the role, for example the EC2 service ("Service": "ec2.amazonaws.com") or the ARN of a specific account, user or role.

08 Click Update Trust Policy to apply the policy changes.

Using AWS CLI

01 Define your new trust policy and replace the Principal element current value with an AWS trusted entity that can assume the role, then save the policy in a JSON document (e.g. new-trust-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build custom trust policies for your IAM roles. The following example describes a Trusted Entities policy that allows only the EC2 service to assume the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run update-assume-role-policy (OSX/Linux/UNIX) using the trust policy document created at the previous step and the name of the IAM role that you want to reconfigure (the command does not produce an output):

aws iam update-assume-role-policy \
    --role-name ec2-webapp-role \
    --policy-document file://new-trust-policy.json

Case D: To update the IAM role policies that allow passing any role to EC2 instances using the "iam:PassRole" action, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to reconfigure.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click on the policy name (link) to open the attached IAM policy for editing.

07 On the Policy Details page, select the Policy Document tab and click the Edit button to enter in the edit mode.

08 Update the selected policy by replacing the wildcard character (*) at the end of the resource ARN (e.g. "arn:aws:iam::123456789012:role/*") with a specific role name in order to limit this permission to a certain IAM role.

09 Click Validate Policy to validate the changes.

10 Click the Save button to apply the policy changes.

Using AWS CLI

01 Define your new IAM access policy, replacing the wildcard character (*) within the resource ARN with a specific IAM role name (e.g. ec2-update-webapp), then save the policy document (JSON format) within a file named new-iam-access-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/ec2-update-webapp"
    }
  ]
}

02 Depending on whether the policy attached to your role is an IAM managed policy or an inline policy, run one of the following commands:

  1. If the policy is a managed policy, run create-policy-version command (OSX/Linux/UNIX) using the policy document created at the previous step to create a new version of the managed policy and make it the default (delete an old, non-default version first if the policy already has five versions):

    aws iam create-policy-version \
        --policy-arn arn:aws:iam::123456789012:policy/ec2-webapp-manager-policy \
        --policy-document file://new-iam-access-policy.json \
        --set-as-default

  2. If the policy is an inline policy, run put-role-policy command (OSX/Linux/UNIX) using the policy document created at step no. 1 and the name of the selected role (see the Audit section, Case D, to identify the right resource). Reuse the audited policy name so that the permissive document is overwritten rather than left beside the new one:

    aws iam put-role-policy \
        --role-name ec2-webapp-manager \
        --policy-name ec2-webapp-manager-policy \
        --policy-document file://new-iam-access-policy.json

Case E: To update the IAM role policies that combine "NotAction" policy elements with "Effect": "Allow" blocks, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the IAM role that you want to reconfigure.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click on the policy name (link) to open the attached IAM policy for editing.

07 On the Policy Details page, select the Policy Document tab and click the Edit button to enter in the edit mode.

08 Update the selected access policy by replacing the NotAction element with an Action element that lists only the action(s) the role needs to perform on the AWS resource(s) defined within the Resource block.

09 Click Validate Policy to validate the changes.

10 Click the Save button to apply the policy changes.

Using AWS CLI

01 First, define your new IAM access policy, replacing the NotAction element with an Action element that lists only the required service action(s), then save the policy in a JSON document (e.g. new-iam-access-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build custom access policies for your IAM roles. The following example describes an IAM role policy that allows sending and receiving messages to and from any SQS queue:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
} 

02 Depending on whether the policy attached to your role is an IAM managed policy or an inline policy, run one of the following commands:

  1. If the policy is a managed policy, run create-policy-version command (OSX/Linux/UNIX) using the policy document created at the previous step to create a new version of the managed policy and make it the default (delete an old, non-default version first if the policy already has five versions):

    aws iam create-policy-version \
        --policy-arn arn:aws:iam::123456789012:policy/ec2-appserver-policy \
        --policy-document file://new-iam-access-policy.json \
        --set-as-default

  2. If the policy is an inline policy, run put-role-policy command (OSX/Linux/UNIX) using the policy document created at step no. 1 and the name of the selected role (see the Audit section, Case E, to identify the right resource). Reuse the audited policy name so that the permissive document is overwritten rather than left beside the new one:

    aws iam put-role-policy \
        --role-name ec2-appserver-manager \
        --policy-name ec2-appserver-policy \
        --policy-document file://new-iam-access-policy.json
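As an added example (not Cloud Conformity's or AWS's code), the following Python function performs the remediation step shared by Cases A, B, D and E against a boto3 IAM client: it overwrites an inline policy under its existing name, and for a managed policy it makes room under the five-version limit before publishing the new document as the default version. The RecordingIAM class is a constructed offline stand-in for the boto3 client so that demo() runs without credentials; a real run assumes boto3 is installed and that the role name, policy name and file path given on the command line exist.

```python
"""Replace a role's permissive permissions policy with a least-privilege one.
Added example, not Cloud Conformity's or AWS's code. Covers the two pitfalls
of the CLI steps above: put-role-policy only replaces an inline policy when
it reuses the audited PolicyName, and a managed policy may hold at most five
versions, so the oldest non-default version is deleted before the new one is
created and set as default."""
import json


def _attached_policy_arn(iam, role_name, policy_name):
    """ARN of the managed policy with this name attached to the role, or None."""
    for p in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        if p["PolicyName"] == policy_name:
            return p["PolicyArn"]
    return None


def replace_role_policy(iam, role_name, policy_name, new_doc):
    """Overwrite the named inline or attached managed policy with new_doc.
    Returns a short string describing which path was taken."""
    body = json.dumps(new_doc)
    if policy_name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        # Same PolicyName: the permissive inline document is overwritten
        # instead of a second, stricter policy being added beside it.
        iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                            PolicyDocument=body)
        return f"inline:{policy_name}"
    arn = _attached_policy_arn(iam, role_name, policy_name)
    if arn is None:
        raise LookupError(f"{policy_name} is neither inline nor attached to {role_name}")
    versions = iam.list_policy_versions(PolicyArn=arn)["Versions"]
    if len(versions) >= 5:  # IAM allows five versions per managed policy
        oldest = min((v for v in versions if not v["IsDefaultVersion"]),
                     key=lambda v: v["CreateDate"])
        iam.delete_policy_version(PolicyArn=arn, VersionId=oldest["VersionId"])
    resp = iam.create_policy_version(PolicyArn=arn, PolicyDocument=body,
                                     SetAsDefault=True)
    return f"managed:{arn}:{resp['PolicyVersion']['VersionId']}"


class RecordingIAM:
    """Constructed offline stand-in for boto3's IAM client; records the calls
    made. State: one inline policy and one attached managed policy that is
    already at the five-version limit (v5 is the default)."""

    def __init__(self):
        self.calls = []
        self.inline = ["ec2-admin-custom-policy"]
        self.attached = [{"PolicyName": "ec2-appserver-policy",
                          "PolicyArn": "arn:aws:iam::123456789012:policy/ec2-appserver-policy"}]
        self.versions = [{"VersionId": f"v{i}", "IsDefaultVersion": i == 5,
                          "CreateDate": i} for i in range(1, 6)]
        self.next_id = 6

    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.inline)}

    def put_role_policy(self, **kw):
        self.calls.append(("put_role_policy", kw["PolicyName"]))

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": self.attached}

    def list_policy_versions(self, PolicyArn):
        return {"Versions": list(self.versions)}

    def delete_policy_version(self, PolicyArn, VersionId):
        self.calls.append(("delete_policy_version", VersionId))
        self.versions = [v for v in self.versions if v["VersionId"] != VersionId]

    def create_policy_version(self, **kw):
        self.calls.append(("create_policy_version", kw["SetAsDefault"]))
        vid = f"v{self.next_id}"
        self.next_id += 1
        return {"PolicyVersion": {"VersionId": vid}}


# The least-privilege document from Case A above.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeSnapshots"],
    "Resource": "*"}]}


def demo():
    """Exercise both paths against the recorder; returns (inline, managed, calls)."""
    iam = RecordingIAM()
    inline = replace_role_policy(iam, "ec2-manager", "ec2-admin-custom-policy", LEAST_PRIVILEGE)
    managed = replace_role_policy(iam, "ec2-appserver-manager", "ec2-appserver-policy",
                                  LEAST_PRIVILEGE)
    return inline, managed, iam.calls


if __name__ == "__main__":
    # Real run: python3 fix_role_policy.py ROLE_NAME POLICY_NAME new-iam-access-policy.json
    import sys
    import boto3  # assumed installed and configured with IAM write permissions
    with open(sys.argv[3]) as fh:
        print(replace_role_policy(boto3.client("iam"), sys.argv[1], sys.argv[2], json.load(fh)))
```

The managed-policy path deletes the oldest non-default version rather than the oldest overall because IAM refuses to delete the default version; if you need to roll back, set-default-policy-version on a retained version is the counterpart.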
    

Publication date Feb 6, 2017