
IAM Master and IAM Manager Roles

Security

Risk level: High (act today)

Ensure that IAM administration and permission management within your AWS account are divided between two roles: IAM Master and IAM Manager. The IAM Master role creates and deletes IAM users, groups, roles and policies; the IAM Manager role attaches and detaches permissions policies on existing users, groups and roles and manages group membership. Neither role is allowed to perform the other role's actions.

Since AWS IAM is the main point of control over access to every service in an AWS account, the best practice is to avoid giving a single user full control over IAM. The goal of this conformity rule is to make the IAM Master and IAM Manager roles work together as a two-person rule: granting an identity access requires the Master to create it and the Manager to bind it to permissions, so one compromised or malicious administrator cannot do both. Note that the split is a guardrail rather than a hard boundary: with Resource "*", the Master can still grant a role arbitrary permissions through iam:PutRolePolicy and iam:AttachRolePolicy, and the Manager can write an arbitrary inline policy for an existing user through iam:PutUserPolicy. Keep membership of both roles small, and review it.

Audit

To search for IAM Master and IAM Manager roles within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Roles.

04 Click on the AWS IAM role that you want to examine.

05 On the IAM role configuration page, select the Permissions tab from the bottom panel.

06 Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

07 To determine whether the selected role is an IAM Master or an IAM Manager role, analyze the policy as follows:

  1. To identify the IAM Master role:
    • Within the Show Policy window, search for the following set of Actions with an Allow effect:
      • iam:AttachRolePolicy
      • iam:CreateGroup
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateUser
      • iam:DeleteGroup
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DeleteUser
      • iam:PutRolePolicy
      • iam:GetPolicy
      • iam:GetPolicyVersion
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:GetUser
      • iam:GetUserPolicy
      • iam:ListEntitiesForPolicy
      • iam:ListGroupPolicies
      • iam:ListGroups
      • iam:ListGroupsForUser
      • iam:ListPolicies
      • iam:ListPoliciesGrantingServiceAccess
      • iam:ListPolicyVersions
      • iam:ListRolePolicies
      • iam:ListAttachedGroupPolicies
      • iam:ListAttachedRolePolicies
      • iam:ListAttachedUserPolicies
      • iam:ListRoles
      • iam:ListUsers
    • And for the following set of Actions with a Deny effect:
      • iam:AddUserToGroup
      • iam:AttachGroupPolicy
      • iam:DeleteGroupPolicy
      • iam:DeleteUserPolicy
      • iam:DetachGroupPolicy
      • iam:DetachRolePolicy
      • iam:DetachUserPolicy
      • iam:PutGroupPolicy
      • iam:PutUserPolicy
      • iam:RemoveUserFromGroup
      • iam:UpdateGroup
      • iam:UpdateAssumeRolePolicy
      • iam:UpdateUser
  2. To identify the IAM Manager role:
    • Within the Show Policy window, search for the following set of Actions with an Allow effect:
      • iam:AddUserToGroup
      • iam:AttachGroupPolicy
      • iam:DeleteGroupPolicy
      • iam:DeleteUserPolicy
      • iam:DetachGroupPolicy
      • iam:DetachRolePolicy
      • iam:DetachUserPolicy
      • iam:PutGroupPolicy
      • iam:PutUserPolicy
      • iam:RemoveUserFromGroup
      • iam:UpdateGroup
      • iam:UpdateAssumeRolePolicy
      • iam:UpdateUser
      • iam:GetPolicy
      • iam:GetPolicyVersion
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:GetUser
      • iam:GetUserPolicy
      • iam:ListEntitiesForPolicy
      • iam:ListGroupPolicies
      • iam:ListGroups
      • iam:ListGroupsForUser
      • iam:ListPolicies
      • iam:ListPoliciesGrantingServiceAccess
      • iam:ListPolicyVersions
      • iam:ListRolePolicies
      • iam:ListAttachedGroupPolicies
      • iam:ListAttachedRolePolicies
      • iam:ListAttachedUserPolicies
      • iam:ListRoles
      • iam:ListUsers
    • And for the following set of Actions with a Deny effect:
      • iam:AttachRolePolicy
      • iam:CreateGroup
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateUser
      • iam:DeleteGroup
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DeleteUser
      • iam:PutRolePolicy

08 If the previous step identified the role as an IAM Master or IAM Manager, confirm that the role is actually usable by checking who can assume it: its trust policy (Trusted Entities) must allow at least one IAM user or group to assume it. To analyze the trust policy, perform the following:

  1. On the selected IAM role configuration page, select the Trust Relationships tab from the bottom panel.
  2. Click the Edit Trust Relationship button to open the attached trust policy.
  3. On the Edit Trust Relationship page, identify the Principal element, which indicates the service, user or role that is able to assume the selected role. IAM groups cannot be named as principals: when the Principal is the account root (arn:aws:iam::<account-id>:root), any user or group in the account that holds an sts:AssumeRole permission for this role's ARN can assume it, so check the candidate groups' permissions policies and their members as well. To match the rule criteria, make sure that no existing user or group is able to assume both the IAM Master and the IAM Manager role.

09 If the conditions outlined at steps no. 7 and 8 were not met, the selected AWS IAM role does not qualify for the role of IAM Master or IAM Manager.

10 Repeat steps no. 4 – 9 for the other IAM roles in your account to identify the IAM Master and IAM Manager roles required by the two-person administration model outlined in this conformity rule.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM roles created within your AWS account:

aws iam list-roles
	--output table
	--query 'Roles[*].RoleName'

02 The command output should return a table with the requested identifiers:

------------------------------------
|             ListRoles            |
+----------------------------------+
|  iam-allaccess                   |
|  elasticsearch-manager           |
|  ...                             |
|  CloudTrail_CloudWatchLogs_Role  |
+----------------------------------+

03 Run list-role-policies command (OSX/Linux/UNIX) using your IAM role identifier to list the names of the inline permissions policies for the selected role (this command returns inline policies only; run list-attached-role-policies to list the managed policies attached to the role and examine those too):

aws iam list-role-policies
	--role-name iam-allaccess

04 The command output should return the policy name attached to the IAM role:

{
   "PolicyNames": [
      "iam-allaccess-custom-policy"
   ]
}

05 Run get-role-policy command (OSX/Linux/UNIX) to describe the policy document (JSON format) attached to the selected IAM role:

aws iam get-role-policy
	--role-name iam-allaccess
	--policy-name iam-allaccess-custom-policy
	--query 'PolicyDocument'

06 The command output should return the requested IAM role policy document, e.g:

{
   "Statement": [
       {
           "Action": "iam:*",
           "Effect": "Allow",
           "Resource": "*",
           "Sid": "ID-078"
       }
   ]
}

07 To determine whether the selected role is an IAM Master or an IAM Manager role, analyze the policy document returned at the previous step (together with any managed policies attached to the role) as follows:

  1. To identify the IAM Master role:
    • Within the policy document, search for the following set of Actions with an Allow effect:
      • iam:AttachRolePolicy
      • iam:CreateGroup
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateUser
      • iam:DeleteGroup
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DeleteUser
      • iam:PutRolePolicy
      • iam:GetPolicy
      • iam:GetPolicyVersion
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:GetUser
      • iam:GetUserPolicy
      • iam:ListEntitiesForPolicy
      • iam:ListGroupPolicies
      • iam:ListGroups
      • iam:ListGroupsForUser
      • iam:ListPolicies
      • iam:ListPoliciesGrantingServiceAccess
      • iam:ListPolicyVersions
      • iam:ListRolePolicies
      • iam:ListAttachedGroupPolicies
      • iam:ListAttachedRolePolicies
      • iam:ListAttachedUserPolicies
      • iam:ListRoles
      • iam:ListUsers
    • And for the following set of Actions with a Deny effect:
      • iam:AddUserToGroup
      • iam:AttachGroupPolicy
      • iam:DeleteGroupPolicy
      • iam:DeleteUserPolicy
      • iam:DetachGroupPolicy
      • iam:DetachRolePolicy
      • iam:DetachUserPolicy
      • iam:PutGroupPolicy
      • iam:PutUserPolicy
      • iam:RemoveUserFromGroup
      • iam:UpdateGroup
      • iam:UpdateAssumeRolePolicy
      • iam:UpdateUser
  2. To identify the IAM Manager role:
    • Within the policy document, search for the following set of Actions with an Allow effect:
      • iam:AddUserToGroup
      • iam:AttachGroupPolicy
      • iam:DeleteGroupPolicy
      • iam:DeleteUserPolicy
      • iam:DetachGroupPolicy
      • iam:DetachRolePolicy
      • iam:DetachUserPolicy
      • iam:PutGroupPolicy
      • iam:PutUserPolicy
      • iam:RemoveUserFromGroup
      • iam:UpdateGroup
      • iam:UpdateAssumeRolePolicy
      • iam:UpdateUser
      • iam:GetPolicy
      • iam:GetPolicyVersion
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:GetUser
      • iam:GetUserPolicy
      • iam:ListEntitiesForPolicy
      • iam:ListGroupPolicies
      • iam:ListGroups
      • iam:ListGroupsForUser
      • iam:ListPolicies
      • iam:ListPoliciesGrantingServiceAccess
      • iam:ListPolicyVersions
      • iam:ListRolePolicies
      • iam:ListAttachedGroupPolicies
      • iam:ListAttachedRolePolicies
      • iam:ListAttachedUserPolicies
      • iam:ListRoles
      • iam:ListUsers
    • And for the following set of Actions with a Deny effect:
      • iam:AttachRolePolicy
      • iam:CreateGroup
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateUser
      • iam:DeleteGroup
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DeleteUser
      • iam:PutRolePolicy

08 If the previous step identified the role as an IAM Master or IAM Manager, confirm that the role can actually be assumed by at least one IAM user or group. Run get-role command (OSX/Linux/UNIX) using the role name as identifier to return the trust policy (Trusted Entities) attached to the selected IAM role:

aws iam get-role
	--role-name iam-allaccess
	--query 'Role.AssumeRolePolicyDocument'

09 The command output should return the requested Trusted Entities policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            }
        }
    ]
}

Identify the Principal element within the policy returned at the previous step; it indicates the service, user or role that is able to assume the selected role. IAM groups cannot be named as principals: when the Principal is the account root, any user or group holding an sts:AssumeRole permission for the role's ARN can assume it, so also run list-group-policies and get-group-policy for the candidate groups and get-group to list their members. To match the rule criteria, make sure that no existing user or group is able to assume both the IAM Master and the IAM Manager role.

10 If the conditions outlined at steps no. 7 – 9 were not met, the selected AWS IAM role does not qualify for the role of IAM Master or IAM Manager.

11 Repeat steps no. 3 – 10 for the other IAM roles in your account to identify the IAM Master and IAM Manager roles required by the two-person configuration outlined in this conformity rule.
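Steps 07 and 08 are a mechanical comparison that is easy to get wrong by hand, particularly when a policy uses wildcards or several policies are attached to the same role. The following Python is an example added to this page, not Cloud Conformity code: it applies the same two checks to policy documents of the shape returned by get-role-policy and get-role. It classifies each role by its Allow and Deny sets (treating "iam:*" as matching every listed action, and rejecting a role that denies something it must allow, since an explicit Deny always wins in IAM, a check the page's literal list comparison does not make), then lists users who can assume both roles by following an account-root trust policy through group policies and group memberships. The account ID and the role, group and user names are constructed.

```python
"""Audit steps 07 and 08 as code: classify a role's IAM policies as IAM Master, IAM Manager
or neither, then list users who can assume both roles. Added example, not Cloud Conformity
code; account ID, role, group and user names are constructed. Wildcard expansion and the
"must not Deny what it must Allow" check go beyond the page's literal list comparison."""
import fnmatch

READ_ONLY = {
    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser",
    "iam:GetUserPolicy", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups",
    "iam:ListGroupsForUser", "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess",
    "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies",
    "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"}
MASTER_WRITE = {  # lifecycle of identities and policies: Master only
    "iam:AttachRolePolicy", "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:CreateRole", "iam:CreateUser", "iam:DeleteGroup", "iam:DeletePolicy",
    "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
    "iam:PutRolePolicy"}
MANAGER_WRITE = {  # binding existing identities to permissions: Manager only
    "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
    "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy",
    "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy",
    "iam:UpdateUser"}
PROFILES = {  # name -> (actions that must be Allowed, actions that must be Denied)
    "IAM Master": (READ_ONLY | MASTER_WRITE, MANAGER_WRITE),
    "IAM Manager": (READ_ONLY | MANAGER_WRITE, MASTER_WRITE)}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def actions_by_effect(policy_docs):
    """Expand Action patterns such as "iam:*" against the actions the rule cares about and
    bucket them by Effect. Conditions are ignored at this stage."""
    known = READ_ONLY | MASTER_WRITE | MANAGER_WRITE
    out = {"Allow": set(), "Deny": set()}
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            for pattern in _as_list(stmt.get("Action", [])):
                out[stmt["Effect"]].update(a for a in known if fnmatch.fnmatchcase(a, pattern))
    return out

def classify_role(policy_docs):
    """"IAM Master", "IAM Manager" or None: the role must Allow its whole action set, explicitly
    Deny the other role's write actions, and not Deny anything it must Allow (Deny always wins)."""
    effects = actions_by_effect(policy_docs)
    for name, (must_allow, must_deny) in PROFILES.items():
        if (must_allow <= effects["Allow"] and must_deny <= effects["Deny"]
                and not (must_allow & effects["Deny"])):
            return name
    return None

def _grants_assume(doc, role_arn):
    return any(stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"])
               and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"]))
               for stmt in _as_list(doc["Statement"]))

def users_who_can_assume(role_arn, trust_doc, group_policies, memberships):
    """Users able to assume role_arn. A trust policy naming the account root (or "*") delegates
    the decision to sts:AssumeRole grants, so group policies ({group: [doc]}) and memberships
    ({user: [group]}) are consulted; users named directly in the trust policy count as well."""
    users = set()
    for stmt in _as_list(trust_doc["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        for arn in ["*"] if principal == "*" else _as_list(principal.get("AWS", [])):
            if arn == "*" or arn.endswith(":root"):
                users.update(u for u, groups in memberships.items() if any(
                    _grants_assume(d, role_arn) for g in groups for d in group_policies.get(g, [])))
            elif ":user/" in arn:
                users.add(arn.rsplit("/", 1)[1])
    return users

# Constructed sample account mirroring the Remediation section; alice sits in both groups.
ACCOUNT = "123456789012"
MASTER_ARN = f"arn:aws:iam::{ACCOUNT}:role/IAM-Master-Role"
MANAGER_ARN = f"arn:aws:iam::{ACCOUNT}:role/IAM-Manager-Role"
ROOT_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
              "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]}

def _policy(allow, deny):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(allow), "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": sorted(deny), "Resource": "*"}]}

def _assume(role_arn):
    return {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                                                   "Resource": role_arn}}

SAMPLE_ROLES = {"IAM-Master-Role": [_policy(READ_ONLY | MASTER_WRITE, MANAGER_WRITE)],
                "IAM-Manager-Role": [_policy(READ_ONLY | MANAGER_WRITE, MASTER_WRITE)],
                "iam-allaccess": [{"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}]}
SAMPLE_GROUPS = {"IAM-Masters": [_assume(MASTER_ARN)], "IAM-Managers": [_assume(MANAGER_ARN)]}
SAMPLE_MEMBERS = {"alice": ["IAM-Masters", "IAM-Managers"], "bob": ["IAM-Masters"], "carol": ["IAM-Managers"]}

def audit(roles=SAMPLE_ROLES, groups=SAMPLE_GROUPS, members=SAMPLE_MEMBERS):
    """Classify every role and report users who can reach both halves of the two-person rule."""
    masters = users_who_can_assume(MASTER_ARN, ROOT_TRUST, groups, members)
    managers = users_who_can_assume(MANAGER_ARN, ROOT_TRUST, groups, members)
    return {"roles": {name: classify_role(docs) for name, docs in roles.items()},
            "users_with_both_roles": sorted(masters & managers)}
```

On the constructed account, audit() reports IAM-Master-Role and IAM-Manager-Role as the two halves, iam-allaccess as neither (it allows everything but denies nothing), and alice as a user who can assume both roles. To run it against a real account, build the roles, groups and memberships dictionaries from list-roles, get-role-policy, list-attached-role-policies, list-group-policies, get-group-policy and get-group output; the classifier deliberately reads only the policy documents, so it does not need credentials.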

Remediation / Resolution

To create the IAM Master and IAM Manager roles necessary for an efficient IAM administration and permission management within your AWS account, perform the following:

Note: This section documents the AWS CLI procedure only. The roles, policies and groups below can also be created through the AWS Management Console, but those steps are not covered here.

Using AWS CLI

01 First you need to define the permissions policy for each of the two roles, IAM Master and IAM Manager. To define the required policies, perform the following actions:

  1. To create the permissions policy for the AWS IAM Master role, paste the following data into a new JSON policy document named iam-master-policy.json (the Allow statement applies only to sessions authenticated with MFA; the Deny statement blocks the IAM Manager's actions even if another policy grants them):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateGroup",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:CreateRole",
            "iam:CreateUser",
            "iam:DeleteGroup",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DeleteUser",
            "iam:PutRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:GetUser",
            "iam:GetUserPolicy",
            "iam:ListEntitiesForPolicy",
            "iam:ListGroupPolicies",
            "iam:ListGroups",
            "iam:ListGroupsForUser",
            "iam:ListPolicies",
            "iam:ListPoliciesGrantingServiceAccess",
            "iam:ListPolicyVersions",
            "iam:ListRolePolicies",
            "iam:ListAttachedGroupPolicies",
            "iam:ListAttachedRolePolicies",
            "iam:ListAttachedUserPolicies",
            "iam:ListRoles",
            "iam:ListUsers"
          ],
          "Condition": {
            "Bool": {
              "aws:MultiFactorAuthPresent": "true"
            }
          },
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": [
            "iam:AddUserToGroup",
            "iam:AttachGroupPolicy",
            "iam:DeleteGroupPolicy",
            "iam:DeleteUserPolicy",
            "iam:DetachGroupPolicy",
            "iam:DetachRolePolicy",
            "iam:DetachUserPolicy",
            "iam:PutGroupPolicy",
            "iam:PutUserPolicy",
            "iam:RemoveUserFromGroup",
            "iam:UpdateGroup",
            "iam:UpdateAssumeRolePolicy",
            "iam:UpdateUser"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    
  2. To create the permissions policy for the second role, i.e. IAM Manager, paste the following data into a new JSON policy document named iam-manager-policy.json (the Deny statement mirrors the IAM Master's Allow set, so the Manager can never create or delete identities or policies):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:AddUserToGroup",
            "iam:AttachGroupPolicy",
            "iam:DeleteGroupPolicy",
            "iam:DeleteUserPolicy",
            "iam:DetachGroupPolicy",
            "iam:DetachRolePolicy",
            "iam:DetachUserPolicy",
            "iam:PutGroupPolicy",
            "iam:PutUserPolicy",
            "iam:RemoveUserFromGroup",
            "iam:UpdateGroup",
            "iam:UpdateAssumeRolePolicy",
            "iam:UpdateUser",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:GetUser",
            "iam:GetUserPolicy",
            "iam:ListEntitiesForPolicy",
            "iam:ListGroupPolicies",
            "iam:ListGroups",
            "iam:ListGroupsForUser",
            "iam:ListPolicies",
            "iam:ListPoliciesGrantingServiceAccess",
            "iam:ListPolicyVersions",
            "iam:ListRolePolicies",
            "iam:ListAttachedGroupPolicies",
            "iam:ListAttachedRolePolicies",
            "iam:ListAttachedUserPolicies",
            "iam:ListRoles",
            "iam:ListUsers"
          ],
          "Condition": {
            "Bool": {
              "aws:MultiFactorAuthPresent": "true"
            }
          },
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateGroup",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:CreateRole",
            "iam:CreateUser",
            "iam:DeleteGroup",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DeleteUser",
            "iam:PutRolePolicy"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    

02 Now create the trust relationship (Trusted Entities) policy for each role. Both trust policies name the account root as principal, which delegates the decision to IAM permissions: only users and groups that are explicitly granted sts:AssumeRole on the role's ARN (the groups created at step no. 09) will be able to assume the role. To define the required policies, perform the following actions:

  1. To create the trust relationship policy for the IAM Master role, paste the following information into a new policy document named iam-master-trust-policy.json then replace the aws_account_number with your AWS account number:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws_account_number:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  2. To create the trust relationship policy for the IAM Manager role, paste the following information into a new policy document named iam-manager-trust-policy.json and replace the aws_account_number with your AWS account number:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws_account_number:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

03 Run create-role command (OSX/Linux/UNIX) to create the IAM Master role using the trust relationship policy defined at the previous step (i.e. iam-master-trust-policy.json):

aws iam create-role
	--role-name IAM-Master-Role
	--assume-role-policy-document file://iam-master-trust-policy.json

04 The command output should return the new IAM role metadata, e.g:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:root"
                    }
                }
            ]
        },
        "RoleId": "DY0AID6IB715FTI6AMIPM",
        "CreateDate": "2017-05-04T09:06:39.840Z",
        "RoleName": "IAM-Master-Role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/IAM-Master-Role"
    }
}

05 Run put-role-policy command (OSX/Linux/UNIX) to attach the permissions policy defined at step no. 01.1 (iam-master-policy.json) to the IAM Master role as an inline policy (the command does not produce an output):

aws iam put-role-policy
	--role-name IAM-Master-Role
	--policy-name IAM-Master-Role-Policy
	--policy-document file://iam-master-policy.json

06 Run again create-role command (OSX/Linux/UNIX) to create the second role, i.e. IAM Manager role, using the trust relationship policy defined at step no. 02.2 (i.e. iam-manager-trust-policy.json):

aws iam create-role
	--role-name IAM-Manager-Role
	--assume-role-policy-document file://iam-manager-trust-policy.json

07 The command output should return the IAM Manager role metadata:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:root"
                    }
                }
            ]
        },
        "RoleId": "AGDAJU5Q35UZFO6X7Y5PS",
        "CreateDate": "2017-05-04T09:34:05.840Z",
        "RoleName": "IAM-Manager-Role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/IAM-Manager-Role"
    }
}

08 Run put-role-policy command (OSX/Linux/UNIX) to attach the permissions policy defined at step no. 01.2 (iam-manager-policy.json) to the new AWS IAM Manager role as an inline policy (the command does not return an output):

aws iam put-role-policy
	--role-name IAM-Manager-Role
	--policy-name IAM-Manager-Role-Policy
	--policy-document file://iam-manager-policy.json

09 Each role must be assumable by a different IAM group, so that two different people hold the two halves of the permission-granting process. Create the groups, grant each one sts:AssumeRole on its role, and make sure no user is ever a member of both groups:

  1. For the group that will assume the IAM Master role:
    • Run create-group command (OSX/Linux/UNIX) to create the IAM group whose members will be allowed to assume the IAM Master role:
      aws iam create-group
      	--group-name IAM-Masters
      
    • The command output should return the new IAM group metadata, e.g:
      {
          "Group": {
              "Path": "/",
              "CreateDate": "2017-05-04T09:56:55.626Z",
              "GroupId": "DYZAIRLJOAYHSB3M2CPEY",
              "Arn": "arn:aws:iam::123456789012:group/IAM-Masters",
              "GroupName": "IAM-Masters"
          }
      }
      
    • Define the permissions policy that allows members of the new IAM group to assume the IAM Master role, using the ARN of the role returned at step no. 4 as the value for the Resource element, and save it within a policy document named iam-master-group-trust-policy.json:
      {
      	"Version": "2012-10-17",
      	"Statement": {
      		"Effect": "Allow",
      		"Action": "sts:AssumeRole",
      		"Resource": "arn:aws:iam::123456789012:role/IAM-Master-Role"
      	}
      }
      
    • Run put-group-policy command (OSX/Linux/UNIX) to attach the policy created at the previous step to the newly created IAM group, i.e. IAM-Masters (the command does not produce an output):
      aws iam put-group-policy
      	--group-name IAM-Masters
      	--policy-name IAM-Masters-Group-Trust-Policy
      	--policy-document file://iam-master-group-trust-policy.json
      
    • From now on, each user added to the group can assume the IAM Master role with sts assume-role. Because the role's permissions policy requires aws:MultiFactorAuthPresent, the assume-role call should include the user's MFA device (--serial-number and --token-code) so that the role session carries that key; a session assumed without MFA receives the role but none of its Allow permissions.
  2. For the group that will assume the IAM Manager role:
    • Run create-group command (OSX/Linux/UNIX) to create the IAM group whose members will be allowed to assume the IAM Manager role:
      aws iam create-group
      	--group-name IAM-Managers
      
    • The command output should return the new IAM group metadata, e.g:
      {
          "Group": {
              "Path": "/",
              "CreateDate": "2017-05-04T09:59:31.626Z",
              "GroupId": "AGUDIRLJOAYHSB3M2CPTS",
              "Arn": "arn:aws:iam::123456789012:group/IAM-Managers",
              "GroupName": "IAM-Managers"
          }
      }
      
    • Define the permissions policy that allows members of the new IAM group to assume the IAM Manager role, using the ARN of the role returned at step no. 7 as the value for the Resource element, and save it within a policy document named iam-manager-group-trust-policy.json:
      {
      	"Version": "2012-10-17",
      	"Statement": {
      		"Effect": "Allow",
      		"Action": "sts:AssumeRole",
      		"Resource": "arn:aws:iam::123456789012:role/IAM-Manager-Role"
      	}
      }
      
    • Run put-group-policy command (OSX/Linux/UNIX) to attach the policy created at the previous step to the newly created IAM group, i.e. IAM-Managers (the command does not produce an output):
      aws iam put-group-policy
      	--group-name IAM-Managers
      	--policy-name IAM-Managers-Group-Trust-Policy
      	--policy-document file://iam-manager-group-trust-policy.json
      
    • From now on, each user added to the group can assume the IAM Manager role with sts assume-role, again supplying the MFA device so that the session satisfies the aws:MultiFactorAuthPresent condition. Do not add any user to both IAM-Masters and IAM-Managers: that would collapse the two-person rule back into a single administrator.
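Two properties of the policies above are easy to misjudge: the Allow statement applies only to sessions that carry aws:MultiFactorAuthPresent, and the Deny statement removes the other role's actions even if some other policy attached to the same principal allows them. The following Python is an example added here, not AWS or Cloud Conformity code: a minimal evaluator for the policy features this page uses (Action and Resource patterns, Bool conditions, explicit Deny), run over a constructed subset of iam-master-policy.json and the IAM-Masters group policy with a made-up account ID.

```python
"""Tiny IAM policy evaluator to check what the remediation actually grants. Added example,
not AWS or Cloud Conformity code. It models only the policy features used on this page:
Action/Resource patterns, Bool conditions and explicit Deny. The policies below are
constructed subsets of the page's iam-master-policy.json and the IAM-Masters group policy;
the account ID is made up."""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, context):
    """Does this statement apply to the request? A Bool condition whose key is absent from
    the request context (a session established without MFA) does not match."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        if key not in context or str(context[key]).lower() != str(expected).lower():
            return False
    return True

def evaluate(policy_docs, action, resource="*", context=None):
    """IAM evaluation order: any matching explicit Deny wins, otherwise a matching Allow
    grants, otherwise the request is implicitly denied."""
    context = context or {}
    decision = "ImplicitDeny"
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

ACCOUNT = "123456789012"
MASTER_ARN = f"arn:aws:iam::{ACCOUNT}:role/IAM-Master-Role"
MANAGER_ARN = f"arn:aws:iam::{ACCOUNT}:role/IAM-Manager-Role"
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}  # request context of an MFA'd session

MASTER_ROLE_POLICY = {  # subset of iam-master-policy.json (step no. 01.1)
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateUser", "iam:CreateRole", "iam:PutRolePolicy",
                    "iam:ListUsers", "iam:GetUser"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:PutUserPolicy"],
         "Resource": "*"}]}
MASTERS_GROUP_POLICY = {  # iam-master-group-trust-policy.json (step no. 09.1)
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": MASTER_ARN}}
# A later, well-meant policy that tries to let the Master manage group membership too.
EXTRA_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:AddUserToGroup", "Resource": "*"}]}

def remediation_checks():
    """Decisions a practitioner should expect from the remediated setup."""
    master = [MASTER_ROLE_POLICY]
    return {
        # The Allow statement needs MFA: without it the session holds the role but can do nothing.
        "create_user_with_mfa": evaluate(master, "iam:CreateUser", context=MFA_SESSION),
        "create_user_without_mfa": evaluate(master, "iam:CreateUser"),
        # A Manager-only action is explicitly denied to the Master even with MFA...
        "add_user_to_group_with_mfa": evaluate(master, "iam:AddUserToGroup", context=MFA_SESSION),
        # ...and stays denied when another policy allows it, whatever the policy order.
        "add_user_to_group_with_extra_allow": evaluate([EXTRA_ALLOW] + master, "iam:AddUserToGroup",
                                                       context=MFA_SESSION),
        # IAM-Masters members may assume the Master role but not the Manager role.
        "masters_group_assume_master": evaluate([MASTERS_GROUP_POLICY], "sts:AssumeRole", MASTER_ARN),
        "masters_group_assume_manager": evaluate([MASTERS_GROUP_POLICY], "sts:AssumeRole", MANAGER_ARN)}

if __name__ == "__main__":
    for check, decision in remediation_checks().items():
        print(f"{check:38s} {decision}")
```

The evaluator exists to make the reasoning visible; for the real account, aws iam simulate-principal-policy gives the authoritative answer, and the same scenarios (with and without the aws:MultiFactorAuthPresent context key, Master trying a Manager action, a group member assuming each role) are the ones worth simulating before anyone is added to the groups.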


Publication date May 7, 2017