Logo of Trend Micro

Deprecated AWS Managed Policies In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that deprecated AWS IAM managed policies are replaced with new ones, approved by AWS, in order to avoid any potential security risks associated with the deprecated policies. A managed policy marked as deprecated continues to work for all currently attached IAM users, groups and roles, however, it cannot be attached to any new users, groups or roles and if you detach it from the current IAM entity, you cannot reattach it. Cloud Conformity keeps an up-to-date list of all deprecated AWS IAM managed policies to help you with mitigation.

Security

Continuing to use the deprecated AWS managed policy can carry risks that are mitigated only by switching to the replacement policy. If an IAM user, group or role within your AWS account still requires the deprecated managed policy, follow the steps outlined in Remediation/Resolution section to attach the replacement policy instead.

Note: As example, this conformity rule demonstrates how to identify and replace "AmazonElasticTranscoderFullAccess" deprecated policy with a replacement managed policy named "AmazonElasticTranscoder_FullAccess". "AmazonElasticTranscoderFullAccess" managed policy has been marked as deprecated because the policy is potentially granting admin access to self or any other IAM roles, failing to follow the principle of least privilege.

Audit

To determine if there are any deprecated IAM managed policies in use within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Policies.

04 From the Filter policies dropdown menu, in the POLICY TYPE section, select AWS managed option to list only the AWS IAM managed policies available.

05 Scroll down and check the policies list for deprecated AWS managed policies. A deprecated AWS managed policy appears with a warning icon next to it.

06 Click on the name (link) of the managed policy marked as deprecated (in this case AmazonElasticTranscoderFullAccess policy).

07 On the selected policy Summary page, a warning message that highlights the issue should be displayed:

Summary page

08 Select Policy usage tab and verify the Permissions panel to check for IAM entities (i.e. users, roles, groups) associated with the deprecated policy. If the policy is attached to any IAM entities, the selected deprecated AWS managed policy is currently in use and it should be replaced with a new one.

09 Repeat steps no. 3 – 8 to determine if there are other deprecated IAM managed policies available within your AWS account.

Using AWS CLI

01 Run list-policies command (OSX/Linux/UNIX) to list the names of all AWS managed policies attached to IAM entities such as IAM users, groups or roles, available in your AWS account: 

aws iam list-policies
	--scope AWS
	--only-attached
	--output table
	--query 'Policies[*].PolicyName'

02 The command output should return a table with the requested policy names: 

----------------------------------------------
|                ListPolicies                |
+--------------------------------------------+
|  AmazonElasticTranscoderFullAccess         |
|  AWSElasticLoadBalancingServiceRolePolicy  |
|  AWSSupportServiceRolePolicy               |
|  AWSTrustedAdvisorServiceRolePolicy        |
+--------------------------------------------+

If the policies list returned by the list-policies command output contains the policy name AmazonElasticTranscoderFullAccess, the deprecated AWS managed policy identified by the name AmazonElasticTranscoderFullAccess is currently in use in your AWS account and it should be replaced with a new one, approved by AWS.

03 If applicable, repeat step no. 2 to determine if there are other deprecated IAM managed policies available in your AWS account.

Remediation / Resolution

To change the deprecated AWS managed policies with their replacement policies within IAM entities configuration, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Policies.

04 From the Filter policies dropdown menu, in the POLICY TYPE section, select AWS managed option to list only the AWS IAM managed policies available.

05 Find the deprecated AWS managed policy (see Audit section part I to identity the right IAM resource), then click on its name to access the policy configuration.

06 Select the Policy usage tab and copy the names of the IAM entities listed in the Permissions section. Once their names are copied, select the IAM entities associated with the deprecated policy and detach them from the selected policy (i.e. "AmazonElasticTranscoderFullAccess") using the Detach button.

07 In the left navigation panel, choose Policies.

08 In the Search box, paste the name of the replacement AWS managed policy then press Enter. In our case the replacement policy name is AmazonElasticTranscoder_FullAccess.

09 Click on the name of the returned managed policy to access its configuration.

10 Select the Policy usage tab and click the Attach button within the Permissions section to attach the selected policy to the necessary IAM entities.

11 On the Attach policy page, paste the name of the IAM entity copied at step no. 6 in the Search box, select the entity, then click Attach policy button to attach it to the managed policy. If successful, the AWS console will display the following message: "One entity was attached to the AmazonElasticTranscoder_FullAccess policy." Repeat this step for all IAM entities (users, groups or roles) listed at step no. 6.

12 Repeat steps no. 3 – 11 to replace other deprecated AWS managed policies with new (replacement) policies, available in your AWS account.

Using AWS CLI

01 To replace a deprecated AWS managed policy (e.g. "AmazonElasticTranscoderFullAccess" policy), you need to detach it first from the associated IAM entities. Based on the type of the Amazon IAM entity (user, group or role) that you want to reconfigure, perform one of the following commands:

  1. For AWS IAM users:
    • Run detach-user-policy command (OSX/Linux/UNIX) to detach the specified deprecated AWS managed policy from the selected IAM user (see Audit section part II to identity the right IAM user). The command does not return an output: 
      aws iam detach-user-policy
	--user-name cc-transcoder-user
	--policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
  2. For AWS IAM roles:
    • Run detach-role-policy command (OSX/Linux/UNIX) to detach the deprecated AWS managed policy (e.g. "AmazonElasticTranscoderFullAccess") from the selected IAM role (see Audit section part II to identity the right IAM role). The command does not produce an output: 
      aws iam detach-role-policy
	--role-name cc-elastic-transcoder-role
	--policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
  3. For Amazon IAM groups:
    • Run detach-group-policy command (OSX/Linux/UNIX) to detach the specified deprecated AWS managed policy from the selected IAM group (see Audit section part II to identity the right IAM group). The command does not return an output: 
      aws iam detach-group-policy
	--group-name cc-etr-group
	--policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess

02 Attach the replacement AWS managed policy (in this case "AmazonElasticTranscoder_FullAccess") to the same IAM entities, configured at the previous step. Based on the type of the IAM entity (user, group or role) that you want to reconfigure, execute one of the following commands:

  1. For AWS IAM users:
    • Run attach-user-policy command (OSX/Linux/UNIX) to attach the replacement AWS managed policy to the selected IAM user (see Audit section part II to identity the right IAM user). The command does not return an output: 
      aws iam attach-user-policy
	--user-name cc-transcoder-user
	--policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
  2. For AWS IAM roles:
    • Run attach-role-policy command (OSX/Linux/UNIX) to attach the replacement AWS managed policy (e.g. "AmazonElasticTranscoder_FullAccess") to the selected IAM role (see Audit section part II to identity the right IAM role). The command does not produce an output: 
      aws iam attach-role-policy
	--role-name cc-elastic-transcoder-role
	--policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
  3. For Amazon IAM groups:
    • Run attach-group-policy command (OSX/Linux/UNIX) to attach the specified replacement AWS managed policy to the selected IAM group (see Audit section part II to identity the right IAM group). The command does not return an output: 
      aws iam attach-group-policy
	--group-name cc-etr-group
	--policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess

03 Repeat step no. 1 and 2 to replace other deprecated AWS managed policies with new and approved policies, available within your AWS account.

References

Publication date Aug 31, 2018

Related IAM rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Deprecated AWS Managed Policies In Use

Risk level: Medium