Identify any Amazon IAM users that are not authorized to edit IAM policies and decommission them in order to protect against unapproved access. Before this conformity rule is run by the Cloud Conformity engine, you need to specify the identifiers of all IAM users authorized to edit IAM policies within your AWS account, represented by a list of valid IAM user ARNs (e.g. arn:aws:iam::123456789012:user/username). If no list is specified, every IAM user with permission to edit IAM access policies is highlighted as a risk.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing illegitimate AWS IAM users to edit access policies can lead to serious (intentional or unintentional) security breaches. To prevent any unauthorized requests made to edit IAM access policies within your AWS account, restrict access only to trusted IAM users.
To identify any unauthorized IAM users that have the permission to edit IAM access policies, perform the following actions:
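The check behind this rule is a comparison of two sets: the IAM users whose effective policies grant any IAM policy-editing action, and the allowlist of authorized user ARNs. The following added example (not Cloud Conformity's own code) implements that comparison over policy documents supplied as Python dictionaries; the action list `POLICY_EDIT_ACTIONS`, the helper names, and the sample users and ARNs are constructed for illustration. In a real audit the documents would be collected from the IAM API (managed policies attached to the user, the user's inline policies, and the policies of each group the user belongs to) before being passed to `find_unauthorized_policy_editors`.

```python
"""Flag IAM users that can edit IAM policies but are not on an allowlist.

Added example for illustration; not part of the Cloud Conformity rule engine.
"""
import fnmatch

# IAM actions that create or change access policies. Assumed set for this
# example; extend it to match your own definition of "edit IAM policies".
POLICY_EDIT_ACTIONS = (
    "iam:CreatePolicy",
    "iam:CreatePolicyVersion",
    "iam:DeletePolicy",
    "iam:DeletePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    "iam:PutUserPolicy",
    "iam:PutGroupPolicy",
    "iam:PutRolePolicy",
    "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy",
    "iam:AttachRolePolicy",
)


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(patterns))


def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction clause applies to `action`."""
    if "Action" in stmt:
        return _action_matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _action_matches(stmt["NotAction"], action)
    return False


def granted_policy_edit_actions(policy_documents):
    """Return the policy-editing actions the combined documents allow.

    Resource scoping and Condition blocks are deliberately ignored: the rule
    flags *any* ability to edit IAM policies, so this over-approximates on
    purpose. An explicit Deny still wins over Allow, as in IAM evaluation.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            for action in POLICY_EDIT_ACTIONS:
                if _statement_covers(stmt, action):
                    target = allowed if stmt.get("Effect") == "Allow" else denied
                    target.add(action)
    return allowed - denied


def find_unauthorized_policy_editors(users, authorized_arns):
    """users: {user_arn: [policy_document, ...]}; returns sorted ARNs of users
    that can edit policies and are not on the allowlist."""
    authorized = set(authorized_arns)
    return sorted(
        arn for arn, docs in users.items()
        if arn not in authorized and granted_policy_edit_actions(docs)
    )


# Constructed sample data (fictional account and users).
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEPLOY_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::123456789012:role/deploy-*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}
DENY_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}

SAMPLE_USERS = {
    "arn:aws:iam::123456789012:user/alice": [ADMIN],          # authorized admin
    "arn:aws:iam::123456789012:user/bob": [DEPLOY_INLINE],    # scoped, still flagged
    "arn:aws:iam::123456789012:user/carol": [READ_ONLY],      # read-only, not flagged
    "arn:aws:iam::123456789012:user/dave": [ADMIN, DENY_IAM], # Deny overrides Allow
}
AUTHORIZED = ["arn:aws:iam::123456789012:user/alice"]

if __name__ == "__main__":
    for arn in find_unauthorized_policy_editors(SAMPLE_USERS, AUTHORIZED):
        print("UNAUTHORIZED policy editor:", arn)
```

Note that `bob` is flagged even though his `iam:PutRolePolicy` grant is scoped to a resource pattern: the rule treats any policy-editing permission as a finding and leaves it to the reviewer to either add the user to the authorized list or remove the permission, which is the decision the remediation steps below act on.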
To decommission any unauthorized IAM users that have the permission to edit IAM access policies within your AWS account, perform the following: