IAM Group with Administrator Privileges In Use

Risk level: Medium (should be achieved)

Ensure there is an IAM group that has the types of permissions that administrators typically need, available within your AWS account. Prior to running this rule by the Cloud Conformity engine, the name of the admin group must be specified in the rule settings, on your Cloud Conformity account dashboard.

Security

An IAM group is a collection of IAM users that you can use to make the access permissions easier to manage for the assigned users. An IAM group that provides administrator-level permissions is a group that has attached an IAM policy with the following statement: "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ]. When an IAM user gets assigned to an admin group, the IAM identity receives automatically the group privileges which grants him the authorization to provision, configure or remove any AWS resource and use any AWS service available. The IAM admin group will allow you to add or remove IAM users that require administrative privileges to your AWS resources.

Audit

To determine if there is an IAM group that provides administrative privileges available in your AWS account, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access IAM Group with Administrator Privileges In Use conformity rule settings and copy the name of the admin group configured for your AWS account.

02 Sign in to the AWS Management Console.

03 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

04 In the left navigation panel, choose Groups.

05 Paste the name of the IAM group copied at step no. 1 inside the Filter box and press Enter. If the filtering process does not return any IAM groups, there is no admin group created within your AWS account and the audit process ends here. If the filtering process returns an IAM group as result, the audit process continues with the next step.

06 Click on the name (link) of the IAM group that you want to examine.

07 Select Permissions tab, choose the IAM policy that you want to verify and within the Actions column click Show Policy to open the selected IAM policy document in JSON format.

08 Inside Show Policy dialog box, search for the statement with the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*", i.e.

09 Repeat step no. 7 and 8 to check other IAM policies, attached to the selected group, for statements that allow administrative privileges. If the group does not have an access policy with the specified combination, the selected AWS IAM group does not provide administrative privileges, therefore there is no IAM admin group created for administration purposes available in your AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access IAM Group with Administrator Privileges In Use conformity rule settings and copy the name of the IAM admin group created for your AWS account.

02 Run list-groups command (OSX/Linux/UNIX) using the name of the IAM group copied at the previous step as input parameter for custom query filters to list the admin group metadata. Replace <ADMIN_GROUP_NAME> with the name of the IAM group configured in the conformity rule settings:

aws iam list-groups
	--query "Groups[?GroupName == '<ADMIN_GROUP_NAME>']"

03 The command request should return one of the following outputs:

If the list-groups command output returns an empty array (i.e. []), as shown in the example below, there is no IAM admin group created within your AWS account and the audit process ends here.
```
[]
```

If the command output returns the specified IAM group metadata, as shown in the example below, the audit process continues with the next step:

[
    {
        "Path": "/",
        "CreateDate": "2017-03-23T11:29:44Z",
        "GroupId": "AAAABBBBCCCCDDDDEEEEF",
        "Arn": "arn:aws:iam::123456789012:group/<ADMIN_GROUP_NAME>",
        "GroupName": "<ADMIN_GROUP_NAME>"
    }
]

04 Run list-attached-group-policies command (OSX/Linux/UNIX) using the name of the IAM group that you want to examine as identifier, to list the ARN of the access policy attached to the selected group:

aws iam list-attached-group-policies
	--group-name <ADMIN_GROUP_NAME>
	--query "AttachedPolicies[*].PolicyArn"

05 The command output should return the requested Amazon Resource Name (ARN):

[
    "arn:aws:iam::123456789012:policy/iam-group-access-policy"
]

06 Run get-policy-version command (OSX/Linux/UNIX) using the policy ARN returned at the previous step as identifier, to describe the attached IAM policy document in JSON format:

aws iam get-policy-version
	--policy-arn arn:aws:iam::123456789012:policy/iam-group-access-policy
	--version-id v1
	--query 'PolicyVersion.Document'

07 The command output should return the requested IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}

Search for the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*" within the JSON document returned by the get-policy-version command output. If the IAM group policy does not contain the specified combination, the selected AWS IAM group does not provide administrative privileges, therefore there is no IAM admin group created for administration purposes created in your AWS account.

Remediation / Resolution

To create an Amazon IAM group that provides administrative permissions to the IAM users assigned to the group, required for administration purposes, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Policies.

04 Click the Create button from the dashboard top menu to start creating the required IAM policy.

05 On the Create policy page, select JSON tab and paste the following policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

06 Click Review policy to name the new access policy and review its permissions set before saving it.

07 On the Review policy panel, provide a name for the new IAM policy in the Name box and a description in the Description box.

08 Once the IAM policy is named and reviewed, click Create policy to save the changes.

09 In the left navigation panel, choose Groups.

10 Click Create New Group button from the dashboard top menu to initiate the group setup wizard.

11 On Set Group Name page, specify a name for your new IAM group inside the Group Name box. Click Next Step to continue.

12 On Attach policy page, choose Customer managed option from the Filter dropdown list and select the IAM policy created earlier. Click Next Step to continue the process.

13 On Review page, check and review the new IAM group configuration details then click Create Group to save the changes and create the admin group.

Using AWS CLI

01 Define the IAM policy that should allow the IAM users assigned to the group, access to all AWS services. Save the following access policy to a JSON document named iam-admin-group-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "admin-level-access",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

02 Run create-policy command (OSX/Linux/UNIX) using the policy document listed at the previous step, to create the IAM policy that will be attached to your IAM admin group:

aws iam create-policy
	--policy-name iam-admin-access-policy
	--policy-document file://iam-admin-group-policy.json

03 The command output should return the metadata for the new IAM access policy:

{
    "Policy": {
        "PolicyName": "iam-admin-access-policy",
        "CreateDate": "2018-03-23T15:32:45Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "AAAABBBBCCCCDDDDEEEEF",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:policy/iam-admin-access-policy",
        "UpdateDate": "2018-03-23T15:52:45Z"
    }
}

04 Run create-group command (OSX/Linux/UNIX) to create your IAM admin group. Replace <ADMIN_GROUP_NAME> with your own IAM admin group name:

aws iam create-group --group-name <ADMIN_GROUP_NAME>

05 The command output should return the metadata for the new IAM group:

[
    {
        "Path": "/",
        "CreateDate": "2017-09-11T13:24:44Z",
        "GroupId": "AAAABBBBCCCCDDDDEEEEF",
        "Arn": "arn:aws:iam::123456789012:group/",
        "GroupName": ""
    }
]

06 Run attach-group-policy command (OSX/Linux/UNIX) to attach the IAM access policy created earlier to your new IAM admin group (the command does not produce an output):

aws iam attach-group-policy
	--policy-arn arn:aws:iam::123456789012:policy/iam-admin-access-policy
	--group-name <ADMIN_GROUP_NAME>

References

AWS Command Line Interface (CLI) Documentation
iam
list-groups
list-attached-group-policies
get-policy-version
create-policy
create-group
attach-group-policy

Publication date Apr 1, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

IAM Group with Administrator Privileges In Use

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related IAM rules