Check for Overly Permissive IAM Group Policies

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Ensure that both managed and inline policies attached to your Amazon Identity and Access Management (IAM) groups are not too permissive. To adhere to cloud security best practices, all the IAM policies configured for your AWS IAM groups should implement the Principle of Least Privilege (also known as the principle of least authority, i.e. the security concept of providing every identity, process, or system the minimal set of permissions required to perform successfully its tasks).

This rule can help you work with the AWS Well-Architected Framework

Security

Providing the right permissions for your Amazon IAM groups will significantly reduce the risk of unauthorized access to your AWS cloud services and resources and help you manage identity-based access more efficiently.


Audit

To determine if your Amazon IAM group policies (both managed and inline policies) are too permissive, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Groups.

04 Click on the name (link) of the IAM group that you want to examine.

05 On the Summary page, select the Permissions tab from the bottom panel to access the identity–based policies attached to the selected group.

06 Inside the Managed Policies and/or Inline Policies section(s), click on the Show Policy link to open the IAM policy that you want to examine.

07 In the Show Policy dialog box, perform the following actions:

  1. Identify the "Action" element defined for each statement, and check the element value. If the "Action" element value is set to "*", all the supported actions can be performed by the AWS cloud resource(s) defined within the policy statement, therefore the selected IAM policy is too permissive.
  2. Find the "Action" element defined for each statement, and check the element value. If the "Action" value is set to "iam:*", all Identity and Access Management (IAM) actions can be performed by the AWS resource(s) defined within the policy statement (i.e. full access to Amazon IAM service), therefore the selected IAM policy is too permissive.
  3. Identify the "Action" and "Resource" elements defined for each statement, and check their values. If the "Action" element value contains "iam:PassRole" and the "Resource" element value is set to "*", the policy grants permissions to pass any IAM roles to AWS services, hence the selected IAM policy is too permissive.
  4. The "NotAction" policy element used in combination with "Effect": "Allow" element block often provides more privileges than desired. Search for "NonAction" elements defined within the selected policy document. If the document contains one or more "NonAction" elements used in combination with "Effect": "Allow", the selected Amazon IAM policy is too permissive.

08 Repeat step no. 6 and 7 to verify permissions for other IAM policies attached to the selected IAM group.

09 Repeat steps no. 4 – 8 to perform the audit process for other Amazon IAM groups available in your AWS cloud account.

Using AWS CLI

01 Run list-groups command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon IAM groups available within your AWS account:

aws iam list-groups
	--output table
	--query 'Groups[*].GroupName'

02 The command output should return a table with the requested IAM group identifiers:

-----------------------------
|        ListGroups         |
+---------------------------+
|  cc-project5-user-group   |
|  cc-ec2-management-group  |
+---------------------------+

03 Run list-attached-group-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM group that you want to examine as identifier parameter and custom query filters to list the Amazon Resource Name (ARN) of each managed policy attached to the selected IAM group:

aws iam list-attached-group-policies
	--group-name cc-project5-user-group
	--query 'AttachedPolicies[*].PolicyArn'

04 The command output should return the ARN of each managed policy attached to the selected group:

[
    "arn:aws:iam::123456789012:policy/cc-iam-managed-access-policy"
]

05 Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM managed policy that you want to examine as identifier parameter and custom query filters to describe the policy document (JSON format) defined for the selected policy version:

aws iam get-policy-version
	--policy-arn arn:aws:iam::123456789012:policy/cc-iam-managed-access-policy
	--version-id v1
	--query 'PolicyVersion.Document'

06 The command output should return the requested IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

07 Analyze get-policy-version command output and perform the following actions:

  1. Identify the "Action" element defined for each policy statement, and check the element value. If the "Action" element value is set to "*", all the supported actions can be performed by the AWS cloud resource(s) defined within the policy statement, therefore the selected Amazon IAM managed policy is too permissive.
  2. Find the "Action" element defined for each statement, and check the element value. If the "Action" value is set to "iam:*", all Identity and Access Management (IAM) actions can be performed by the AWS resource(s) defined within the policy statement (i.e. full access to Amazon IAM service), therefore the selected IAM managed policy is too permissive.
  3. Identify the "Action" and "Resource" elements defined for each statement, and check their values. If the "Action" element value contains "iam:PassRole" and the "Resource" element value is set to "*", the policy grants permissions to pass any IAM roles to AWS services, hence the selected IAM managed policy is too permissive.
  4. The "NotAction" policy element used in combination with "Effect": "Allow" block often provides more privileges than desired. Search for "NonAction" elements defined in the selected policy document. If the document contains one or more "NonAction" elements used in combination with "Effect": "Allow", the selected IAM managed policy is too permissive.

08 Repeat steps no. 5 – 7 to verify permissions for other managed policies attached to the selected IAM group.

09 Run list-group-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM group that you want to examine as identifier parameter and custom query filters to describe the name of each inline policy attached to the selected IAM group:

aws iam list-group-policies
	--group-name cc-project5-user-group
	--query 'PolicyNames'

10 The command output should return the name of each inline policy attached to the selected group:

[
    "cc-project5-iam-group-policy"
]

11 Run get-group-policy command (OSX/Linux/UNIX) using the name of the IAM inline policy that you want to examine as identifier parameter and custom query filters to describe the policy document (JSON format) created for the selected inline policy:

aws iam get-group-policy
	--group-name cc-project5-user-group
	--policy-name cc-project5-iam-group-policy
	--query 'PolicyDocument'

12 The command output should return the requested inline policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FullUserAccess"
        }
    ]
}

13 Perform the following actions for the get-group-policy command output:

  1. Identify the "Action" element defined for each policy statement, and check the element value. If the "Action" element value is set to "*", all the supported actions can be performed by the AWS cloud resource(s) defined within the policy statement, therefore the selected Amazon IAM inline policy is too permissive.
  2. Find the "Action" element defined for each statement, and check the element value. If the "Action" value is set to "iam:*", all Identity and Access Management (IAM) actions can be performed by the AWS resource(s) defined within the policy statement (i.e. full access to Amazon IAM service), therefore the selected IAM inline policy is too permissive.
  3. Identify the "Action" and "Resource" elements defined for each statement, and check their values. If the "Action" element value contains "iam:PassRole" and the "Resource" element value is set to "*", the policy grants permissions to pass any IAM roles to AWS services, hence the selected IAM inline policy is too permissive.
  4. The "NotAction" policy element used in combination with "Effect": "Allow" block often provides more privileges than desired. Search for "NonAction" elements defined within the selected policy document. If the document contains one or more "NonAction" elements used in combination with "Effect": "Allow", the selected IAM inline policy is too permissive.

14 Repeat steps no. 11 – 13 to check permissions for other inline policies embedded within the selected IAM group.

15 Repeat steps no. 3 – 14 to perform the entire audit process for other Amazon IAM groups created in your AWS cloud account.

Remediation / Resolution

To update your Amazon IAM group permissions through IAM policies in order to implement the Principle of Least Privilege (POLP), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Groups.

04 Click on the name (link) of the IAM group that you want to reconfigure.

05 On the Summary page, select the Permissions tab from the bottom panel to access the identity–based policies attached to the selected group.

06 In the Managed Policies section, perform the following actions:

  1. Choose the overly permissive policy, and click on the Detach Policy link to detach the non-compliant IAM policy from the selected IAM group. Inside the Detach Policy confirmation box, choose Detach.
  2. Choose Attach Policy to attach Amazon IAM managed policies to the selected group. Select one or more IAM policies from the managed policies list based on your IAM group access requirements. Follow the Principle of Least Privilege (the security concept of providing every identity the minimal set of permissions required to perform successfully its tasks) when selecting the managed policies to attach to your IAM group. Choose Attach Policy to confirm your action.

07 Inside the Inline Policies section, perform the following actions:

  1. Choose the overly permissive policy, and click on the Edit Policy link to edit the inline policy embedded within the selected IAM group.
  2. On the Review Policy page, in the Policy Document section, customize the policy permissions according to your IAM group access requirements. Follow the Principle of Least Privilege (the security concept of providing every identity the minimal set of permissions required to perform successfully its tasks) when editing the inline policy associated with to your IAM group. For example, replace the "Action" element value "*" with specific Amazon EC2 service actions such as "ec2:DescribeInstances" and "ec2:DescribeImages" if you want your IAM group users to view your EC2 instances and AMIs. Or pass a specific, compliant IAM role to AWS services when "Action" is set to "iam:PassRole". Once the policy is updated with the appropriate permissions, choose Apply Policy to apply the changes.

08 Repeat step no. 6 and 7 to change permissions for other overly permissive IAM policies associated with the selected IAM group.

09 Repeat steps no. 4 – 8 to perform the remediation process for other Amazon IAM groups available in your AWS cloud account.

Using AWS CLI

01 Define the new identity–based policy that will replace the overly permissive policy associated with your Amazon IAM group, and save the policy document to a JSON file named cc-iam-policy-document.json. You can update the existing, overly permissive policies, with the appropriate permissions, or you can use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build custom policies for your IAM groups. To adhere to cloud security best practices, the new IAM policy should implement the Principle of Least Privilege (POLP) and provide the users within the IAM group the minimal set of permissions required to perform successfully their tasks. For example, the following IAM policy grants permissions to the users within your IAM group to view resources and basic metadata across all supported AWS services. The users cannot read resource content or metadata that goes beyond the quota and list information for resources. This policy provides view-only access to your AWS cloud account and it is useful to consultants or contractors that need to examine your cloud environment without being able to read content or change anything:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "acm:ListCertificates",
                "athena:List*",
                "autoscaling:Describe*",
                "batch:ListJobs",
                "cloudformation:List*",
                "cloudformation:DescribeStacks",
                "cloudfront:List*",
                "cloudsearch:List*",
                "cloudsearch:DescribeDomains",
                "cloudtrail:DescribeTrails",
                "cloudtrail:LookupEvents",
                "cloudwatch:List*",
                "cloudwatch:Get*",
                "config:List*",
                "config:Describe*",
                "dynamodb:DescribeBackup",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeGlobalTableSettings",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeTimeToLive",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListStreams",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeBundleTasks",
                "ec2:DescribeClassicLinkInstances",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeExportTasks",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeHost*",
                "ec2:DescribeIdentityIdFormat",
                "ec2:DescribeIdFormat",
                "ec2:DescribeImage*",
                "ec2:DescribeImport*",
                "ec2:DescribeInstance*",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeMovingAddresses",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetwork*",
                "ec2:DescribePlacementGroups",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRegions",
                "ec2:DescribeReserved*",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshot*",
                "ec2:DescribeSpot*",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolume*",
                "ec2:DescribeVpc*",
                "ec2:DescribeVpnGateways",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecs:List*",
                "ecs:Describe*",
                "elasticache:Describe*",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticmapreduce:List*",
                "elastictranscoder:List*",
                "es:DescribeElasticsearchDomain",
                "es:DescribeElasticsearchDomains",
                "es:ListDomainNames",
                "events:ListRuleNamesByTarget",
                "events:ListRules",
                "events:ListTargetsByRule",
                "firehose:List*",
                "firehose:DescribeDeliveryStream",
                "gamelift:List*",
                "glacier:List*",
                "greengrass:List*",
                "iam:List*",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "importexport:ListJobs",
                "inspector:List*",
                "iot:List*",
                "kinesis:ListStreams",
                "kinesisanalytics:ListApplications",
                "kms:ListKeys",
                "lambda:List*",
                "rds:Describe*",
                "redshift:DescribeClusters",
                "redshift:DescribeEvents",
                "redshift:ViewQueriesInConsole",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "sagemaker:Describe*",
                "sagemaker:List*",
                "sdb:List*",
                "servicecatalog:List*",
                "ses:List*",
                "shield:List*",
                "states:ListActivities",
                "states:ListStateMachines",
                "sns:List*",
                "sqs:ListQueues",
                "ssm:ListAssociations",
                "ssm:ListDocuments",
                "swf:List*",
                "trustedadvisor:Describe*",
                "waf:List*",
                "waf-regional:List*",
                "wafv2:List*",
                "workdocs:DescribeAvailableDirectories",
                "workdocs:DescribeInstances",
                "workspaces:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

02 Depending on whether you need to update an Amazon IAM managed policy or an inline policy, execute one of the following commands:

  1. If the policy attached to your IAM group is a managed policy, run create-policy-version command (OSX/Linux/UNIX) using the identity–based policy document created at the previous step (i.e. cc-iam-policy-document.json) to create a new, compliant version of the attached IAM managed policy. The following command request example creates a new version (v2) of the IAM managed policy whose ARN is "arn:aws:iam::123456789012:policy/cc-iam-managed-access-policy" and makes it the default version:
    aws iam create-policy-version
    	--policy-arn arn:aws:iam::123456789012:policy/cc-iam-managed-access-policy
    	--policy-document file://cc-iam-policy-document.json
    	--set-as-default
    
  2. The command output should return the metadata of the new managed policy version:
    {
        "PolicyVersion": {
            "CreateDate": "2020-12-18T10:00:00Z",
            "VersionId": "v2",
            "IsDefaultVersion": true
        }
    }
    
  3. If the policy associated with your Amazon IAM group is an inline policy, run put-group-policy command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. cc-iam-policy-document.json) to update the permissions of the selected IAM inline policy. The following command request example updates an IAM group inline policy named "cc-project5-iam-group-policy" (the command does not produce an output):
    aws iam put-group-policy
    	--group-name cc-project5-user-group
    	--policy-name cc-project5-iam-group-policy
    	--policy-document file://cc-iam-policy-document.json
    

03 Repeat step no. 1 and 2 to change permissions for other overly permissive IAM policies associated with the selected Amazon IAM group.

04 Repeat steps no. 1 – 3 to perform the entire remediation process for other IAM groups created within your AWS cloud account.

References

Publication date Dec 30, 2020

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Check for Overly Permissive IAM Group Policies

Risk level: High