IAM Policies With Full Administrative Privileges

Risk level: High (not acceptable risk)

Rule ID: IAM-045

Ensure there are no Amazon IAM policies (customer managed) that allow full administrative privileges available in your AWS account, in order to promote the principle of least privilege and provide the users, groups and roles that use these policies the minimal amount of access required to perform their tasks. An IAM policy that allows full administrative permissions (i.e. access to all AWS actions and resources) is a policy that contains a statement with "Effect": "Allow" for "Action": "*" over "Resource": "*", i.e. "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ].

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Providing full administrative privileges instead of restricting to the minimum set of permissions can expose your AWS resources to potentially unwanted actions. Cloud Conformity strongly recommends creating and using IAM policies that implement the principle of least privilege (i.e. providing the minimal set of actions required to perform successfully the desired tasks) instead of using overly permissive policies.

Audit

To determine if there are any IAM customer managed policies that allow full administrative privileges, available in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Policies.

04 From the Filter dropdown menu, select Customer managed to list only the customer managed policies available.

05 Click on the name (link) of the IAM policy that you want to examine.

06 Select Permissions tab and click {} JSON button to access the selected policy document in JSON format.

07 Inside the policy document box, search for statements with the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*". If the verified policy utilizes the specified combination, i.e.

the selected IAM customer managed policy allows full administrative privileges, therefore the policy does not follow security best practices and should be deactivated (detached from any IAM users, group or roles).

08 Repeat steps no. 5 – 7 to determine if other IAM customer managed policies, created within your AWS account, provide full administrative privileges.

Using AWS CLI

01 Run list-policies command (OSX/Linux/UNIX) to list the ARNs of all IAM customer managed policies available in your AWS account:

aws iam list-policies
	--scope Local
	--query 'Policies[*].Arn'

02 The command output should return the requested ARNs:

[
    "arn:aws:iam::123456789012:policy/cc-full-access-policy",
    "arn:aws:iam::123456789012:policy/cc-deploy-app-policy",
]

03 Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to examine as identifier, to retrieve the policy document in JSON format:

aws iam get-policy-version
	--policy-arn arn:aws:iam::123456789012:policy/cc-full-access-policy
	--version-id v1
	--query 'PolicyVersion.Document'

04 The command output should return the requested IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1234567890",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Search for the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*" within the JSON document returned by the get-policy-version command output. If the verified policy uses the specified combination, the selected AWS IAM customer managed policy allows full administrative privileges, therefore the policy is not compliant.

05 Repeat step no. 3 and 4 to determine if other IAM customer managed policies, currently available in your AWS account, allow full administrative privileges.

Remediation / Resolution

To detach AWS IAM managed policies that provide full administrative privileges from IAM users, groups and roles, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users, Roles or Groups, depending on the IAM entity that you need to select.

04 Click on the name (link) of the IAM user/group/role that you want to reconfigure.

05 Select Permissions tab and choose the customer managed policy that you want to detach (see Audit section part I to identify the right resource). An AWS IAM customer managed policy has the Policy type set to Managed policy.

06 Click the x button to detach the overly permissive policy from the selected AWS IAM entity.

07 Within Detach policy dialog box, review the policy attachment details, then click Detach to disengage the policy from the selected user/group/role.

08 Repeat step no. 6 and 7 to detach other managed policies that allow full administrative privileges from the selected AWS IAM entity.

09 Repeat steps no. 3 – 8 to deactivate overly permissive policies for other IAM entities created within your AWS account.

Using AWS CLI

01 Based on the type of the Amazon IAM entity (user, group or role) that you want to reconfigure, perform one of the following commands:

For AWS IAM users:
- Run detach-user-policy command (OSX/Linux/UNIX) to detach the selected customer managed policy (see Audit section part II to identity the right resource) from the specified IAM user (the command does not produce an output):
```
aws iam detach-user-policy
	--user-name ResourceManager
	--policy-arn arn:aws:iam::123456789012:policy/cc-full-access-policy
```
For AWS IAM roles:
- Run detach-role-policy command (OSX/Linux/UNIX) to detach the selected managed policy (see Audit section part II to identity the right policy) from the specified IAM role (the command does not return an output):
```
aws iam detach-role-policy
	--role-name AWSMgmntRole
	--policy-arn arn:aws:iam::123456789012:policy/cc-full-access-policy
```
For Amazon IAM groups:
- Run detach-group-policy command (OSX/Linux/UNIX) to detach the selected customer managed policy (see Audit section part II to identity the right IAM resource) from the specified IAM group (the command does not return an output):
```
aws iam detach-group-policy
	--group-name ResourceManagers
	--policy-arn arn:aws:iam::123456789012:policy/cc-full-access-policy
```

02 Repeat step no. 1 to deactivate overly permissive policies for other IAM entities created within your AWS account.

References

AWS Command Line Interface (CLI) Documentation
iam
list-policies
get-policy-version
get-user-policy
get-role-policy
get-group-policy
detach-user-policy
detach-role-policy
detach-group-policy
delete-user-policy
delete-role-policy
delete-group-policy

Publication date Dec 6, 2017

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

IAM Policies With Full Administrative Privileges

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related IAM rules