Ensure there are no customer managed Amazon IAM policies in your AWS account that allow full administrative privileges, in order to promote the principle of least privilege and give the users, groups and roles that use these policies only the minimal access required to perform their tasks. An IAM policy that allows full administrative permissions (i.e. access to all AWS actions and resources) is a policy that contains a statement with "Effect": "Allow" for "Action": "*" over "Resource": "*", i.e. "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ].
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Providing full administrative privileges instead of restricting access to the minimum set of permissions can expose your AWS resources to potentially unwanted actions. Cloud Conformity strongly recommends creating and using IAM policies that implement the principle of least privilege (i.e. granting only the minimal set of actions required to successfully perform the desired tasks) instead of using overly permissive policies.
Audit
To determine if there are any IAM customer managed policies that allow full administrative privileges, available in your AWS account, perform the following:
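As an added example (not Cloud Conformity's own tooling), the check below applies the rule's definition of a full-administrative statement to policy documents such as those returned by the `list-policies` (with `--scope Local`) and `get-policy-version` commands listed under References; the policy names and documents here are constructed samples.

```python
import json

# Constructed sample policy documents (not from the page): one over-permissive,
# one over-permissive in list form, and one scoped to a single service.
FULL_ADMIN_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LIST_FORM_DOC = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": ["*"]},
}
SCOPED_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_document):
    """True if any statement is Effect:Allow on Action "*" over Resource "*".

    Mirrors the rule's definition only: Deny statements, service-scoped
    wildcards such as "s3:*", and NotAction/NotResource forms are not flagged.
    """
    if isinstance(policy_document, str):  # accept the raw JSON text as well
        policy_document = json.loads(policy_document)
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def find_full_admin_policies(policies):
    """policies: iterable of (policy_name, default_version_document) pairs.
    Returns the names of policies that grant full administrative privileges."""
    return [name for name, doc in policies if grants_full_admin(doc)]


if __name__ == "__main__":
    sample = [("AdminLike", FULL_ADMIN_DOC), ("ListForm", LIST_FORM_DOC), ("S3Only", SCOPED_DOC)]
    print(find_full_admin_policies(sample))  # ['AdminLike', 'ListForm']
```

Every policy name this returns is a candidate for the detach and delete steps in the Remediation section.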
Remediation / Resolution
To detach AWS IAM managed policies that provide full administrative privileges from IAM users, groups and roles, perform the following actions:
References
- AWS Documentation
  - AWS IAM FAQs
  - IAM Best Practices
  - Managed Policies and Inline Policies
  - IAM JSON Policy Reference
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-policies
    - get-policy-version
    - get-user-policy
    - get-role-policy
    - get-group-policy
    - detach-user-policy
    - detach-role-policy
    - detach-group-policy
    - delete-user-policy
    - delete-role-policy
    - delete-group-policy
IAM Policies With Full Administrative Privileges
Risk level: High