Ensure that your Amazon IAM policies (inline and customer managed) do not use "Effect": "Allow" in combination with the "NotAction" element, in order to follow security best practices and adhere to the principle of least privilege. "NotAction" is an advanced policy element that explicitly matches everything except the specified list of actions. Using NotAction with "Effect": "Allow" can produce a shorter policy by listing only the few actions that should not match (e.g. "Statement": [ { "Effect": "Allow", "NotAction": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*" } ]), but inappropriate use of this combination can make the policy far more permissive than intended: in the example, every action that can be performed on the matched S3 resources other than s3:DeleteBucket is allowed, including actions the service adds after the policy is written. Such a policy can eventually lead to unauthorized access.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
From a security perspective, a deny-list approach (allowing everything with a few exceptions) does not follow best practices and, in the case of IAM policies, does not comply with the principle of least privilege (i.e. granting only the minimal set of actions required to perform the desired task(s) successfully). An explicit allow list of named actions also stays bounded as AWS introduces new API actions, whereas an "Effect": "Allow" statement with "NotAction" silently grows to cover them.
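To make the over-permissiveness concrete, the following is an added example (not Cloud Conformity's tooling and not AWS code): a deliberately minimal IAM policy evaluator that models only Effect, Action/NotAction, Resource, wildcard matching and "explicit Deny wins", ignoring Conditions, NotResource and principals. It evaluates the page's NotAction statement and an explicit-Action rewrite of it against a set of constructed probe requests; the policies, ARNs and the assumption that the author only wanted read access are all illustrative.

```python
import fnmatch
from typing import Iterable


def _as_list(value) -> list:
    """Action, NotAction, Resource and Statement may be a single value or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _matches(patterns: Iterable[str], candidate: str, fold_case: bool) -> bool:
    """IAM-style wildcard match ('*' any run, '?' one char). Action names are
    case-insensitive in IAM; resource ARNs are case-sensitive."""
    for pattern in patterns:
        p, c = (pattern.lower(), candidate.lower()) if fold_case else (pattern, candidate)
        if fnmatch.fnmatchcase(c, p):
            return True
    return False


def statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement applies to this (action, resource) pair."""
    if "Action" in stmt:
        action_hit = _matches(_as_list(stmt["Action"]), action, True)
    elif "NotAction" in stmt:
        # NotAction matches every action EXCEPT the listed ones, including
        # actions that did not exist when the policy was written.
        action_hit = not _matches(_as_list(stmt["NotAction"]), action, True)
    else:
        return False
    resource_hit = _matches(_as_list(stmt.get("Resource")), resource, False)
    return action_hit and resource_hit


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Implicit deny unless some statement allows; an explicit Deny always wins."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed sample: the statement shape the rule flags (the page's own example).
NOTACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*"}
    ],
}

# Constructed sample: the same grant as an explicit allow list. That the author only
# wanted read access is an assumption made for the illustration.
EXPLICIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::*"}
    ],
}

# Constructed probe requests. Only s3:DeleteBucket appears in the NotAction policy's text.
PROBES = [
    ("s3:GetObject", "arn:aws:s3:::prod-logs/2024/app.log"),
    ("s3:DeleteBucket", "arn:aws:s3:::prod-logs"),
    ("s3:DeleteObject", "arn:aws:s3:::prod-logs/2024/app.log"),
    ("s3:PutBucketPolicy", "arn:aws:s3:::prod-logs"),
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/backdoor"),
]


def compare(policy_a: dict, policy_b: dict, probes=PROBES) -> dict:
    """Map each probe to (allowed by policy_a, allowed by policy_b)."""
    return {f"{a} on {r}": (is_allowed(policy_a, a, r), is_allowed(policy_b, a, r))
            for a, r in probes}


if __name__ == "__main__":
    for req, (nota, explicit) in compare(NOTACTION_POLICY, EXPLICIT_POLICY).items():
        print(f"{req:60} NotAction={nota!s:5} explicit={explicit}")
```

Running it shows that the NotAction statement grants s3:DeleteObject and s3:PutBucketPolicy on every bucket even though neither action is mentioned anywhere in the policy, while the explicit version refuses them. The iam:CreateUser probe is refused by both only because the Resource element is scoped to S3 ARNs; with "Resource": "*" the NotAction statement would grant it too.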
Audit
Case A: To determine if the customer managed policies created in your AWS account use "Effect": "Allow" in combination with "NotAction", perform the following actions:
Case B: To determine if any inline policies created in your AWS account use "Effect": "Allow" in combination with "NotAction", perform the following actions:
Remediation / Resolution
Case A: To update (redefine) your AWS IAM customer managed policies and remove the "Effect": "Allow" / "NotAction" combination of elements in order to follow security best practices, perform the following actions:
Case B: To redefine your AWS IAM inline policies and remove the "Effect": "Allow" / "NotAction" combination of elements in order to follow security best practices, perform the following actions:
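The audit and remediation steps above (both cases) boil down to: collect every policy document, flag each statement that pairs "Effect": "Allow" with "NotAction", and republish the offenders as explicit allow lists. The following is an added example of that check (not Cloud Conformity's rule engine and not AWS code). It runs offline on a constructed inventory of documents shaped like the PolicyDocument / Document field the AWS CLI prints for get-policy-version and get-user-policy / get-role-policy / get-group-policy (the raw API returns that field URL-encoded; the CLI decodes it). The policy names, ARNs and the remediated action set are assumptions for the illustration; the real action list has to come from the policy owners.

```python
import json
from typing import Union


def load_policy_document(doc: Union[str, dict]) -> dict:
    """Accept either a parsed document or its JSON string form."""
    return json.loads(doc) if isinstance(doc, str) else doc


def find_allow_notaction(policy: Union[str, dict]) -> list:
    """One finding per statement that combines Effect Allow with NotAction.
    Deny + NotAction is not reported: that is the restrictive use of the element."""
    policy = load_policy_document(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given bare
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            not_action = stmt["NotAction"]
            findings.append({
                "index": idx,
                "sid": stmt.get("Sid"),
                "not_action": [not_action] if isinstance(not_action, str) else list(not_action),
                "resource": stmt.get("Resource"),
            })
    return findings


def audit_inventory(inventory: dict) -> dict:
    """inventory maps a label (policy ARN + version, or principal + inline policy
    name) to its document; only the non-compliant entries are returned."""
    report = {}
    for label, doc in inventory.items():
        findings = find_allow_notaction(doc)
        if findings:
            report[label] = findings
    return report


# Constructed inventory. In a real audit the documents come from
#   aws iam list-policies --scope Local                       (customer managed ARNs)
#   aws iam get-policy-version --policy-arn <arn> --version-id <DefaultVersionId>
#   aws iam get-user-policy / get-role-policy / get-group-policy   (inline policies)
SAMPLE_INVENTORY = {
    "managed:arn:aws:iam::123456789012:policy/S3Operators:v3": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "BucketAdminExceptDelete",
            "Effect": "Allow",
            "NotAction": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::*",
        }],
    },
    "inline:user/alice:DenyAllButIamRead": {
        "Version": "2012-10-17",
        "Statement": [{
            # Deny + NotAction refuses everything outside iam:Get*/iam:List*: compliant.
            "Effect": "Deny",
            "NotAction": ["iam:Get*", "iam:List*"],
            "Resource": "*",
        }],
    },
    "inline:role/app-reader:ReadLogs": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::prod-logs", "arn:aws:s3:::prod-logs/*"],
        }],
    }),
}

# Remediated S3Operators document: the same grant as an explicit allow list. The
# action set below is an assumption about what the operators need.
REMEDIATED_S3_OPERATORS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BucketOperators",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
                   "s3:DeleteObject", "s3:GetBucketLocation"],
        "Resource": ["arn:aws:s3:::*"],
    }],
}
# Publish it with create-policy-version --set-as-default (managed) or
# put-user-policy / put-role-policy / put-group-policy (inline).

if __name__ == "__main__":
    print(json.dumps(audit_inventory(SAMPLE_INVENTORY), indent=2))
```

Only the managed S3Operators document is reported; the Deny/NotAction guard and the explicit-Action role policy pass. After writing the remediated document to a file it can be published with `aws iam create-policy-version --policy-arn <arn> --policy-document file://s3-operators-v4.json --set-as-default` (a managed policy keeps at most five versions, so an old one may first have to be removed with delete-policy-version), and re-running the check on the new default version should return no findings.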
References
- AWS Documentation
  - AWS IAM FAQs
  - IAM Best Practices
  - IAM JSON Policy Reference
  - IAM JSON Policy Evaluation Logic
  - IAM JSON Policy Elements: NotAction
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-policies
    - get-policy-version
    - get-user-policy
    - get-role-policy
    - get-group-policy
    - create-policy-version
    - put-user-policy
    - put-role-policy
    - put-group-policy
Rule: IAM Policies with Effect Allow and NotAction
Risk level: High