IAM Policies with Effect Allow and NotAction

Risk level: High (not acceptable risk)

Rule ID: IAM-061

Ensure that your Amazon IAM policies (inline and customer managed) do not use "Effect" : "Allow" in combination with "NotAction" element in order to follow security best practices and adhere to the principle of least privilege. "NotAction" is an advanced policy element that explicitly matches everything except the specified list of actions. Using NotAction with "Effect" : "Allow" can result in a shorter policy by listing only a few actions that should not match (e.g. "Statement": [ { "Effect": "Allow", "NotAction": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*" } ]), but the inappropriately use of the combination can make the policy too permissive, leading eventually to unauthorized access.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

From the security perspective, blacklisting to some degree (allowing everything with some exceptions) does not follow best practices and in case of IAM policies does not comply with the principle of least privilege (i.e. providing the minimal set of actions required to perform successfully the desired task(s)).

Audit

Case A: To determine if the customer managed policies created in your AWS account utilize "Effect" : "Allow" in combination with "NotAction", perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Policies.

04 From the Filter dropdown menu, select Customer managed to list only the customer managed policies available.

05 Click on the name (link) of the IAM policy that you want to examine.

06 Select Permissions tab and click {} JSON button to access the selected policy document in JSON format.

07 Within the policy document box, search for "Effect": "Allow" and "NotAction" combination of elements. If the verified policy utilize "Effect" : "Allow" in combination with "NotAction" element, e.g.

the selected IAM customer managed policy does not follow security best practices, therefore it should be redefined (recommended).

08 Repeat steps no. 5 – 7 to determine if other AWS IAM policies, created within your AWS account, utilize "Effect" : "Allow" in combination with "NotAction".

Using AWS CLI

01 Run list-policies command (OSX/Linux/UNIX) to list the ARNs of all IAM customer managed policies available in your AWS account:

aws iam list-policies
	--scope Local --query 'Policies[*].Arn'

02 The command output should return the requested ARNs:

[
    "arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy",
    "arn:aws:iam::123456789012:policy/code-deploy-policy",
    "arn:aws:iam::123456789012:policy/user-credentials-policy"
]

03 Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to examine as identifier, to retrieve the policy document (JSON format):

aws iam get-policy-version
	--policy-arn arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy
	--version-id v1
	--query 'PolicyVersion.Document'

04 The command output should return the requested IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123456789012",
            "Effect": "Allow",
            "NotAction": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Search for "Effect": "Allow" and "NotAction" combination of elements within the JSON document returned by the get-policy-version command output. If the policy utilize "Effect" : "Allow" in combination with "NotAction" element, as shown in the example above, the selected IAM customer managed policy does not follow security best practices.

05 Repeat step no. 3 and 4 to determine if other AWS IAM policies, currently available in your AWS account, utilize "Effect" : "Allow" in combination with "NotAction".

Audit

Case B: To determine if any inline policies created in your AWS account utilize "Effect" : "Allow" in combination with "NotAction", perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users, Roles or Groups, depending on the IAM resource that you need to inspect.

04 Click on the name (link) of the IAM resource that you want to examine.

05 Select Permissions tab and choose the inline policy that you want to check. An AWS IAM inline policy should have the Policy type attribute set to Inline policy.

06 Expand the panel with the inline policy selected, then click {} JSON button to access the selected policy document.

the selected IAM inline policy does not follow security best practices, therefore the policy should be redefined in order to implement the principle of least privilege.

08 Repeat steps no. 5 – 7 to determine if other IAM inline policies, created for the selected IAM resource, utilize "Effect" : "Allow" in combination with "NotAction".

09 Repeat steps no. 4 – 8 to perform the entire audit process for other AWS IAM resources, available in your AWS account.

Using AWS CLI

01 Based on the type of the IAM resource that you want to examine, perform one of the following commands:

For Amazon IAM users:

Run get-user-policy command (OSX/Linux/UNIX) to retrieve the specified inline policy document (JSON format) associated with the selected IAM user:
```
aws iam get-user-policy
	--user-name S3Manager
	--policy-name cc-s3-manager-policy
	--query 'PolicyDocument'
```

The command output should return the specified IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123456789012",
            "Effect": "Allow",
            "NotAction": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

For AWS IAM roles:

Run get-role-policy command (OSX/Linux/UNIX) to describe the specified inline policy document embedded in the selected IAM role:
```
aws iam get-role-policy
	--role-name S3MgmntRole
	--policy-name cc-s3-manager-policy
	--query 'PolicyDocument'
```

The command output should return the requested AWS IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123456789012",
            "Effect": "Allow",
            "NotAction": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

For Amazon IAM groups:
- Run get-group-policy command (OSX/Linux/UNIX) to get the specified inline policy document (JSON format) associated with the selected AWS IAM group:
```
aws iam get-group-policy
	--group-name S3Managers
	--policy-name cc-s3-manager-policy
	--query 'PolicyDocument'
```
- The command output should return the specified IAM policy document:
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123456789012",
            "Effect": "Allow",
            "NotAction": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}
```
  Search for "Effect": "Allow" and "NotAction" combination of elements within the JSON document returned by the get-user-policy / get-role-policy / get-group-policy command output. If the policy utilize "Effect" : "Allow" in combination with "NotAction" element, as shown in the output examples listed above, the selected IAM inline policy does not follow security best practices.

02 Repeat step no. 1 to determine if other IAM inline policies, associated with your AWS IAM resources, utilize "Effect" : "Allow" in combination with "NotAction".

Remediation / Resolution

Case A: To update (redefine) your AWS IAM customer managed policies and remove "Effect" : "Allow" and "NotAction" combination of elements in order to follow security best practices, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Policies.

04 From the Filter dropdown menu, select Customer managed to list your customer managed policies.

05 Click on the name (link) of the IAM policy that you want to update (see Audit section part I to identify the right IAM resource).

06 Select Permissions tab and click Edit policy button to initiate the policy update process.

07 Select JSON tab and update the selected policy document by removing the "Effect": "Allow" and "NotAction" combination and set the required permissions while following the principle of least privilege – that is, granting only the permissions required to perform the necessary task(s).

08 Click Review policy to review the updated customer managed policy before saving it.

09 Once the policy is reviewed, click Save changes to apply the permission changes.

10 Repeat steps no. 5 – 9 to redefine other AWS IAM customer managed policies, available within your AWS account.

Using AWS CLI

01 First, you need to update (redefine) the selected policy document by removing the "Effect": "Allow" and "NotAction" combination and set the required permissions while following the principle of least privilege. Save the updated policy within a JSON document named new-customer-managed-policy.json. The following policy document example represents the redefined version of the "s3-media-mgmnt-policy" IAM policy, verified at Audit section part I:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "123456789011",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "123456789012",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

02 Run create-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to update as identifier and the policy document listed at the previous step, to add a new (redefined) version to the selected customer managed policy. Use --set-as-default parameter to set the new version as the policy's default version:

aws iam create-policy-version
	--policy-arn arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy
	--policy-document file://new-customer-managed-policy.json
	--set-as-default

03 The command output should return the metadata for the new IAM policy version:

{
    "PolicyVersion": {
        "CreateDate": "2018-02-13T18:00:26.511Z",
        "VersionId": "v2",
        "IsDefaultVersion": true
    }
}

04 Repeat steps no. 1 – 3 to update other Amazon IAM customer managed policies available in your AWS account.

Case B: To redefine your AWS IAM inline policies and remove "Effect" : "Allow" and "NotAction" combination of elements in order to follow security best practices, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users, Roles or Groups, depending on the IAM resource that you need to select.

04 Click on the name (link) of the IAM resource that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select Permissions tab and choose the inline policy that you want to update (see Audit section part I to identify the required policy).

06 Expand the panel with the inline policy selected, then click Edit policy button to initiate the update process.

07 Select JSON tab and update the selected policy document by removing the "Effect": "Allow" and "NotAction" combination and set the required permissions while following the principle of least privilege (i.e. granting only the permissions required to perform the necessary task(s)).

08 Click Review policy to review the updated customer managed policy.

09 Click Save changes to apply the permission changes.

10 Repeat steps no. 5 – 9 to update other Amazon IAM inline policies associated with the selected IAM resource.

11 Repeat steps no. 4 – 10 to perform the entire process for other AWS IAM resources, available in your AWS account.

Using AWS CLI

01 First, you need to redefine the selected policy document by removing the "Effect": "Allow" and "NotAction" combination and set the required permissions. Save the updated policy within a JSON document named new-customer-managed-policy.json. The following policy document example represents the redefined version of the "s3-media-mgmnt-policy" IAM policy, verified at Audit section part I:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "123456789011",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "123456789012",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

02 Based on the type of the IAM resource that you want to reconfigure, perform one of the following commands:

For Amazon IAM users:
- Run put-user-policy command (OSX/Linux/UNIX) to update the required inline policy document (see Audit section part II to identify the right policy), associated with the specified AWS IAM user (the command does not produce an output):
```
aws iam put-user-policy
	--user-name S3Manager
	--policy-name cc-s3-manager-policy
	--policy-document file://new-customer-managed-policy.json
```
For AWS IAM roles:
- Run put-role-policy command (OSX/Linux/UNIX) to update the necessary inline policy document (see Audit section part II to identify the right resource), associated with the specified AWS IAM role (the command does not produce an output):
```
aws iam put-role-policy
	--role-name S3MgmntRole
	--policy-name cc-s3-manager-policy
	--policy-document file://new-customer-managed-policy.json
```
For Amazon IAM groups:
- Run put-group-policy command (OSX/Linux/UNIX) to update the specified inline policy document (see Audit section part II to identify the right policy), associated with the selected AWS IAM group (the command does not produce an output):
```
aws iam put-group-policy
	--group-name S3Managers
	--policy-name cc-s3-manager-policy
	--policy-document file://new-customer-managed-policy.json
```

03 Repeat step no. 1 and 2 to update other Amazon IAM inline policies associated with IAM resources (users, roles and groups).

References

AWS Command Line Interface (CLI) Documentation
iam
list-policies
get-policy-version
get-user-policy
get-role-policy
get-group-policy
create-policy-version
put-user-policy
put-role-policy
put-group-policy

Publication date Feb 13, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

IAM Policies with Effect Allow and NotAction

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

References

Related IAM rules