Skip to main content

lacework-global-45

info

This rule also encompasses lacework-global-485 and lacework-global-486. See Adjusted Rules for CIS AWS 1.4.0 for further details.

1.16 Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to users (Automated)

Profile Applicability

• Level 1

Description

IAM policies grant privileges to users, groups, or roles. Best practices recommend granting least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

To find attached policies that allow full administrative privileges:

Locate attached policies with:

aws iam list-policies --only-attached

For each policy, get the policy version with:

aws iam get-policy-version --policy-arn <policy_arn> --version-id <version>

If any policies have a statement block with "Effect": "Allow", "Action": "", "Resource": "", those policies are allowing full administrative privileges.

Rationale

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.

Audit

Perform the following to determine what policies are created:

From Command Line

  1. Run the following to get a list of IAM policies:
 aws iam list-policies --only-attached --output text
  1. For each policy returned, run the following command to determine if any policies is allowing full administrative privileges on the account:
 aws iam get-policy-version --policy-arn <policy_arn> --version-id <version>
  1. In output ensure policy should not have any Statement block with "Effect": "Allow" and Action set to "*" and Resource set to "*"

Remediation

From Console

Perform the following to detach the policy that has full administrative privileges:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy to delete.
  4. In the policy action menu, select first Detach.
  5. Select all Users that have this policy attached.
  6. Click Detach Policy.
  7. In the policy action menu, select Detach.

From Command Line

Perform the following to detach the policy that has full administrative privileges as found in the audit step:

  1. Lists all IAM users that have the specified managed policy attached:
 aws iam list-entities-for-policy --policy-arn <policy_arn>
  1. Detach the policy from all IAM Users:
 aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
  1. Detach the policy from all IAM Groups:
 aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
  1. Detach the policy from all IAM Roles:
 aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>

References

CCE-78912-3
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam

Last updated on