Profile Applicability: Level 1
Description:
A policy is an object in AWS that, when associated with an identity or resource, defines its permissions. An IAM policy that allows full "*:*" administrative privileges grants every action on every resource to the users, groups, and roles it is attached to. Standard security advice is to grant least privilege, that is, only the permissions required to perform a task. Determine what users need to do and then craft policies that let them perform only those tasks, instead of allowing full administrative privileges. The permissions in the policies determine whether a request is allowed or denied.
Rationale:
It is more secure to start with a minimum set of permissions and grant additional permissions as necessary than to start with maximum privileges and try to tighten them later; IAM policies that allow full administrative privileges are the least secure starting point.
Providing full administrative privileges instead of restricting a user to the minimum set of permissions they need exposes your resources to potentially unwanted actions.
IAM policies that have a statement with "Effect": "Allow", "Action": "*" and "Resource": "*" should be removed.
Impact:
Giving full administrative privileges instead of restricting access to the minimum set of permissions exposes your AWS resources and is harmful for your organization. Icompaas strongly recommends creating and using IAM policies that grant least privilege; for security purposes, do not grant full administrative privileges.
Default Value:
By default, policies start with no permissions. In other words, IAM entities can do nothing in AWS until you grant them the permissions you want them to have.
Pre-Requisite:
Make sure you are considering customer-managed policies (AWS-managed policies such as AdministratorAccess cannot be edited or deleted and are out of scope for this check).
Make a note of the policy document (statements, resources, and conditions) as a backup.
Take a screenshot of the policy configuration.
Remediation:
Test Plan:
Using AWS Console:
- Log in to the AWS console and go to the IAM service: https://console.aws.amazon.com/iam/
- Click on Policies in the left navigation pane.
- Filter by Type: Customer managed and click on the IAM policy that you want to examine.
- In the Permissions tab click on {} JSON.
- Inside the policy document box, search for statements with the combination "Effect": "Allow", "Action": "*", "Resource": "*" (Action and Resource may also be written as single-element lists, ["*"], with the same effect).
- If a statement matches, follow the implementation steps to detach and delete the policy.
Using AWS CLI:
- Run the list-policies command with the AWS CLI to list the customer-managed policies in the account (--scope Local excludes AWS-managed policies; inline policies embedded in users, groups, or roles are not listed by this command):
aws iam list-policies --scope Local --query 'Policies[*].Arn'
- It should return output like the following (the ARNs of the customer-managed policies):
[
"arn:aws:iam::<12_digit_account_id>:policy/cc-full-access-policy",
"arn:aws:iam::<12_digit_account_id>:policy/cc-deploy-app-policy"
]
- Retrieve the document of the policy's default version. The default version is not always v1 (a policy can hold up to five versions and any of them may be the default), so read it from `aws iam get-policy --policy-arn <policy_arn> --query 'Policy.DefaultVersionId'` rather than hardcoding it:
aws iam get-policy-version --policy-arn arn:aws:iam::<12_digit_account_id>:policy/cc-full-access-policy --version-id <default_version_id> --query 'PolicyVersion.Document'
The above command gives output like the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "12_digit_account_id",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
As shown above, the document contains "Effect": "Allow", "Action": "*", "Resource": "*", which means this customer-managed policy allows full administrative privileges. Check the list forms ("Action": ["*"], "Resource": ["*"]) as well, since they grant the same thing, and always inspect the default version: an older version may look harmless while the one in force does not.
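The audit above done programmatically, as an added example that is not part of the original page: it walks every customer-managed policy, reads the default version instead of assuming v1, and flags statements that grant "*" on "*" in either the string or the list form. The IAM client is injected, so the logic runs offline against the constructed FakeIam below (sample ARNs, account ID 111122223333, and policy names are made up); with boto3 installed you would pass boto3.client("iam") instead.

```python
"""Audit customer-managed IAM policies for full "*:*" administrative statements.

Added example (not part of the original page). The IAM client is injected so the
detection logic can run offline against the constructed FakeIam below; with boto3
installed, pass boto3.client("iam") to audit_full_admin_policies() instead.
"""
import json


def _as_list(value):
    """IAM accepts a string or a list of strings for Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt):
    """True for Effect Allow with "*" among the Actions and "*" among the Resources.
    A Condition block narrows when the grant applies, not what it grants, so
    conditioned statements are still flagged."""
    if stmt.get("Effect") != "Allow":
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def find_full_admin_statements(document):
    """Return the statements in a policy document that grant *:*.
    Accepts a dict or JSON text; Statement may be one object or a list."""
    if isinstance(document, str):
        document = json.loads(document)
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s for s in statements if is_full_admin_statement(s)]


def audit_full_admin_policies(iam):
    """Walk every customer-managed policy (Scope=Local, as the CLI's --scope Local),
    read its *default* version (never assume v1) and flag *:* grants.
    Returns findings as {"arn", "version", "sids", "attachments"} dicts."""
    findings = []
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for pol in page["Policies"]:
            version = pol["DefaultVersionId"]
            doc = iam.get_policy_version(PolicyArn=pol["Arn"], VersionId=version)
            hits = find_full_admin_statements(doc["PolicyVersion"]["Document"])
            if hits:
                findings.append({
                    "arn": pol["Arn"],
                    "version": version,
                    "sids": [s.get("Sid", "<no Sid>") for s in hits],
                    "attachments": pol.get("AttachmentCount", 0),
                })
    return findings


class FakeIam:
    """Constructed stand-in for boto3's IAM client (sample data, not a real account)."""
    _policies = {  # arn -> (default version id, document)
        "arn:aws:iam::111122223333:policy/cc-full-access-policy": ("v3", {
            "Version": "2012-10-17",
            "Statement": [{"Sid": "FullAdmin", "Effect": "Allow",
                           "Action": "*", "Resource": "*"}]}),
        "arn:aws:iam::111122223333:policy/cc-list-form": ("v1", {
            "Version": "2012-10-17",  # list form of the same grant, single statement
            "Statement": {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}}),
        "arn:aws:iam::111122223333:policy/cc-deploy-app-policy": ("v2", {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                           "Resource": "arn:aws:s3:::deploy-bucket/*"},
                          {"Effect": "Deny", "Action": "*", "Resource": "*"}]}),
    }

    def get_paginator(self, name):
        return self

    def paginate(self, Scope):
        yield {"Policies": [{"Arn": arn, "DefaultVersionId": ver, "AttachmentCount": 1}
                            for arn, (ver, _doc) in self._policies.items()]}

    def get_policy_version(self, PolicyArn, VersionId):
        ver, doc = self._policies[PolicyArn]
        assert VersionId == ver, "must request the default version"
        return {"PolicyVersion": {"VersionId": ver, "Document": doc}}


if __name__ == "__main__":
    for f in audit_full_admin_policies(FakeIam()):  # replace with boto3.client("iam")
        print(f"FAIL {f['arn']} version {f['version']} statements {f['sids']}")
```

Run as-is it reports cc-full-access-policy and cc-list-form and passes cc-deploy-app-policy, whose only "*" on "*" statement is a Deny. Against a real account the script needs iam:ListPolicies and iam:GetPolicyVersion; it still does not see inline policies, which need list-user-policies, list-group-policies and list-role-policies.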
Implementation Steps:
Using AWS Console:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam
- Click on Policies in the left navigation pane.
- Click on the policy that allows full "*":"*" administrative access, as identified in the audit step.
- Open the policy usage (entities attached) view and detach the policy from every user, group, and role it is attached to.
- Select the policy and click the Delete policy button.
Using AWS CLI:
Use the command below to find out which entities the policy is attached to:
aws iam list-entities-for-policy --policy-arn <policy_arn>
Detach the policy from all IAM users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
IAM groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
IAM roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
After detaching all users, groups, and roles, delete the policy. delete-policy also fails while the policy has versions other than the default; list them with list-policy-versions and remove them with delete-policy-version first.
aws iam delete-policy --policy-arn arn:aws:iam::<12_digit_account_id>:policy/<policy_name>
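The whole CLI remediation above as one script, an added example that is not part of the original page. It takes the backup the pre-requisites ask for (the document of the default version, written to a file the backout plan can feed to create-policy), detaches the policy from every user, group and role returned by list-entities-for-policy, deletes the non-default versions that would otherwise make delete-policy fail, and only then deletes the policy. The client is injected so the procedure can be walked offline against the constructed FakeIam below (the ARN, account ID and entity names are made up); dry_run=True reports what would change without calling any mutating API.

```python
"""Safely remove a customer-managed "*:*" policy: back up its document, detach it
from every user, group and role, delete non-default versions, then delete it.
Added example (not part of the original page); pass boto3.client("iam") for a
real account, or the constructed FakeIam below to walk the steps offline.
"""
import json


def remove_full_admin_policy(iam, policy_arn, backup_path=None, dry_run=True):
    """Returns {"backup", "detached", "deleted_versions", "dry_run"}."""
    policy = iam.get_policy(PolicyArn=policy_arn)["Policy"]
    default_version = policy["DefaultVersionId"]
    document = iam.get_policy_version(
        PolicyArn=policy_arn, VersionId=default_version)["PolicyVersion"]["Document"]

    # 1. Back up first: the backout plan recreates the policy from this document.
    backup = {"PolicyName": policy["PolicyName"], "Arn": policy_arn,
              "DefaultVersionId": default_version, "Document": document}
    if backup_path:
        with open(backup_path, "w") as fh:
            json.dump(backup, fh, indent=2)

    # 2. Detach from every attached entity (list_entities_for_policy is paginated).
    detached = {"users": [], "groups": [], "roles": []}
    for page in iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=policy_arn):
        for u in page.get("PolicyUsers", []):
            detached["users"].append(u["UserName"])
            if not dry_run:
                iam.detach_user_policy(UserName=u["UserName"], PolicyArn=policy_arn)
        for g in page.get("PolicyGroups", []):
            detached["groups"].append(g["GroupName"])
            if not dry_run:
                iam.detach_group_policy(GroupName=g["GroupName"], PolicyArn=policy_arn)
        for r in page.get("PolicyRoles", []):
            detached["roles"].append(r["RoleName"])
            if not dry_run:
                iam.detach_role_policy(RoleName=r["RoleName"], PolicyArn=policy_arn)

    # 3. DeletePolicy fails while non-default versions exist (a policy holds at most
    #    five, so one list call is enough): remove them first.
    deleted_versions = []
    for v in iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]:
        if not v["IsDefaultVersion"]:
            deleted_versions.append(v["VersionId"])
            if not dry_run:
                iam.delete_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])

    if not dry_run:  # 4. the default version is removed together with the policy
        iam.delete_policy(PolicyArn=policy_arn)
    return {"backup": backup, "detached": detached,
            "deleted_versions": deleted_versions, "dry_run": dry_run}


class FakeIam:
    """Constructed stand-in for boto3's IAM client holding one attached *:* policy."""
    ARN = "arn:aws:iam::111122223333:policy/cc-full-access-policy"

    def __init__(self):
        self.versions = {"v1": False, "v2": True}  # version id -> is default
        self.users, self.groups, self.roles = {"ci-user"}, {"admins"}, {"deploy-role"}
        self.deleted = False

    def get_policy(self, PolicyArn):
        return {"Policy": {"PolicyName": "cc-full-access-policy", "Arn": PolicyArn,
                           "DefaultVersionId": "v2"}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "Document": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}}

    def get_paginator(self, name):
        return self

    def paginate(self, PolicyArn):
        yield {"PolicyUsers": [{"UserName": u} for u in sorted(self.users)],
               "PolicyGroups": [{"GroupName": g} for g in sorted(self.groups)],
               "PolicyRoles": [{"RoleName": r} for r in sorted(self.roles)]}

    def detach_user_policy(self, UserName, PolicyArn): self.users.discard(UserName)
    def detach_group_policy(self, GroupName, PolicyArn): self.groups.discard(GroupName)
    def detach_role_policy(self, RoleName, PolicyArn): self.roles.discard(RoleName)

    def list_policy_versions(self, PolicyArn):
        return {"Versions": [{"VersionId": v, "IsDefaultVersion": d}
                             for v, d in self.versions.items()]}

    def delete_policy_version(self, PolicyArn, VersionId): del self.versions[VersionId]

    def delete_policy(self, PolicyArn):  # mirrors IAM's DeleteConflict error
        if self.users or self.groups or self.roles or len(self.versions) > 1:
            raise RuntimeError("DeleteConflict: still attached or has extra versions")
        self.deleted = True


if __name__ == "__main__":
    fake = FakeIam()  # replace with boto3.client("iam") and a real policy ARN
    print(json.dumps(remove_full_admin_policy(fake, FakeIam.ARN, dry_run=True), indent=2))
```

Run the dry run first and review the detached list: a role that is the only path for a deployment pipeline or an SSO permission set will lose its access at the moment of detachment, so the replacement least-privilege policy should be attached before this runs with dry_run=False. The backup file's "Document" key is exactly what the backout plan's create-policy --policy-document file:// expects.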
Backout Plan:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam
- Click on Policies in the left navigation pane.
- Use the policy document noted as a backup to create a new policy.
- After creating the policy, attach it to the users, groups, and roles as required.
Using AWS CLI:
To create the policy from the backed-up document:
aws iam create-policy --policy-name my-policy --policy-document file://policy.json
To attach the recreated policy to a user (use attach-group-policy and attach-role-policy for groups and roles):
aws iam attach-user-policy --policy-arn arn:aws:iam::<12_digit_account_id>:policy/my-policy --user-name <iam_user>
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_list.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html
CIS Controls:
4. Controlled Use of Administrative Privileges