Profile Applicability: Level 1


Description

IAM policies that allow full "*": "*" administrative privileges grant complete access to the users, groups, and roles they are attached to. Standard security advice is to grant least privilege instead, that is, only the permissions required to perform a task. Determine what users need to do, then craft policies that let them perform only those tasks rather than granting full administrative privileges. The permissions in the attached policies determine whether a request is allowed or denied.


Rationale: 

It is more secure to start with a minimum set of permissions and grant additional permissions as necessary than to start with maximum privileges; IAM policies that allow full administrative privileges are far less secure.

Providing full administrative privileges instead of the minimum set of permissions the user needs exposes resources to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow", "Action": "*" over "Resource": "*" should be removed.


Impact:

Giving full administrative access instead of restricting to the minimum set of permissions can expose your AWS resources and is harmful to your organization. Icompaas strongly recommends creating and using IAM policies that grant least privilege. For security purposes, you should not grant full administrative privilege.

A policy is an object in AWS that, when associated with an entity or resource, defines its permissions.


Default Value:

By default, IAM entities start with no permissions. In other words, they can do nothing in AWS until you grant them the permissions you want them to have.


Audit:

Perform the following to review the policies that have been created:

Via AWS Console

Step 1: Log in to the AWS console and go to the IAM service at https://console.aws.amazon.com/iam/

To open the policy you want to examine from the policy list, follow the steps below:

Step 2: Click on Policies in the left navigation pane.

Step 3: Click on the IAM policy (Type: Customer managed) that you want to examine. 

In the Permissions tab, click on {} JSON.

Inside the policy document box, search for statements with the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*"


If you find a statement with the combination described above, follow the implementation steps to delete the policy.


Via CLI:

Step 1: Run the list-policies command in a terminal where the AWS CLI is configured:

aws iam list-policies --scope Local --query 'Policies[*].Arn'


It should return output like the following:

[
    "arn:aws:iam::<12_digit_account_id>:policy/cc-full-access-policy",
    "arn:aws:iam::<12_digit_account_id>:policy/cc-deploy-app-policy"
]



Step 2: Check the policy document of the policy version:

aws iam get-policy-version --policy-arn arn:aws:iam::<12_digit_account_id>:policy/cc-full-access-policy --version-id v1 --query 'PolicyVersion.Document'



The above command gives output like the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "12_digit_account_id",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}



As shown above, the JSON contains "Effect": "Allow", "Action": "*", "Resource": "*", which means this customer-managed IAM policy allows full administrative privileges.
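The CLI audit above, as an added example that is not part of the original benchmark text: a boto3 routine that walks every customer-managed policy, fetches its default version and flags the "Effect": "Allow", "Action": "*", "Resource": "*" statements. The function names, the boto3 usage and the sample document are assumptions of this example; the pure checks run offline, only audit_customer_managed_policies() talks to AWS.

```python
# Added example, not part of the original benchmark text: the CLI audit above as a
# boto3 routine. is_full_admin_statement() and find_full_admin_statements() are pure
# and run offline; only audit_customer_managed_policies() calls AWS (needs credentials).

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_full_admin_statement(stmt):
    """True for "Effect": "Allow" with "*" among the Actions and "*" among the Resources.
    "Action": "*" and "Action": ["*"] are equivalent, and "*" mixed into a longer list
    still grants everything, so list forms are checked too."""
    if stmt.get("Effect") != "Allow":
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))

def find_full_admin_statements(document):
    """Sids (or positional labels) of the offending statements in a policy document."""
    return [stmt.get("Sid", f"Statement[{i}]")
            for i, stmt in enumerate(_as_list(document.get("Statement")))
            if is_full_admin_statement(stmt)]

def audit_customer_managed_policies(iam=None):
    """Map policy ARN -> offending Sids over every customer-managed (Scope=Local) policy,
    checking the default version as in the list-policies / get-policy-version steps above."""
    if iam is None:
        import boto3  # imported lazily so the pure checks above run without boto3 installed
        iam = boto3.client("iam")
    findings = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for policy in page["Policies"]:
            version = iam.get_policy_version(PolicyArn=policy["Arn"],
                                             VersionId=policy["DefaultVersionId"])
            hits = find_full_admin_statements(version["PolicyVersion"]["Document"])
            if hits:
                findings[policy["Arn"]] = hits
    return findings

# Constructed sample mirroring the get-policy-version output shown above.
SAMPLE_FULL_ACCESS_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "12_digit_account_id", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}
```

The version checked is the policy's default version, which is the one actually evaluated for attached entities; older non-default versions are not considered here.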


Remediation:

Pre-Requisite:

  • Make sure you are considering customer-managed policies.

  • Make a note of the policy's access conditions, as a backup.

    • Take a screenshot of the policy configuration.


Implementation Steps:

Via AWS Console

Step 1: Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam

Step 2: Click on Policies in the left navigation pane.

Step 3: Click on the policy that contains the full "*": "*" administrative Allow statement identified in the audit step.

Step 4: Select the policy that needs to be deleted, then click on Policy usage and first detach the users and groups from the policy.

Step 5: Select the policy and click on the delete policy button.



Via CLI

Step 1: Use the command below to list the entities the policy is attached to:

aws iam list-entities-for-policy --policy-arn <policy_arn>


Step 2: Detach the policy from all IAM users:

aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>


IAM Groups:

aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

IAM Roles:

aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>




Step 3: After detaching all groups, users and roles from the policy, delete it:

aws iam delete-policy --policy-arn arn:aws:iam::<12_digit_account_id>:policy/<policy_name>
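The CLI remediation above as one routine, added here as an example that is not part of the original benchmark text. It assumes a boto3 IAM client (or any object with the same method names; FakeIam is a constructed stand-in so the ordered plan can be checked offline), and it also clears non-default policy versions, which DeletePolicy requires in addition to detaching every entity.

```python
# Added example, not part of the original benchmark text: the CLI remediation above as one
# boto3 routine. `iam` is a boto3 IAM client (or any object with the same method names);
# FakeIam is a constructed stand-in so the ordered plan can be checked offline.

def attached_entities(iam, policy_arn):
    """Every user, group and role the policy is attached to (follows Marker paging)."""
    users, groups, roles, kwargs = [], [], [], {"PolicyArn": policy_arn}
    while True:
        resp = iam.list_entities_for_policy(**kwargs)
        users += [u["UserName"] for u in resp.get("PolicyUsers", [])]
        groups += [g["GroupName"] for g in resp.get("PolicyGroups", [])]
        roles += [r["RoleName"] for r in resp.get("PolicyRoles", [])]
        if not resp.get("IsTruncated"):
            return users, groups, roles
        kwargs["Marker"] = resp["Marker"]

def detach_and_delete_policy(iam, policy_arn, dry_run=True):
    """Return the ordered plan as (client_method, kwargs); with dry_run=False run it too.
    DeletePolicy is refused while anything is still attached or a non-default policy
    version still exists, so both are cleared before the delete call."""
    users, groups, roles = attached_entities(iam, policy_arn)
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    old = [v["VersionId"] for v in versions if not v["IsDefaultVersion"]]
    steps = ([("detach_user_policy", {"UserName": u}) for u in users]
             + [("detach_group_policy", {"GroupName": g}) for g in groups]
             + [("detach_role_policy", {"RoleName": r}) for r in roles]
             + [("delete_policy_version", {"VersionId": v}) for v in old]
             + [("delete_policy", {})])
    if not dry_run:
        for method, kwargs in steps:
            getattr(iam, method)(PolicyArn=policy_arn, **kwargs)
    return steps

class FakeIam:
    """Constructed stand-in for the boto3 IAM client; records the mutating calls it receives."""
    def __init__(self):
        self.calls = []
    def list_entities_for_policy(self, PolicyArn, Marker=None):
        if Marker is None:  # first page is truncated, so the caller must follow Marker
            return {"PolicyUsers": [{"UserName": "alice"}], "PolicyGroups": [],
                    "PolicyRoles": [], "IsTruncated": True, "Marker": "p2"}
        return {"PolicyUsers": [], "PolicyGroups": [{"GroupName": "deployers"}],
                "PolicyRoles": [{"RoleName": "ci-role"}], "IsTruncated": False}
    def list_policy_versions(self, PolicyArn):
        return {"Versions": [{"VersionId": "v2", "IsDefaultVersion": True},
                             {"VersionId": "v1", "IsDefaultVersion": False}]}
    def __getattr__(self, name):  # any detach_*/delete_* call is only recorded
        return lambda **kw: self.calls.append((name, kw))
```

Run with dry_run=True first and review the returned plan against the backup noted in the pre-requisites before executing it against a real client.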


Backout Plan:

Steps to create a policy:

Step 1: Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam

Step 2: Click on Policies in the left navigation pane.

Step 3: Use the policy conditions noted as a backup to create the policy.

After creating the policy, attach it to users and groups as required.


Via CLI

To create the policy:

aws iam create-policy --policy-name my-policy --policy-document file://policy


To attach the policy to the user:

aws iam attach-user-policy --user-name <iam_user> --policy-arn <policy_arn>




CIS Controls:

4. Controlled Use of Administrative Privileges 
