Description:

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines its permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.

Ensure that the access policies attached to your IAM roles adhere to the principle of least privilege by giving the roles the minimal set of actions required to perform their tasks successfully.

Rationale:

Providing the right permissions for your IAM roles will significantly reduce the risk of unauthorized access (through API requests) to your AWS resources and services.

Impact:

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.

Default Value:

Policies let you specify who has access to AWS resources, and what actions they can perform on those resources. Every IAM user starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys.


Pre-Requisites:

To perform the steps in this tutorial, you need to already have the following:

  • An AWS account that you can sign in to as an IAM user with administrative permissions.

  • A test IAM user that has no permissions assigned as follows:



Remediation:

Test Plan:

Case A: To determine if your Amazon IAM role policies allow all actions (i.e. "*"), perform the following:

1. Sign in to the AWS Management Console.

2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

3. In the left navigation panel, choose Roles.

4. Click on the AWS IAM role that you want to examine.

5. On the IAM role configuration page, select the Permissions tab from the bottom panel.

6. Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

7. In the Show Policy dialog box, identify the Action element and its current value. If the element value is set to "*", all existing actions can be performed by the AWS resource(s) defined within the policy statement, therefore the IAM policy is too permissive.


Using AWS CLI:


The following get-role-policy command gets the specified inline policy attached to the role, so that its Action element can be inspected as in step 7:

aws iam get-role-policy --role-name Test-Role --policy-name ExamplePolicy


Case B: To determine if your AWS IAM role policies give access to all IAM actions (i.e. "iam:*"), perform the following:

1. Sign in to the AWS Management Console.

2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

3. In the left navigation panel, choose Roles.

4. Click on the IAM role that you want to examine.

5. On the IAM role configuration page, select the Permissions tab from the bottom panel.

6. Inside the Managed Policies and/or Inline Policies section(s), click the Show Policy link to open the attached IAM policy.

7. In the Show Policy dialog box, identify the Action element and its current value. If the element value is set to "iam:*", all IAM service actions can be performed by the AWS resource(s) defined within the policy statement (i.e. full access to IAM), therefore the role policy is too permissive.

Case C: To determine if your AWS IAM role policies allow "sts:AssumeRole" from anyone, perform the following:

1. Sign in to the AWS Management Console.

2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

3. In the left navigation panel, choose Roles.

4. Click on the IAM role that you want to examine.

5. On the IAM role configuration page, select the Trust Relationships tab from the bottom panel.

6. Click the Trust Relationships button to open the attached policy.

7. On the Edit Trust Relationship page, identify the Action and Principal elements and their current values. If the Action element value is set to "sts:AssumeRole" and the Principal element value is set to { "AWS": "*" }, anyone (any IAM entity) can assume the role, therefore the Trusted Entities policy attached to the selected IAM role is too permissive.
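The three checks above (Case A: Action "*", Case B: Action "iam:*", Case C: sts:AssumeRole trusted to { "AWS": "*" }) can be run over the policy documents that the CLI returns instead of reading them in the console. This is an added example, not part of the original page; the sample policy documents are constructed, and the trust check goes slightly beyond the console steps by also treating the bare "*" principal form and the "sts:*" / "*" action forms as granting sts:AssumeRole.

```python
# Constructed sample documents (not from the original page), in the shape that
# `aws iam get-role-policy` (PolicyDocument) and `aws iam get-role` return.
PERMISSIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
]}
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
PERMISSIVE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
]}
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
]}

def _as_list(value):
    """IAM accepts either a single string or a list for Action and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_permissions_policy(doc):
    """Cases A and B: list (statement index, case, action) for each Allow
    statement that grants every action ('*') or every IAM action ('iam:*')."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((i, "A", action))
            elif action.lower() == "iam:*":  # action names are case-insensitive
                findings.append((i, "B", action))
    return findings

def check_trust_policy(doc):
    """Case C: True if any AWS principal may call sts:AssumeRole on the role."""
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        principal = stmt.get("Principal")
        # Principal may be {"AWS": "*"} or the bare "*" string form.
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if actions & {"sts:assumerole", "sts:*", "*"} and "*" in aws:
            return True
    return False
```

Feed the `PolicyDocument` from `aws iam get-role-policy` to `check_permissions_policy` and the `AssumeRolePolicyDocument` from `aws iam get-role` to `check_trust_policy`; an empty result from the first and False from the second means the role passes all three cases.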

Implement steps:

Case A: To update the IAM role policies that allow all actions (i.e. "*") in order to implement the principle of least privilege, perform the following:

1. Sign in to the AWS Management Console.

2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

3. In the left navigation panel, choose Roles.

4. Click on the IAM role that you want to reconfigure.

5. On the IAM role configuration page, select the Permissions tab from the bottom panel.

6. Inside the Managed Policies and/or Inline Policies section(s), click on the policy name (link) to open the attached IAM policy for editing.

7. On the Policy Details page, select the Policy Document tab and click the Edit button to enter edit mode.

8. Update the selected policy by replacing the Action element value (i.e. "*") with specific action names based on your requirements.

9. Click Validate Policy to validate the changes.

10. Click the Save button to apply the policy changes.

Case B: To update the IAM role policies that allow all IAM actions (i.e. "iam:*") in order to implement the principle of least privilege, perform the following:

1. Sign in to the AWS Management Console.

2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

3. In the left navigation panel, choose Roles.

4. Click on the IAM role that you want to reconfigure.

5. On the IAM role configuration page, select the Permissions tab from the bottom panel.

6. Inside the Managed Policies and/or Inline Policies section(s), click on the policy name (link) to open the attached IAM policy for editing.

7. On the Policy Details page, select the Policy Document tab and click the Edit button to enter edit mode.

8. Update the selected policy by replacing the Action element value (i.e. "iam:*" – full IAM access) with specific IAM service actions, based on the access plan that you want to achieve for the selected role.

9. Click Validate Policy to validate the changes.

10. Click the Save button to apply the policy changes.

Backout Plan:

To revoke or change policies, follow the same implementation steps.

References: