Description:

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines its permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, organization SCPs, ACLs, and session policies.

Rationale:

It is more secure to start with a minimum set of permissions and grant additional permissions only as they are needed than to start with maximum privileges and try to tighten them later. IAM policies that grant full administrative privileges, such as the AWS managed policy AdministratorAccess (Allow "*" on "*"), are therefore the least secure option and should not be attached to everyday identities.

Granting full administrative privileges instead of the minimum set of permissions a user needs for their job exposes every resource in the account to unwanted actions, whether through a mistaken command or through a compromised credential.

Impact:

The AWS Config rule iam-policy-blacklisted-check checks, for each IAM resource, whether one of the policy ARNs passed in the policyArns parameter (for example arn:aws:iam::aws:policy/AdministratorAccess) is attached to that resource. The rule is NON_COMPLIANT if such a policy ARN is attached. AWS Config marks a resource listed in the exceptionList parameter as COMPLIANT regardless of whether the policy ARN is attached, so review the exception list as carefully as the findings.

Default Value:

AWS grants no permissions by default: an IAM group, user or role has no access until a policy is attached to it, and AdministratorAccess is only present on a group if an administrator attached it. The behaviour described here belongs to the policy-management automation module used to apply this control, not to AWS itself: by default the module looks for an existing policy whose document matches the one you pass in and, if there is a match, does not create a second policy object with the same rules. You can override this by setting the option to false, which allows two policy objects with different names but identical rules.

Pre-Requisite:

  • Sign in as an administrator or as an IAM user with the IAM permissions the steps below need (iam:ListAttachedGroupPolicies, iam:DetachGroupPolicy and iam:PutGroupPolicy at a minimum)


Remediation:

Test Plan:

01:Sign into the AWS Management Console.

02:Navigate to the Amazon IAM console at https://console.aws.amazon.com/iam/.

03:In the left navigation panel, select User groups.

04:Click on the name (link) of the IAM group that you want to examine.

05:On the group's Summary page, select the Permissions tab to see the identity-based policies attached to the selected group.

06:In the Managed Policies section, check the name of each managed policy attached to the IAM group, listed in the Policy Name column. If the AWS managed policy AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) is attached to the group, the selected IAM group has administrator-level permissions, and the admin access configuration of your AWS account does not follow IAM security best practices. Also review the Inline Policies section and any customer managed policy attached to the group: a policy document that allows "Action": "*" on "Resource": "*" grants the same administrator-level access under a different name and must be treated the same way.
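The console walk-through above checks one group at a time. The following Python script, added here as a worked example and not part of the original control text or of any AWS tool, runs the same check across every group in one pass over the output of aws iam get-account-authorization-details, and also catches the two cases the console steps can miss: a customer managed policy whose default version is equivalent to AdministratorAccess, and an inline policy that grants "*" on "*". The group and policy names in the sample data are constructed, and 123456789012 is the placeholder account id used in AWS documentation.

```python
"""Offline check for administrator-level permissions on IAM user groups.

Input has the shape of `aws iam get-account-authorization-details` output
(policy documents already decoded to JSON objects, as the CLI prints them).
"""
import json
import sys
from urllib.parse import unquote

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load_doc(doc):
    """The CLI decodes documents; the raw API returns them URL-encoded."""
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc


def statement_is_full_admin(stmt):
    """True for an Allow of every action on every resource. A Condition
    (for example an MFA requirement) does not clear the statement: gated
    administrator access is still administrator access."""
    if stmt.get("Effect") != "Allow":
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def document_is_full_admin(doc):
    doc = _load_doc(doc)
    return any(statement_is_full_admin(s) for s in _as_list(doc.get("Statement")))


def default_version_document(policy):
    """Only the default version of a customer managed policy is in effect."""
    for version in policy.get("PolicyVersionList", []):
        if version.get("IsDefaultVersion"):
            return version.get("Document", {})
    return {}


def find_admin_groups(details):
    """Return {group name: [reasons]} for every group with admin-level access:
    AdministratorAccess itself, any customer managed policy whose default
    version is equivalent, or an inline group policy granting "*" on "*"."""
    admin_arns = {ADMIN_POLICY_ARN} | {
        p["Arn"] for p in details.get("Policies", [])
        if document_is_full_admin(default_version_document(p))
    }
    findings = {}
    for group in details.get("GroupDetailList", []):
        reasons = []
        for attached in group.get("AttachedManagedPolicies", []):
            if attached["PolicyArn"] in admin_arns:
                reasons.append("managed policy " + attached["PolicyArn"])
        for inline in group.get("GroupPolicyList", []):
            if document_is_full_admin(inline["PolicyDocument"]):
                reasons.append("inline policy " + inline["PolicyName"])
        if reasons:
            findings[group["GroupName"]] = reasons
    return findings


# Constructed sample in the CLI's output shape; 123456789012 is the
# placeholder account id from AWS documentation, not a real account.
SAMPLE_DETAILS = {
    "GroupDetailList": [
        {"GroupName": "Admins", "GroupPolicyList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}]},
        {"GroupName": "Ops", "AttachedManagedPolicies": [],
         "GroupPolicyList": [
             {"PolicyName": "everything",
              # Statement written as a single object, as in the console snippet.
              "PolicyDocument": {"Version": "2012-10-17", "Statement": {
                  "Effect": "Allow", "Action": "*", "Resource": "*"}}}]},
        {"GroupName": "Developers", "GroupPolicyList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "MyAdmin",
              "PolicyArn": "arn:aws:iam::123456789012:policy/MyAdmin"}]},
        {"GroupName": "ReadOnly", "AttachedManagedPolicies": [],
         "GroupPolicyList": [
             {"PolicyName": "s3-read",
              "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                  "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}}]},
    ],
    "Policies": [
        {"Arn": "arn:aws:iam::123456789012:policy/MyAdmin",
         "PolicyVersionList": [
             {"VersionId": "v2", "IsDefaultVersion": True,
              "Document": {"Version": "2012-10-17", "Statement": [{
                  "Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}}]},
    ],
}


if __name__ == "__main__":
    # Pass the path of a saved get-account-authorization-details dump, or run
    # with no argument to check the constructed sample.
    details = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DETAILS
    print(json.dumps(find_admin_groups(details), indent=2))
```

Save the dump with aws iam get-account-authorization-details > details.json and pass the file path as the first argument. The same walk applies to the UserDetailList (inline policies under UserPolicyList) and RoleDetailList (RolePolicyList) entries if you extend the check to users and roles.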

Implementation Steps:

Step 01:Sign into the AWS Management Console.

Step 02:Navigate to the Amazon IAM console at https://console.aws.amazon.com/iam/.

Step 03:In the left navigation panel, select User groups.

Step 04:Click on the name (link) of the IAM group that you want to reconfigure.

Step 05:On the Summary page, select the Permissions tab from the bottom panel to access the IAM policies attached to the selected group.

Step 06:In the Managed Policies section, choose Detach Policy next to the AdministratorAccess managed policy to detach it from the selected IAM group. Before you detach it, make sure at least one other identity in the account retains enough permissions to administer IAM; otherwise the roles created in Step 08 cannot be managed.

Step 07:Inside the Detach Policy confirmation box, choose Detach. 

Step 08:Follow the steps below to let the group assume the IAM Master and IAM Manager roles, the two roles that split IAM administration (creating identities and policies on one side, attaching policies to identities on the other) so that routine IAM administration and permission management in your AWS account no longer requires AdministratorAccess.

  1. To allow group members to assume the IAM Master role, perform the following actions:

    • In the Inline Policies section, choose Create Group Policy to add an inline policy to the selected IAM group.

    • On the Set Permissions page, select Custom Policy, and paste the following policy (JSON format) in the Policy Document box. Replace "arn:aws:iam::<aws-account-id>:role/<iam-master-role-name>" with the ARN of your IAM Master role. The Resource of an sts:AssumeRole statement must be a role ARN (role/<name>); an instance-profile ARN (instance-profile/<name>) is accepted by the policy editor but never matches a role, so the grant would silently do nothing.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<aws-account-id>:role/<iam-master-role-name>"
          }
        ]
      }

    • In the Policy Name box provide a unique name for the inline policy.

    • Choose Apply Policy to attach the new inline policy to the selected IAM group. Each user in the group will then be able to assume the IAM Master role, provided the role's trust policy also allows principals from your account (or those specific users) to assume it; the inline policy alone is not sufficient.

  2. To allow group members to assume the IAM Manager role, perform the following:

    • In the Inline Policies section, choose Create Group Policy to add a new inline policy to the selected IAM group.

    • On the Set Permissions page, select Custom Policy, and paste the following policy in the Policy Document box. Replace "arn:aws:iam::<aws-account-id>:role/<iam-manager-role-name>" with the ARN of your IAM Manager role (again a role ARN, not an instance-profile ARN).

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<aws-account-id>:role/<iam-manager-role-name>"
          }
        ]
      }

    • In the Policy Name box provide a unique name for the inline policy.

    • Choose Apply Policy to attach the new inline policy to the selected IAM group. Each user in the group will then be able to assume the IAM Manager role, subject to the same trust-policy requirement as above.
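The same remediation expressed for the AWS CLI, as an added example that is not code from the original page or from AWS: it builds the two inline assume-role policies of Step 08, refuses an instance-profile ARN where a role ARN is required, checks that the target role's trust policy actually admits principals from the account, and produces the aws iam detach-group-policy and aws iam put-group-policy calls equivalent to Steps 06 to 08. The group name Admins, the role names IAMMaster and IAMManager and the inline policy names are hypothetical, and 123456789012 is the placeholder account id from AWS documentation.

```python
"""Build the assume-role inline policies from Step 08 and the CLI calls that
apply Steps 06-08, refusing ARNs that are not role ARNs."""
import json
import re
import shlex

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# IAM role ARN: arn:aws:iam::<12-digit account>:role/<optional path/><name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assume_role_policy(role_arn):
    """Inline policy letting group members call sts:AssumeRole on one role.

    The Resource must be a role ARN. An instance-profile ARN
    (arn:aws:iam::<acct>:instance-profile/<name>) is syntactically valid in a
    policy but never matches a role, so the grant would do nothing.
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError("sts:AssumeRole needs a role ARN, got " + role_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "sts:AssumeRole",
                       "Resource": role_arn}],
    }


def trust_policy_trusts_account(trust_doc, account_id):
    """True if the role's trust policy admits principals from account_id.

    The group's sts:AssumeRole grant is only half of the handshake; the role
    must also name the account (or the specific users) in its trust policy.
    """
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not {"sts:AssumeRole", "sts:*", "*"} & set(_as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        for p in _as_list((principal or {}).get("AWS")):
            if p in ("*", account_id) or p.startswith(f"arn:aws:iam::{account_id}:"):
                return True
    return False


def remediation_commands(group_name, roles):
    """CLI equivalent of Steps 06-08: detach AdministratorAccess, then add one
    inline assume-role policy per entry of roles ({policy name: role ARN})."""
    group = shlex.quote(group_name)
    cmds = [f"aws iam detach-group-policy --group-name {group} "
            f"--policy-arn {ADMIN_POLICY_ARN}"]
    for policy_name, role_arn in roles.items():
        doc = json.dumps(assume_role_policy(role_arn), separators=(",", ":"))
        cmds.append(f"aws iam put-group-policy --group-name {group} "
                    f"--policy-name {shlex.quote(policy_name)} "
                    f"--policy-document {shlex.quote(doc)}")
    return cmds


if __name__ == "__main__":
    # Hypothetical group and role names; 123456789012 is the AWS documentation
    # placeholder account id.
    for cmd in remediation_commands("Admins", {
            "AssumeIAMMaster": "arn:aws:iam::123456789012:role/IAMMaster",
            "AssumeIAMManager": "arn:aws:iam::123456789012:role/IAMManager"}):
        print(cmd)
```

Fetch each role's trust policy with aws iam get-role (the AssumeRolePolicyDocument field) and pass it to trust_policy_trusts_account before running the printed commands; if it returns False the inline policy will be attached but every assume-role call will be denied.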



Back out Plan:

  • Sign in to the AWS Management Console.

  • Navigate to the Amazon IAM console at https://console.aws.amazon.com/iam/.

  • In the left navigation panel, select User groups and open the group you changed.

  • On the Permissions tab, remove the inline assume-role policies you added in Step 08 and, if you need to restore the previous state completely, re-attach the AdministratorAccess managed policy to the group.

References:

iam-policy-blacklisted-check - AWS Config 

Creating your first IAM admin user and user group - AWS Identity and Access Management 

Deprecated AWS managed policies - AWS Identity and Access Management 
