Description:
This policy ensures that a report is generated and shared with the appropriate stakeholders that lists all users who have administrative access to the AWS account. This report can be used to track who has access to sensitive resources and to identify any unauthorized users who may have been granted administrative privileges.
Rationale:
The ability to track who has administrative access to an AWS account is essential for maintaining the security of that account. By generating a report of all users with administrative access, organizations can ensure that only authorized users have access to sensitive resources.
Impact:
Generating the report of users with administrative access will have no impact on the availability or performance of the AWS account. However, it may increase the amount of data that is stored in AWS.
Default Value:
AWS does not generate a report of users with administrative access by default.
Pre-requisites:
- The user must have the appropriate permissions to generate the report of users with administrative access.
- The user must have access to the AWS Management Console or the AWS CLI.
- The user must have a shared folder or S3 bucket where the report can be stored.
Remediation Steps:
To disable this policy, the user can follow these steps:
- In the AWS Management Console, navigate to the IAM & Admin page.
- Click on the Policies tab.
- Select the policy that you want to disable.
- Click on the Disable button.
Test Plan:
To test this policy, the user can follow these steps:
- Enable the policy.
- Generate the report of users with administrative access.
- Verify that the report is shared with the appropriate stakeholders.
Implementation Plan:
To implement this policy, the user can follow these steps:
- Enable the policy.
- Generate the report of users with administrative access.
- Share the report with the appropriate stakeholders.
AWS CLI Process:
To enable this policy using the AWS CLI, the user can run the following command:
aws iam update-policy --policy-name <policy-name> --policy-document file://<policy-document-file>
The policy-document-file
file should contain the following JSON:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:GenerateReport", "Resource": "*" } ] }
Using AWS GUI:
To enable this policy using the AWS GUI, the user can follow these steps:
- In the AWS Management Console, navigate to the IAM & Admin page.
- Click on the Policies tab.
- Select the policy that you want to enable.
- Click on the Edit button.
- In the Policy Document section, paste the following JSON:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:GenerateReport", "Resource": "*" } ] }
- Click on the Save button.
Backout Plan:
To revoke this policy, the user can follow these steps:
- In the AWS Management Console, navigate to the IAM & Admin page.
- Click on the Policies tab.
- Select the policy that you want to revoke.
- Click on the Delete button.
Note:
- This policy is not required for all AWS environments.
- The user should test the policy to ensure that it is working as expected.
- The user should revoke this policy if it is no longer needed.
Reference:
- AWS IAM Policy Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
- AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/iam/
Section 2:
- Tags: users, administrative, access, report, share
- Keywords: IAM, policy, audit, compliance