Profile Applicability:
Level 1
Description:
AWS IAM policies define permissions for users, groups, and roles. The principle of least privilege states that entities should only have the permissions required to perform their job.
Rationale:
- Unrestricted IAM policies allow any action on all AWS resources, increasing the risk of misconfigurations or breaches. 
- Attackers can exploit over-permissive roles to escalate privileges and compromise AWS environments. 
- Security and compliance frameworks (CIS, SOC 2, ISO 27001, PCI-DSS, HIPAA) require role-based access control (RBAC), not global administrator access. 
Impact:
- Excessive permissions increase the attack surface and expose critical AWS resources. 
- Misconfigurations in IAM roles may lead to data leaks, accidental deletions, or unauthorized API calls. 
- Organizations with over-permissive IAM policies fail compliance audits. 
Default Value:
By default, AWS allows the use of wildcard (*:*) permissions, meaning:
- IAM users, groups, and roles can have full access to AWS resources if administrators do not restrict permissions. 
- AWS does not enforce least privilege unless explicitly configured. 
Pre-Requisites:
- IAM Administrator Access: required permissions iam:ListPolicies, iam:GetPolicyVersion, iam:ListEntitiesForPolicy, iam:DetachUserPolicy, iam:DetachGroupPolicy, iam:DetachRolePolicy.
- AWS CloudTrail (optional): to monitor changes to IAM policies and detect over-permissive policies.
- AWS Organizations & SCPs (optional): to prevent full "*:*" policies from being created.
Remediation:
Test Plan:
Using Console Steps:
- Log in to the AWS Console as an IAM Administrator.
- Open IAM Console → Click Policies. 
- In the search bar, enter "*:*" to filter policies. 
- Review each policy: if a Statement contains "Effect": "Allow", "Action": "*", "Resource": "*", the policy is non-compliant.
- Check which users, groups, or roles have the policy attached. 
Using Command Line Steps:
List all attached IAM policies:
aws iam list-policies --only-attached --query 'Policies[*].Arn' --output text
For each policy, check if it grants full permissions ("*:*"):
aws iam get-policy-version --policy-arn <policy_arn> --version-id <version>
Review the output for any policy with this structure:
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
}
List all users, groups, or roles attached to the policy:
aws iam list-entities-for-policy --policy-arn <policy_arn>
Implementation Steps:
Step 1: Detach and Delete Over-Permissive IAM Policies
Using Console Steps
- Log in to the AWS Console as an IAM Administrator.
- Open IAM Console → Click Policies. 
- Identify policies with "*:*" permissions. 
- Click on the policy → Click Detach. 
- Select all users, groups, and roles using the policy → Click Detach Policy. 
- Once detached, select the policy again → Click Delete. 
Using Command Line Steps
- List IAM users, groups, and roles using the policy:
aws iam list-entities-for-policy --policy-arn <policy_arn>
- Detach the policy from users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
- Detach the policy from groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
- Detach the policy from roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
- Delete the policy once detached:
aws iam delete-policy --policy-arn <policy_arn>
Step 2: Replace with Least Privilege IAM Policies
Instead of full "*:*" permissions, create role-specific IAM policies.
Example: Read-Only Policy (save as readonly-policy.json; the Version and Statement wrapper is required for a valid policy document)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}
Command to Create a New Policy with Least Privilege
aws iam create-policy --policy-name ReadOnlyPolicy --policy-document file://readonly-policy.json
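The check described in the Test Plan, applied to a decoded policy document, as an added example that is not part of the benchmark text: a small Python script that flags every Allow statement granting "*" (or "*:*") on Resource "*", and that can be pointed at the JSON printed by aws iam get-policy-version. The same function is what you would run over a replacement policy from Step 2 before creating it. It goes a little beyond the literal pattern above: Statement, Action and Resource may each be a string or a list, a Deny on "*" is not a finding, a wildcard Action scoped to a specific ARN is not a finding, and an Allow with NotAction on Resource "*" ("everything except X") is reported separately. The function names and all sample documents are constructed for this example.

```python
import json

# --- Constructed sample policy documents (not real account data) ---------------
FULL_ADMIN_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# The benchmark's read-only replacement policy, wrapped in a full document.
READ_ONLY_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "ec2:DescribeInstances"], "Resource": "*"}
    ],
}

# IAM accepts a single statement object instead of a list; "*:*" is the benchmark's notation.
SINGLE_STMT_DOC = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*:*", "Resource": "*"},
}

# Edge cases that a plain text search for '"Action": "*"' gets wrong.
TRICKY_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
        {"Sid": "ListWithStar", "Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": ["*"]},
        {"Sid": "ScopedStar", "Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "NotActionHole", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

# Constructed stand-in for what `aws iam get-policy-version` prints: the CLI returns
# PolicyVersion.Document already URL-decoded into JSON.
SAMPLE_CLI_OUTPUT = json.dumps({
    "PolicyVersion": {
        "Document": FULL_ADMIN_DOC,
        "VersionId": "v1",
        "IsDefaultVersion": True,
        "CreateDate": "2024-01-01T00:00:00+00:00",
    }
})


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_full_wildcard(value):
    """True for the values that mean 'everything': "*" and the benchmark's "*:*" spelling."""
    return isinstance(value, str) and value.strip() in ("*", "*:*")


def find_full_admin_statements(document):
    """Return (Sid, reason) for each Allow statement that covers all resources and either
    all actions or 'all actions except' (NotAction). Deny statements and wildcard actions
    scoped to specific ARNs are not reported."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if not any(_is_full_wildcard(r) for r in _as_list(stmt.get("Resource"))):
            continue
        if any(_is_full_wildcard(a) for a in _as_list(stmt.get("Action"))):
            findings.append((sid, "Allow * on *"))
        elif "NotAction" in stmt:
            findings.append((sid, "Allow NotAction on *"))
    return findings


def is_compliant(document):
    """Convenience wrapper: True when no full-admin statement is present."""
    return not find_full_admin_statements(document)


def audit_get_policy_version_output(cli_output):
    """Parse the JSON printed by `aws iam get-policy-version` and audit its Document."""
    payload = json.loads(cli_output)
    return find_full_admin_statements(payload["PolicyVersion"]["Document"])


if __name__ == "__main__":
    for name, doc in [("full-admin", FULL_ADMIN_DOC), ("read-only", READ_ONLY_DOC),
                      ("single-statement", SINGLE_STMT_DOC), ("tricky", TRICKY_DOC)]:
        print(f"{name}: compliant={is_compliant(doc)} findings={find_full_admin_statements(doc)}")
    print("cli output:", audit_get_policy_version_output(SAMPLE_CLI_OUTPUT))
```

To drive it from the CLI steps above, take the version to pass to get-policy-version from aws iam get-policy --policy-arn <policy_arn> --query 'Policy.DefaultVersionId', save the get-policy-version output to a file and feed its text to audit_get_policy_version_output. Two caveats for Step 1: AWS managed policies such as AdministratorAccess can be detached but not deleted, and delete-policy on a customer managed policy fails until every entity is detached and every non-default policy version has been deleted.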
Backout Plan:
If a policy was mistakenly deleted or detached:
- Recreate the IAM policy using the AWS CLI:
aws iam create-policy --policy-name RestoredPolicy --policy-document file://policy.json
- Reattach the policy to the required users, groups, or roles:
aws iam attach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
Ensure the policy follows the least privilege model before reattaching.