Profile Applicability:

Level 1

Description:

AWS IAM policies define permissions for users, groups, and roles. The principle of least privilege states that entities should only have the permissions required to perform their job.

Rationale:

  • Unrestricted IAM policies allow any action on all AWS resources, increasing the risk of misconfigurations or breaches.

  • Attackers can exploit over-permissive roles to escalate privileges and compromise AWS environments.

  • Security and compliance frameworks (CIS, SOC 2, ISO 27001, PCI-DSS, HIPAA) require role-based access control (RBAC), not global administrator access.

Impact:

  • Excessive permissions increase the attack surface and expose critical AWS resources.

  • Misconfigurations in IAM roles may lead to data leaks, accidental deletions, or unauthorized API calls.

  • Organizations with over-permissive IAM policies fail compliance audits.

Default Value:

By default, AWS allows the use of wildcard (*:*) permissions, meaning:

  • IAM users, groups, and roles can have full access to AWS resources if administrators do not restrict permissions.

  • AWS does not enforce least privilege unless explicitly configured.

Pre-Requisites:

  1. IAM Administrator Access:

    • Required permissions: iam:ListPolicies, iam:GetPolicyVersion, iam:ListEntitiesForPolicy, iam:DetachUserPolicy, iam:DetachGroupPolicy, iam:DetachRolePolicy.

  2. AWS CloudTrail (optional):

    • To monitor changes to IAM policies and detect over-permissive policies.

  3. AWS Organizations & SCPs (optional):

    • To prevent full "*:*" policies from being created.

Remediation:

Test Plan:

Using Console Steps:

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Policies.


  3. In the search bar, enter "*:*" to filter policies.

  4. Review each policy:

    • If the Statement contains "Effect": "Allow", "Action": "*", "Resource": "*" → The policy is non-compliant.

  5. Check which users, groups, or roles have the policy attached.

Using Command Line Steps:

List all attached IAM policies:

 aws iam list-policies --only-attached --query 'Policies[*].Arn' --output text

For each policy, check if it grants full permissions ("*:*"):

 aws iam get-policy-version --policy-arn <policy_arn> --version-id <version>

Review the output for any policy with this structure:

 {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
}

List all users, groups, or roles attached to the policy:

 aws iam list-entities-for-policy --policy-arn <policy_arn>

Implementation Steps:
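
The check above, carried out over the JSON that `aws iam get-policy-version` returns, as an added example that is not part of this benchmark. It is a stdlib-only script: the two policy documents embedded in it are constructed samples (the first is a full-access statement, the second is the read-only example from Step 2), and it also accepts the list forms of Statement, Action and Resource that IAM permits, so "Action": ["*"] is flagged the same as "Action": "*".

```python
import json

# Constructed sample in the shape `aws iam get-policy-version` prints
# (the CLI URL-decodes Document into JSON for you).
SAMPLE_FULL_ADMIN = {
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}
            ],
        },
        "VersionId": "v1",
        "IsDefaultVersion": True,
    }
}

# Constructed sample: a bare read-only policy document, which should pass.
SAMPLE_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "ec2:DescribeInstances"],
         "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_full_access_statements(policy):
    """Return statements that Allow Action "*" on Resource "*".

    Accepts either a bare policy document or the full get-policy-version
    output; Deny statements are ignored because they never grant access.
    """
    doc = policy.get("PolicyVersion", {}).get("Document", policy)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append(stmt)
    return findings


def is_compliant(policy):
    """True when no statement grants unrestricted "*:*" access."""
    return not find_full_access_statements(policy)


if __name__ == "__main__":
    import sys
    # Usage: aws iam get-policy-version --policy-arn ARN --version-id VER | python check_policy.py
    print("NON-COMPLIANT" if not is_compliant(json.load(sys.stdin)) else "compliant")
```

The version id to pass is the policy's default version, which `aws iam get-policy --policy-arn <policy_arn> --query 'Policy.DefaultVersionId'` returns; older, non-default versions do not grant anything.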

Step 1: Detach and Delete Over-Permissive IAM Policies

Using Console Steps

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Policies.


  3. Identify policies with "*:*" permissions.

  4. Click on the policy → Click Detach.

  5. Select all users, groups, and roles using the policy → Click Detach Policy.

  6. Once detached, select the policy again → Click Delete.

Using Command Line Steps

  • List IAM users, groups, and roles using the policy:

 aws iam list-entities-for-policy --policy-arn <policy_arn>

  • Detach the policy from users:

 aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>

  • Detach the policy from groups:

 aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

  • Detach the policy from roles:

 aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>

Delete the policy once detached:

 aws iam delete-policy --policy-arn <policy_arn>

Step 2: Replace with Least Privilege IAM Policies

Instead of full "*:*" permissions, create role-specific IAM policies.

Example: Read-Only Policy (the complete document to save as readonly-policy.json; a policy file needs the Version and Statement wrapper, not just the statement)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}

Command to Create a New Policy with Least Privilege

aws iam create-policy --policy-name ReadOnlyPolicy --policy-document file://readonly-policy.json

Backout Plan:

If a policy was mistakenly deleted or detached, recreate the IAM policy using the AWS CLI:

aws iam create-policy --policy-name RestoredPolicy --policy-document file://policy.json

Reattach the policy to the required users, groups, or roles:

 aws iam attach-user-policy --user-name <iam_user> --policy-arn <policy_arn>

Ensure the policy follows the least privilege model before reattaching.

References: