Profile Applicability:
- Level 2
Description:
In AWS IAM, an Administrator Access Policy grants full access to all resources in an AWS account. This level of access should be granted with caution, as it provides complete administrative privileges. To minimize the risk of unauthorized access, it's important to ensure that IAM groups do not have an Administrator Access Policy assigned.
An IAM group is a collection of IAM users that share permissions. If an IAM group is granted the AdministratorAccess policy, any user added to that group would have unrestricted access to all AWS resources. This could lead to security vulnerabilities and accidental changes or deletions of critical resources. Instead of using the Administrator Access policy directly in groups, it is recommended to assign least privilege policies to groups and users, limiting access to only necessary resources.
Rationale:
Granting the AdministratorAccess policy to an IAM group allows all members of that group to have unrestricted access to AWS resources, which increases the risk of misuse. It's a security best practice to avoid assigning such powerful policies to IAM groups unless absolutely necessary. By ensuring that IAM groups do not have the AdministratorAccess policy, you help reduce the attack surface and ensure the principle of least privilege is followed.
Impact:
Pros:
Improved security by reducing the number of users with full administrative privileges.
Helps enforce the least privilege access model, where users only have access to the resources they need.
Reduces the risk of accidental or malicious modifications to AWS resources.
Cons:
May require careful review and configuration of IAM group policies to ensure that users still have the necessary permissions to perform their tasks.
If AdministratorAccess is required for a legitimate use case, it needs to be assigned carefully and monitored.
Default Value:
By default, IAM groups in AWS do not have AdministratorAccess granted unless explicitly configured by an administrator.
Pre-requisites:
AWS IAM permissions to manage IAM groups and policies:
iam:ListGroups
iam:ListAttachedGroupPolicies
iam:DetachGroupPolicy
iam:AttachGroupPolicy
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console using an IAM user or role with sufficient privileges.
Navigate to IAM and select Groups.
Review the list of IAM groups and their attached policies.
For each group, check if the AdministratorAccess policy is attached.
Navigate to the Group Details page.
In the Permissions tab, check whether the AdministratorAccess policy, or any similar policy granting equivalent full access, is attached.
If the AdministratorAccess policy is attached to any group, detach it and review the group’s permissions to ensure it has the appropriate level of access.
Using AWS CLI:
List all IAM groups:
aws iam list-groups
For each IAM group, list the attached policies:
aws iam list-attached-group-policies --group-name <GROUP_NAME>
Review the list of attached policies. If AdministratorAccess is listed, detach the policy:
aws iam detach-group-policy --group-name <GROUP_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
To verify that AdministratorAccess is no longer attached, run:
aws iam list-attached-group-policies --group-name <GROUP_NAME>
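The CLI audit steps above, scripted as an added example that is not part of this benchmark: it walks every IAM group with boto3 paginators (so groups beyond the first page of results are not missed) and reports those with AdministratorAccess attached. The sample group names are constructed for illustration.

```python
"""Audit IAM groups for the AdministratorAccess managed policy (scripted form of the CLI steps)."""
from typing import Dict, List

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample shaped like list-groups joined with list-attached-group-policies (not real data).
SAMPLE_ATTACHED = {
    "Admins": [ADMIN_POLICY_ARN],
    "Developers": ["arn:aws:iam::aws:policy/PowerUserAccess"],
    "Auditors": ["arn:aws:iam::aws:policy/SecurityAudit", ADMIN_POLICY_ARN],
}


def find_admin_groups(attached: Dict[str, List[str]],
                      policy_arn: str = ADMIN_POLICY_ARN) -> List[str]:
    """Return names of groups whose attached managed-policy ARNs include policy_arn."""
    return sorted(name for name, arns in attached.items() if policy_arn in arns)


def collect_attached_policies(iam) -> Dict[str, List[str]]:
    """Map each group to its attached managed-policy ARNs via a boto3 IAM client.
    Paginators matter: list-groups and list-attached-group-policies truncate results."""
    attached: Dict[str, List[str]] = {}
    for page in iam.get_paginator("list_groups").paginate():
        for group in page["Groups"]:
            name = group["GroupName"]
            arns: List[str] = []
            pages = iam.get_paginator("list_attached_group_policies").paginate(GroupName=name)
            for pol_page in pages:
                arns.extend(p["PolicyArn"] for p in pol_page["AttachedPolicies"])
            attached[name] = arns
    return attached


def main() -> int:
    import boto3  # imported here so find_admin_groups stays usable without AWS credentials
    offenders = find_admin_groups(collect_attached_policies(boto3.client("iam")))
    for name in offenders:
        print(f"FAIL: group '{name}' has AdministratorAccess attached; remediate with: "
              f"aws iam detach-group-policy --group-name {name} --policy-arn {ADMIN_POLICY_ARN}")
    if not offenders:
        print("PASS: no IAM group has AdministratorAccess attached")
    return 1 if offenders else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run with credentials holding iam:ListGroups and iam:ListAttachedGroupPolicies; a non-zero exit code flags at least one group that fails this check.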
Implementation Plan:
Using AWS Console:
Open the IAM Console and navigate to Groups.
Select any group with the AdministratorAccess policy attached.
In the Permissions tab, click Detach Policy to remove the AdministratorAccess policy from the group.
Review the group’s permissions to ensure they have appropriate access to only the required AWS resources.
Using AWS CLI:
Detach the AdministratorAccess policy from the group using:
aws iam detach-group-policy --group-name <GROUP_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
If necessary, assign other policies with more restricted permissions that align with the least privilege principle:
aws iam attach-group-policy --group-name <GROUP_NAME> --policy-arn arn:aws:iam::aws:policy/<NEW_POLICY>
Backout Plan:
Using AWS Console:
If removing AdministratorAccess causes issues or if the group needs full administrative access, you can reattach the policy:
Go to Group Details and click Attach Policy.
Search for AdministratorAccess and attach it to the group again.
Using AWS CLI:
If AdministratorAccess needs to be reattached, run the following command:
aws iam attach-group-policy --group-name <GROUP_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Reference:
CIS Controls: