Profile Applicability:
- Level 2
Description:
An IAM inline policy is a policy that is embedded directly into an IAM identity (user, group, or role). These policies are often used for specific, granular access control. However, allowing full "*:*" administrative privileges (i.e., a policy with permissions for every action on every resource, such as "Action": "*", "Resource": "*") is risky. This type of policy grants unrestricted access to all resources in the AWS account, posing significant security risks if misused.
Ensuring that IAM inline policies that grant full administrative privileges are not associated with IAM identities is crucial to reduce the attack surface and follow the principle of least privilege. Only trusted administrators should have unrestricted access, and even those accounts should use administrative privileges with caution and under controlled conditions.
Rationale:
Inline policies granting full access to all resources (with actions like "Action": "*", "Resource": "*") bypass the granularity of control that IAM policies provide. By eliminating these policies, you enforce better security practices, ensuring that IAM identities are given only the permissions they need for their specific tasks. This practice helps prevent malicious use, accidental misconfigurations, and unauthorized access to sensitive resources.
Impact:
Pros:
Reduced security risk by preventing excessive privileges from being assigned to IAM identities.
Improved compliance with the principle of least privilege, which reduces the chances of an attacker exploiting an identity with over-permissive policies.
Helps maintain more secure access controls by enforcing granular permissions.
Cons:
Requires regular audits of IAM policies to ensure full administrative privileges are not inadvertently granted.
Might require reconfiguration of IAM roles or users who depend on broad permissions for specific workflows, which may impact system processes.
Default Value:
By default, AWS does not grant full "*:*" administrative privileges unless explicitly configured in the IAM policy.
Pre-requisites:
AWS IAM permissions to list and manage inline policies on IAM users, groups, and roles (the inline-policy actions are ListUserPolicies/ListGroupPolicies/ListRolePolicies and their Get/Put/Delete counterparts; the ListAttached* actions cover managed policies only):
iam:ListUsers
iam:ListGroups
iam:ListRoles
iam:ListPolicies
iam:ListAttachedUserPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedGroupPolicies
iam:ListUserPolicies
iam:ListGroupPolicies
iam:ListRolePolicies
iam:GetUserPolicy
iam:GetGroupPolicy
iam:GetRolePolicy
iam:DeleteUserPolicy
iam:DeleteGroupPolicy
iam:DeleteRolePolicy
iam:PutUserPolicy
iam:PutGroupPolicy
iam:PutRolePolicy
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console using an IAM user or role with administrative privileges (NOT the root account).
Navigate to IAM and select Users, Groups, or Roles.
For each IAM identity, check the attached inline policies:
Select a user, group, or role and check the Inline Policies section for any policy with the Action: "*" and Resource: "*".
If any inline policy with full "*:*" permissions is found, modify or delete the policy and create a more restrictive policy that follows the least privilege model.
Review each IAM identity to ensure that no user, group, or role has overly permissive inline policies attached.
Using AWS CLI:
List all IAM users:
aws iam list-users
For each user, list the names of their inline policies:
aws iam list-user-policies --user-name <USER_NAME>
If any inline policy grants full "*:*" administrative access, inspect and modify the policy to ensure it doesn't include "Action": "*", "Resource": "*":
aws iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
If necessary, delete any inline policy that provides full administrative access:
aws iam delete-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
Implementation Plan:
Using AWS Console:
Open the IAM Console and navigate to Users, Groups, or Roles.
Select each IAM identity and review the attached inline policies.
If any inline policy has the Action: "*" and Resource: "*", click on the Inline Policy and either delete it or modify the policy to restrict access to only the required resources and actions.
Save the changes and ensure that IAM identities no longer have full administrative privileges assigned via inline policies.
Using AWS CLI:
List all users:
aws iam list-users
For each user, check their inline policies:
aws iam list-user-policies --user-name <USER_NAME>
If any inline policy grants full administrative privileges, delete the policy:
aws iam delete-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
Replace the removed policy with a more restrictive IAM policy that only grants the necessary permissions:
aws iam put-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME> --policy-document <NEW_POLICY_JSON>
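The check behind the Test Plan and Implementation Plan above can be automated against the JSON that aws iam get-user-policy (or get-group-policy / get-role-policy) returns. The following is an added example, not part of the benchmark or of any AWS tool; the sample policy documents and the user and bucket names in it are constructed for illustration.

```python
from typing import Any

# Action values that grant every IAM action; the benchmark treats "*" and "*:*" alike.
FULL_ACTION = {"*", "*:*"}


def _as_list(value: Any) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_admin_statements(policy_document: dict) -> list:
    """Statements that Allow every action ("*" or "*:*") on every resource ("*"); Deny never counts."""
    hits = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).strip() for a in _as_list(stmt.get("Action"))}
        resources = {str(r).strip() for r in _as_list(stmt.get("Resource"))}
        if actions & FULL_ACTION and "*" in resources:
            hits.append(stmt)
    return hits


def is_full_admin(policy_document: dict) -> bool:
    """True when the inline policy should be deleted or rewritten under this control."""
    return bool(full_admin_statements(policy_document))


# Constructed sample in the shape of `aws iam get-user-policy` output (not real account data).
SAMPLE_GET_USER_POLICY = {
    "UserName": "example-user",
    "PolicyName": "example-inline-admin",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Effect": "Allow", "Action": "*", "Resource": ["*"]},
        ],
    },
}

# Constructed least-privilege replacement suitable for `aws iam put-user-policy --policy-document`.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}],
}

if __name__ == "__main__":
    print("flagged statements:", full_admin_statements(SAMPLE_GET_USER_POLICY["PolicyDocument"]))
```

A statement that carries a Condition block is still flagged here, matching the benchmark's wording; review such cases by hand before deciding whether the condition genuinely limits the grant.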
Backout Plan:
Using AWS Console:
If deleting or modifying inline policies causes issues, sign in to the AWS Management Console.
Navigate to the affected IAM user, group, or role.
Re-attach or modify the inline policy if necessary, but ensure that any new policy granted does not provide full "*:*" access.
Using AWS CLI:
To re-attach an inline policy, run the following command:
aws iam put-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME> --policy-document <POLICY_DOCUMENT_JSON>
Verify that the inline policy is reattached and ensure it does not have full administrative privileges.
Reference:
CIS Controls: