Profile Applicability:

  • Level 2

Description:
 In AWS, IAM roles allow external entities, including users and AWS services, to assume roles in order to perform actions on your resources. The ReadOnlyAccess policy grants read-only access to all AWS resources, meaning the entity assuming the role can view but cannot modify resources.

When granting IAM roles to external AWS accounts (e.g., third-party contractors, services running in other AWS accounts), it is critical to ensure that the ReadOnlyAccess policy is not applied inappropriately. Read-only permissions let an external account view sensitive resources without modifying them, but they still open the door to information exposure or data scraping.

Rationale:
 Allowing ReadOnlyAccess to external AWS accounts should be done cautiously and only for very specific use cases. Over-granting permissions to external accounts creates security risk even when the external account can only read, not modify, sensitive data. It is a best practice to apply the least privilege principle and provide external accounts with only the minimum permissions necessary for their tasks. If external access is required, it should be tightly controlled and monitored.

Impact:
 Pros:

  • Reduced risk of exposing sensitive resources or data to external accounts.

  • Strengthened security by ensuring external accounts are only granted the permissions they need.

  • Prevents over-permissioning, aligning access controls with the principle of least privilege.

  • Improved auditability of access to sensitive AWS resources.

Cons:

  • Requires more detailed review and configuration of IAM roles and policies.

  • Could impact workflows if the ReadOnlyAccess policy was being used for legitimate purposes with external accounts.

Default Value:
 By default, IAM roles do not grant ReadOnlyAccess for external AWS accounts unless explicitly configured.

Pre-requisites:

  • AWS IAM permissions to manage IAM roles, policies, and external account trust relationships:
    iam:ListRoles
    iam:ListAttachedRolePolicies
    iam:DetachRolePolicy
    iam:AttachRolePolicy
    iam:GetRolePolicy
    iam:UpdateAssumeRolePolicy

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console using an IAM user or role with administrative privileges (NOT the root account).

  2. Navigate to IAM and select Roles.

  3. Review the list of IAM roles to check if any roles have the ReadOnlyAccess policy attached.

  4. For each IAM role, review the permissions policies associated with the role:

    • In the Permissions tab, verify if ReadOnlyAccess or a similar read-only policy is attached.

    • If the ReadOnlyAccess policy is attached to a role that allows external AWS accounts to assume the role, either detach the policy or modify the role's trust relationship to restrict access.

  5. Check the Trust Relationships for each role to see if any external AWS accounts are allowed to assume the role. If external accounts do not need read-only access, adjust the role’s permissions accordingly.

Using AWS CLI:

  1. List all IAM roles:

    aws iam list-roles

  2. For each role, list the attached policies:

    aws iam list-attached-role-policies --role-name <ROLE_NAME>

  3. Review the attached policies. If ReadOnlyAccess is found, confirm that the role cannot be assumed by external AWS accounts (the trust policy is checked in step 5). Note that the command below returns an inline policy embedded in the role rather than a managed policy such as ReadOnlyAccess, so use it to review any inline read-only grants the role may also carry:

    aws iam get-role-policy --role-name <ROLE_NAME> --policy-name <POLICY_NAME>

  4. If ReadOnlyAccess is attached, remove it or modify the policy:

    aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

  5. Verify that external AWS accounts are not mistakenly granted the ReadOnlyAccess policy by checking the Assume Role Policy:

    aws iam get-role --role-name <ROLE_NAME>

Implementation Plan:

Using AWS Console:

  1. Open the IAM Console and navigate to Roles.

  2. Select any role with the ReadOnlyAccess policy attached.

  3. In the Permissions tab, click Detach Policy to remove ReadOnlyAccess.

  4. Review the Trust Relationship for each role to ensure that only the appropriate accounts have permissions to assume the role.

  5. Save the changes and ensure that no external AWS accounts have read-only access unless specifically required.

Using AWS CLI:

  1. To detach ReadOnlyAccess from an IAM role, run:

    aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

  2. Verify that the ReadOnlyAccess policy is removed:

    aws iam list-attached-role-policies --role-name <ROLE_NAME>

  3. Review the role's AssumeRolePolicyDocument to ensure that external AWS accounts are not granted excessive privileges:

    aws iam get-role --role-name <ROLE_NAME>

Backout Plan:

Using AWS Console:

  1. If removing ReadOnlyAccess causes issues or interrupts access, sign in to the AWS Management Console.

  2. Navigate to the affected IAM role and reattach the ReadOnlyAccess policy if required.

  3. Ensure that the policy is attached only for the intended users or external accounts.

Using AWS CLI:

  1. If ReadOnlyAccess needs to be reattached to a role, run:

    aws iam attach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

  2. Verify that the policy is attached successfully:

    aws iam list-attached-role-policies --role-name <ROLE_NAME>

Reference:

CIS Controls:

  Version | Control ID | Control Description
  --------|------------|-------------------------------------------------------------------------------------------------------------------------------
  7.1     | 3.1        | Ensure IAM roles do not have the ReadOnlyAccess policy attached for external AWS accounts to prevent over-permissioning and unauthorized access.
  7.1     | 8.1        | Follow the least privilege principle by limiting external access to IAM roles and preventing the use of ReadOnlyAccess inappropriately.