Profile Applicability:

  • Level 2

Description:

IAM (Identity and Access Management) allows the creation of both customer-managed policies and inline policies. Inline policies are directly embedded within IAM roles, groups, or users. Privilege escalation occurs when a user or entity gains higher levels of access than they were initially assigned, typically through actions that modify permissions. This SOP ensures that inline policies are regularly reviewed to prevent actions that could lead to privilege escalation, maintaining security and control over access management.

Rationale:

Privilege escalation can occur if inline policies are overly permissive or allow actions like attaching policies, modifying user permissions, or assuming roles with elevated privileges. Such actions can inadvertently grant higher-level permissions to unauthorized users. Ensuring no inline policies allow privilege escalation reduces the risk of unauthorized access and maintains a secure and compliant AWS environment.

Impact:

If an inline policy allows privilege escalation:

  • It may allow users or roles to perform unauthorized actions, such as modifying IAM roles or policies.

  • It can lead to unintended administrative access, potentially allowing malicious or accidental security breaches.

  • It violates the principle of least privilege and can lead to non-compliance with security standards such as SOC 2, ISO 27001, and others.

Default Value:

By default, an IAM inline policy grants no actions that could result in privilege escalation unless it is explicitly written to do so. However, incorrect policy assignments or insufficient reviews can lead to dangerous configurations.

Pre-requisites:

  • Access to AWS Management Console or AWS CLI with sufficient IAM permissions.

  • Familiarity with IAM inline policies and the risks of privilege escalation.

  • Understanding the principle of least privilege and AWS security best practices.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Users, Groups, or Roles in the AWS IAM console.

  3. For each IAM user, group, and role, go to the Permissions tab.

  4. Under Inline Policies, review the policies attached to each user, group, or role.

  5. Check the policy JSON for any actions that allow modifying IAM resources (e.g., iam:AttachUserPolicy, iam:PutRolePolicy, iam:PassRole, iam:CreatePolicy, etc.) or granting excessive privileges.

  6. Remove or modify policies that allow actions potentially leading to privilege escalation.

Using AWS CLI:

  1. List all IAM users, groups, and roles with the following command:

    aws iam list-users
    aws iam list-roles
    aws iam list-groups

  2. For each user, group, or role, list the inline policies attached:

    aws iam list-user-policies --user-name <USER_NAME>
    aws iam list-group-policies --group-name <GROUP_NAME>
    aws iam list-role-policies --role-name <ROLE_NAME>

  3. Retrieve and review the inline policy for each user, group, or role:

    aws iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
    aws iam get-group-policy --group-name <GROUP_NAME> --policy-name <POLICY_NAME>
    aws iam get-role-policy --role-name <ROLE_NAME> --policy-name <POLICY_NAME>

  4. Examine the JSON policy to check for actions that could allow privilege escalation (e.g., iam:AttachUserPolicy, iam:PassRole, iam:CreatePolicy).

  5. Remove or modify any policies that allow privilege escalation:

    aws iam delete-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
    aws iam delete-group-policy --group-name <GROUP_NAME> --policy-name <POLICY_NAME>
    aws iam delete-role-policy --role-name <ROLE_NAME> --policy-name <POLICY_NAME>

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Users, Groups, or Roles in the AWS IAM console.

  3. Go to each user, group, or role, and check the attached inline policies.

  4. Click on each inline policy and check for actions that modify IAM resources or allow users to assume higher-privilege roles.

  5. If a policy contains such permissions, remove it or restrict it to only the actions necessary for the user's role.

  6. Apply the principle of least privilege to restrict the scope of inline policies.

Using AWS CLI:

  1. Use the following commands to identify all IAM entities:

    aws iam list-users
    aws iam list-groups
    aws iam list-roles

  2. List the inline policies attached to each entity using the corresponding commands:

    aws iam list-user-policies --user-name <USER_NAME>
    aws iam list-group-policies --group-name <GROUP_NAME>
    aws iam list-role-policies --role-name <ROLE_NAME>

  3. For each inline policy, retrieve its details using aws iam get-* commands.

  4. Review the policy for any actions related to IAM resource modifications (e.g., iam:CreatePolicy, iam:PutRolePolicy, etc.).

  5. Remove any inline policies that allow these actions using aws iam delete-* commands.

  6. Reapply the principle of least privilege to ensure only necessary permissions are granted.
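The review step in both the CLI Test Plan and the CLI Implementation Plan above (examine each retrieved policy document for IAM-modifying actions) is the part that does not scale by eye, because a grant can hide behind a wildcard such as iam:Put* or a single "*", or behind a NotAction that fails to exclude the dangerous action. The following script is an added example, not part of this SOP or of any AWS tooling. It assumes the PolicyDocument returned by aws iam get-user-policy, get-group-policy, or get-role-policy is saved to a file and passed as the first argument; SAMPLE_POLICY is a constructed document used when no file is given, and the actions beyond the four named in this SOP are an assumption of the example.

```python
"""Review IAM inline policy documents for privilege-escalation-capable actions.

Added example, not part of the original SOP. Usage:
    aws iam get-role-policy --role-name <ROLE_NAME> --policy-name <POLICY_NAME> > out.json
    python3 check_inline.py out.json
Run with no argument to review the constructed SAMPLE_POLICY below.
"""
import fnmatch
import json
import sys

# The first four actions are the ones named in the SOP. The rest are an
# assumption of this example: other permission-management actions that a
# reviewer of inline policies would normally treat the same way.
ESCALATION_ACTIONS = [
    "iam:AttachUserPolicy",
    "iam:PutRolePolicy",
    "iam:PassRole",
    "iam:CreatePolicy",
    "iam:AttachGroupPolicy",
    "iam:AttachRolePolicy",
    "iam:PutUserPolicy",
    "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy",
    "iam:AddUserToGroup",
]


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _covers(pattern, action):
    """True if an IAM action pattern (case-insensitive, '*' and '?' wildcards)
    covers the concrete action name."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_escalation_grants(policy_doc):
    """Return (Sid, action) pairs for every Allow statement that grants an
    escalation-capable action. Deny statements are skipped: the check reports
    what the policy hands out, not the final effective permission set."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "Statement[%d]" % idx)
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        for risky in ESCALATION_ACTIONS:
            granted = any(_covers(p, risky) for p in actions)
            # NotAction allows everything *except* the listed actions, so a
            # risky action that is not excluded is granted.
            if not_actions and not any(_covers(p, risky) for p in not_actions):
                granted = True
            if granted:
                findings.append((sid, risky))
    return findings


def report(entity, policy_name, policy_doc):
    """One line per finding, ready for a review log."""
    return ["%s/%s: statement %s grants %s" % (entity, policy_name, sid, action)
            for sid, action in find_escalation_grants(policy_doc)]


# Constructed sample: one harmless statement, one wildcard grant, one
# over-broad NotAction, and a Deny that must not be reported.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBuckets", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Sid": "ManageIam", "Effect": "Allow", "Action": "iam:Put*", "Resource": "*"},
    {"Sid": "Everything", "Effect": "Allow", "NotAction": "iam:CreatePolicy", "Resource": "*"},
    {"Sid": "Denied", "Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # `aws iam get-*-policy` wraps the document in a PolicyDocument key
        # alongside UserName/GroupName/RoleName and PolicyName.
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
        doc = data.get("PolicyDocument", data)
        entity = data.get("UserName") or data.get("GroupName") or data.get("RoleName") or "entity"
        name = data.get("PolicyName", "inline")
    else:
        doc, entity, name = SAMPLE_POLICY, "sample-user", "SamplePolicy"
    lines = report(entity, name, doc)
    print("\n".join(lines) if lines else "no escalation-capable actions found")
```

Run against the sample, the ReadBuckets and Denied statements produce nothing, ManageIam is reported three times (the Put* wildcard covers iam:PutRolePolicy, iam:PutUserPolicy and iam:PutGroupPolicy), and Everything is reported for every listed action except iam:CreatePolicy, the one it actually excludes. Loop the script over the output of the list-*-policies commands to cover every user, group and role, and treat each reported statement as a candidate for the remove-or-restrict step.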

Backout Plan:

Using AWS Console:

  1. If disabling or modifying inline policies causes issues for legitimate users, sign in to the AWS Management Console.

  2. Re-attach or modify the inline policy as necessary, but ensure that the modified policy does not grant privilege escalation actions.

  3. Review and verify that no user or role has excessive IAM permissions.

Using AWS CLI:

  1. If you need to re-attach an inline policy that was removed, run:

    aws iam put-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME> --policy-document <POLICY_DOCUMENT_JSON>

  2. Verify that the inline policy has been successfully reattached:

    aws iam list-user-policies --user-name <USER_NAME>

Reference:

CIS Controls:

  Version | Control ID | Control Description
  --------|------------|--------------------
  7.1     | 3.1        | Ensure IAM inline policies do not include actions that could lead to privilege escalation, such as modifying IAM policies or roles.
  7.1     | 8.1        | Apply the principle of least privilege and restrict IAM policies to only the actions required by users, roles, and services.