Description:

IAM (Identity and Access Management) is a service provided by AWS to manage access to AWS resources securely. Customer-managed policies are IAM policies that are created and maintained by AWS customers, providing fine-grained access control. These policies are essential for securing AWS environments, but it's important to ensure that overly permissive policies, such as those with "*:*" (full administrative) privileges, are not attached to users, groups, or roles. This helps prevent unintended security risks and ensures least-privilege access.

Rationale:

Allowing full "*:*" administrative privileges in IAM policies provides unrestricted access to all AWS resources and actions, which can lead to serious security risks if misused. The principle of least privilege dictates that users should only have access to the resources necessary for their job functions. Customer-managed policies with full administrative access should be reviewed and restricted to only trusted users and roles.

Impact:

Allowing policies with "*:*" administrative privileges can:

  • Expose AWS resources to unauthorized actions.

  • Lead to unintentional security breaches or accidental resource deletion.

  • Violate security best practices by granting excessive access.

  • Pose compliance issues for organizations adhering to security frameworks like SOC 2 or ISO 27001.

Default Value:

By default, IAM policies provided by AWS do not grant full administrative access. However, customer-managed policies can be configured to include "*:*" permissions, which can lead to unnecessary risks if not monitored.

Pre-requisites:

  • Access to AWS Management Console or AWS CLI with necessary IAM permissions.

  • Knowledge of IAM policies and their structure.

  • Understanding of the organization's security policy and least-privilege access principles.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign into AWS Management Console.

  2. Navigate to ‘Policies’ in the AWS IAM Console.

  3. Search for customer-managed policies attached to any user, group, or role.

  4. Review the JSON or visual editor for each policy to ensure that no policy contains "*:*" permissions.

  5. Identify any policies with full administrative access and verify if they are unnecessarily assigned.

  6. Remove or restrict policies with "*:*" permissions if identified.

Using AWS CLI:

List all IAM policies using the following command:

aws iam list-policies --scope Local

For each customer-managed policy, check the policy document for "*:*" permissions:

aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>

  1. Inspect the Statement section of the policy to verify whether "*:*" is included (an Allow statement with Action "*" and Resource "*").

  2. Report any policies that grant overly broad permissions.
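The check in the Test Plan above can be scripted. The following is an added example, not part of the original benchmark text: it inspects IAM policy documents for an Allow statement whose Action is "*" (or "*:*") and whose Resource is "*", handling the cases where IAM allows Action, Resource, and Statement to be either a single value or a list. The sample policy ARNs and documents are constructed for illustration; in practice the document comes from the Document field of the aws iam get-policy-version output.

```python
"""Flag IAM customer-managed policy documents that grant full "*:*" administrative
privileges: an Allow statement with Action "*" (or "*:*") and Resource "*".

Added example, not part of the original benchmark text. The sample policy
documents below are constructed; a real document comes from the `Document`
field of `aws iam get-policy-version` output (the CLI returns it as JSON).
"""
import json


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    """Both "*" and "*:*" mean every action of every service."""
    return action.strip() in ("*", "*:*")


def statement_is_full_admin(statement):
    """True if this statement grants every action on every resource.

    Only Allow statements grant access, so a Deny with "*" is not flagged.
    Statements that use NotAction/NotResource are not matched even when broad,
    because this check targets the benchmark's "*:*" pattern specifically.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return any(_is_wildcard_action(a) for a in actions) and "*" in resources


def find_full_admin_statements(document):
    """Return the indexes of statements granting "*:*" on "*".

    `document` may be a dict or a JSON string.
    """
    if isinstance(document, str):
        document = json.loads(document)
    statements = _as_list(document.get("Statement"))
    return [i for i, s in enumerate(statements) if statement_is_full_admin(s)]


def flag_policies(policies):
    """Given {policy_arn: document}, return the ARNs that grant "*:*" on "*"."""
    return sorted(arn for arn, doc in policies.items() if find_full_admin_statements(doc))


# Constructed sample documents (not real policies from any account).
SAMPLE_POLICIES = {
    "arn:aws:iam::111122223333:policy/ExampleFullAdmin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "arn:aws:iam::111122223333:policy/ExampleFullAdminList": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Effect": "Allow", "Action": ["*:*"], "Resource": ["*"]},
        ],
    },
    "arn:aws:iam::111122223333:policy/ExampleServiceWide": {
        # Broad within one service, but not "*:*": not flagged by this check.
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    },
    "arn:aws:iam::111122223333:policy/ExampleDenyAll": {
        # A Deny never grants access, so "*" here is harmless.
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"},
    },
}


if __name__ == "__main__":
    for arn in flag_policies(SAMPLE_POLICIES):
        print("full *:* administrative privileges:", arn)
```

To run it against a real account, build the dictionary from the Arn and DefaultVersionId fields of aws iam list-policies --scope Local and the Document field of aws iam get-policy-version for each policy; the service-wide and Deny samples show why a naive search for the string "*" would over-report.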

Implementation Plan:

Using AWS Console:

  1. Sign into AWS Management Console.

  2. Navigate to the AWS IAM Console.

  3. Go to Policies and in the Filter by tab select customer-managed policies.

  4. Select the policy you want to modify and give least-privilege access.

  5. Modify the policy to follow the principle of least privilege by restricting access to only necessary resources and actions.

  6. Detach any policies that grant "*:*" access from users, groups, or roles that do not require full administrative access.

Delete the policy if it is no longer required.

Using AWS CLI:

  1. Identify all customer-managed policies:

    aws iam list-policies --scope Local

  2. Get the policy details:

    aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>

  3. Identify any policies that grant full administrative privileges ("*:*").

  4. Detach such policies from the IAM users, groups, or roles that do not require them, using aws iam detach-user-policy, aws iam detach-group-policy, or aws iam detach-role-policy as appropriate.

  5. If the policy is not required at all, delete it with aws iam delete-policy (the policy must first be detached from every user, group, and role).

  6. Otherwise, update the policy to restrict access as needed and apply the changes.

Backout Plan:

In case of issues or unintended access restrictions after modifying IAM policies:

  1. Review the policy changes made and restore the previous versions if necessary.

  2. Re-attach any necessary policies that were accidentally removed or modified.

  3. Ensure users, groups, or roles have the appropriate permissions restored without excessive privileges.

  4. Document the restoration actions for compliance.

Note (Optional):

Ensure that the least-privilege model is applied consistently across all policies, and that no user, group, or role is granted more access than needed. Regularly review IAM policies to ensure compliance with security policies.

Reference: