Description:

IAM (Identity and Access Management) in AWS allows users and roles to be granted permissions to access AWS resources. IAM roles can be assigned policies that define the level of access to AWS resources. The AdministratorAccess policy is an AWS-managed policy that grants full administrative permissions across all AWS services. Attaching this policy to a role should be avoided unless absolutely necessary, as it provides unrestricted access to all resources, increasing the risk of security vulnerabilities.

Rationale:

Granting AdministratorAccess to IAM roles provides full control over AWS resources, which may violate the principle of least privilege. It's essential to restrict administrative privileges to only those who absolutely need it in order to minimize the risk of accidental or malicious misuse of the AWS environment. Ensuring that roles do not have this policy helps to reduce the attack surface and enhances security.

Impact:

If an IAM role has the AdministratorAccess policy attached:

  • It grants full access to all AWS resources, including critical configurations and sensitive data.

  • It violates security best practices by granting unnecessary privileges.

  • It may result in non-compliance with standards such as ISO 27001 and SOC 2.

Default Value:

By default, IAM roles do not have the AdministratorAccess policy attached. However, administrators may sometimes attach it unintentionally, which increases the risk of unauthorized access to critical resources.

Pre-requisites:

  • Access to AWS Management Console or AWS CLI with sufficient IAM permissions.

  • Knowledge of IAM roles and policies.

  • Understanding of security best practices, such as the principle of least privilege.

Remediation:

Test Plan:

Using AWS Console:

  1. Login to the AWS Management Console.

  2. Navigate to IAM > Roles in the AWS Management Console.

  3. Review the list of IAM roles.

  4. Select each role and navigate to the Permissions tab.

  5. Check if the AdministratorAccess policy is attached to the role.

  6. If the policy is attached, verify whether the role truly requires full administrative access.

  7. Remove the AdministratorAccess policy from any roles where it is not required.

Using AWS CLI:

  1. List all IAM roles using the following command:

    aws iam list-roles

  2. For each IAM role, check the attached policies:

    aws iam list-attached-role-policies --role-name <ROLE_NAME>

  3. Review the list of attached policies and check if AdministratorAccess is among them.

  4. If the AdministratorAccess policy is found, decide whether it should be detached based on whether the role genuinely requires administrative access.

  5. Detach the AdministratorAccess policy if it is not required:

    aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Implementation Plan:

Using AWS Console:

  1. Login to the AWS Management Console.

  2. Navigate to Roles in the AWS IAM console.

  3. Open the Permissions tab of each role and check whether the AdministratorAccess policy is attached.

  4. If a role has the AdministratorAccess policy attached and the role does not require it, remove the policy.

  5. Modify the role to follow the principle of least privilege, assigning only the permissions that role needs.

Using AWS CLI:

  1. Run the following command to identify all IAM roles:

    aws iam list-roles

  2. For each role, check whether the AdministratorAccess policy is attached using the command:

    aws iam list-attached-role-policies --role-name <ROLE_NAME>

  3. If the AdministratorAccess policy is attached to any role that does not require it, detach it using:

    aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
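The CLI test plan and the CLI implementation plan above are the same loop: list the roles, list each role's attached managed policies, flag the ones carrying AdministratorAccess, and detach it only where it is not needed. The script below is an added example that automates that loop; it is not part of this control's original text. It assumes the AWS CLI is installed and authenticated with iam:ListRoles, iam:ListAttachedRolePolicies and (for the detach step) iam:DetachRolePolicy; the script name iam_admin_audit.sh and the `scan` / `--detach` arguments are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example (not part of the original control text): audit every IAM role
# for the AWS-managed AdministratorAccess policy and, only when asked, detach it.
# Assumes an authenticated AWS CLI; run with no arguments it only defines functions.
set -eu

ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Print every role name in the account, one per line.
# IAM role names cannot contain whitespace, so word-splitting the output is safe.
role_names() {
  aws iam list-roles --query 'Roles[].RoleName' --output text | tr '\t' '\n'
}

# Print the ARNs of the managed policies attached to one role, one per line.
attached_policy_arns() {
  aws iam list-attached-role-policies --role-name "$1" \
    --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n'
}

# Read policy ARNs from stdin (one per line); succeed only if AdministratorAccess
# is among them. The match is on the whole line, so the separate AWS-managed
# policy AdministratorAccess-Amplify does not produce a false positive, and the
# whole input is consumed so the upstream aws call is never cut off mid-output.
has_admin_policy() {
  grep -xF "$ADMIN_POLICY_ARN" >/dev/null
}

# The remediation step from the control, for one role.
detach_admin_policy() {
  aws iam detach-role-policy --role-name "$1" --policy-arn "$ADMIN_POLICY_ARN"
}

# Walk all roles and report the ones carrying the policy; detach only on request.
# Exit status is 0 when no role has the policy, 1 otherwise, so it can gate a CI job.
# Usage: ./iam_admin_audit.sh scan            # report only
#        ./iam_admin_audit.sh scan --detach   # report and detach
scan_roles() {
  detach="${1:-}"
  found=0
  for role in $(role_names); do
    if attached_policy_arns "$role" | has_admin_policy; then
      found=$((found + 1))
      echo "FINDING: role '$role' has $ADMIN_POLICY_ARN attached"
      if [ "$detach" = "--detach" ]; then
        detach_admin_policy "$role"
        echo "REMEDIATED: detached $ADMIN_POLICY_ARN from '$role'"
      fi
    fi
  done
  echo "Roles with AdministratorAccess attached: $found"
  [ "$found" -eq 0 ]
}

case "${1:-}" in
  scan) scan_roles "${2:-}" ;;
esac
```

Run `scan` first and review each finding against the role's actual purpose before running `scan --detach`; the detach is the step the Backout Plan below reverses, so keep the FINDING lines as the list of roles to reattach if something breaks. Matching the full ARN rather than the substring "AdministratorAccess" matters because AWS also publishes a managed policy named AdministratorAccess-Amplify, which this control does not cover.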

Backout Plan:

If any issues occur after detaching the AdministratorAccess policy, you can:

  1. Reattach the AdministratorAccess policy to the affected role using:

    aws iam attach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

  2. Ensure the role is restored to its original state if needed.

  3. Review other roles to ensure there are no other issues with excessive permissions.

Note:

Consider applying a more restrictive policy tailored to the specific needs of the role, and regularly review permissions to ensure they align with security best practices.

Reference: