Profile Applicability
- Level 1
Description:
IAM policies that allow the *:* wildcard (an Allow statement with "Action": "*" and "Resource": "*") grant full administrative access to every AWS service and resource, limited only by any permissions boundary, service control policy, or explicit Deny that also applies to the identity. While such policies are convenient for managing permissions broadly, they violate the principle of least privilege, which calls for granting each identity only the permissions needed to perform its job. Allowing unrestricted administrative privileges increases the risk of unauthorized access, malicious activity, and accidental resource mismanagement, and means that a single compromised credential exposes the entire account.
By ensuring that policies containing *:* statements are not attached to IAM users, groups, or roles, organizations enforce stricter access controls, so that each identity holds only the specific permissions it needs on the resources it needs.
Rationale:
Ensuring that IAM policies do not allow full administrative privileges provides the following benefits:
Security: Restricts unnecessary access, reducing the risk of unauthorized access or malicious actions.
Compliance: Helps meet compliance standards (e.g., HIPAA, PCI-DSS) that require the principle of least privilege and controlled access to resources.
Reduced risk of misconfiguration: Limits the ability to make broad and potentially damaging changes to AWS resources.
Auditability: Makes it easier to track and monitor permissions, ensuring that users have access only to the resources they need.
Without restricting *:* wildcard policies, users may inadvertently or intentionally gain full access to sensitive resources, leading to potential data breaches or disruptions.
Impact:
Failure to remove policies with full administrative privileges (*:*) can result in:
Unrestricted access to sensitive data and AWS resources.
Security vulnerabilities due to over-permissioned accounts.
Non-compliance with regulatory and security standards requiring the application of least-privilege principles.
By removing *:* policies, organizations can ensure that access to AWS services and resources is tightly controlled and limited to necessary actions only.
Default Value:
By default, AWS does not attach *:* policies to IAM users, groups, or roles unless an administrator explicitly configures them (for example by attaching the AWS managed AdministratorAccess policy). Once attached, such a policy allows full access to all AWS services and resources. The account root user is not governed by IAM policies and always has full access; it is outside the scope of this check.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
iam:ListPolicies
iam:GetPolicy
iam:GetPolicyVersion
iam:ListEntitiesForPolicy
iam:ListAttachedUserPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedGroupPolicies
iam:DetachUserPolicy, iam:DetachRolePolicy, iam:DetachGroupPolicy (remediation)
iam:AttachUserPolicy, iam:AttachRolePolicy, iam:AttachGroupPolicy (backout)
IAM roles, users, and policies must be accessible for review and modification
Remediation:
Test Plan:
Using AWS Console:
Go to the IAM Console.
Navigate to Policies and review the JSON of each attached policy for a statement with "Effect": "Allow", "Action": "*" (or a list containing "*") and "Resource": "*" (or a list containing "*"). A text search for *:* alone is not sufficient, because the two wildcards are separate fields in the document.
Policies that allow full administrative access, such as the AWS managed AdministratorAccess policy, will match; for each user, group, or role they are attached to, assess whether that level of access is justified and detach or replace the policy where it is not.
Review the attached policies of every user, group, and role, including inline policies embedded directly on the identity, to ensure no *:* permissions are in use.
Using AWS CLI:
List every attached managed policy (AWS managed and customer managed) so that each one can be inspected:
aws iam list-policies --only-attached --scope All --query "Policies[].[PolicyName,Arn,DefaultVersionId]" --output table
To check whether a specific user has AdministratorAccess attached (this matches only that named policy, not customer managed policies with the same *:* content):
aws iam list-attached-user-policies --user-name <username> --query "AttachedPolicies[?PolicyName=='AdministratorAccess']" --output table
To retrieve a policy's default version and inspect its document for a *:* Allow statement:
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --query "Policy.DefaultVersionId" --output text
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --version-id <version-id> --query "PolicyVersion.Document"
Any attached policy whose document contains a statement with "Effect": "Allow", "Action": "*" and "Resource": "*" is a finding.
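The console and CLI steps above inspect one policy at a time, and filtering on the name AdministratorAccess misses customer managed policies with the same content. The following Python script is an added example and is not part of the original benchmark text: it implements the document check the test plan describes (an Allow statement whose Action and Resource both contain "*"), handling the scalar-or-list forms IAM permits and the URL-encoded document the CLI returns, and, when run with --live, walks every attached managed policy through boto3 and reports which users, groups and roles it is attached to. The sample policy documents and the --live flag are constructed for this example.

```python
"""Audit IAM managed policies for full "*:*" administrative statements.

Added example, not part of the original benchmark text. The document
check is pure Python and runs against constructed sample policies; the
live audit uses boto3 and runs only when invoked with --live.
"""
import json
import sys
import urllib.parse
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt: Dict[str, Any]) -> bool:
    """True when a statement allows Action "*" on Resource "*".

    Deny statements, service-wide wildcards such as "s3:*", and "*" scoped
    to a specific resource ARN are not "*:*" and are not flagged here.
    """
    if stmt.get("Effect") != "Allow":
        return False
    actions = [str(a).strip() for a in _as_list(stmt.get("Action"))]
    resources = [str(r).strip() for r in _as_list(stmt.get("Resource"))]
    return "*" in actions and "*" in resources


def is_full_admin_policy(document: Any) -> bool:
    """Accept a policy document as a dict (as boto3 returns it) or as the
    URL-encoded JSON string that `aws iam get-policy-version` returns."""
    if isinstance(document, str):
        document = json.loads(urllib.parse.unquote(document))
    return any(is_full_admin_statement(s) for s in _as_list(document.get("Statement")))


# Constructed sample documents for the offline run (not real account data).
SAMPLE_POLICIES: Dict[str, Dict[str, Any]] = {
    # same shape as the AWS managed AdministratorAccess document
    "admin-scalar": {"Version": "2012-10-17",
                     "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    # "*" buried inside lists: still full admin
    "admin-list": {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": ["*"]}]},
    "deny-star": {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
    "service-star": {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "scoped-star": {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"}]},
}
# The CLI form of the first sample, URL-encoded the way get-policy-version emits it.
ENCODED_ADMIN = urllib.parse.quote(json.dumps(SAMPLE_POLICIES["admin-scalar"]))


def audit_samples() -> List[str]:
    """Names of the constructed samples that would be findings."""
    return sorted(name for name, doc in SAMPLE_POLICIES.items() if is_full_admin_policy(doc))


def find_full_admin_policies(iam) -> List[Dict[str, Any]]:
    """Live audit over every attached managed policy (AWS and customer managed).

    Fetches each policy's default version, flags *:* Allow statements, and
    lists the users, groups and roles the policy is attached to.
    """
    findings = []
    for page in iam.get_paginator("list_policies").paginate(Scope="All", OnlyAttached=True):
        for pol in page["Policies"]:
            version = iam.get_policy_version(PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])
            if not is_full_admin_policy(version["PolicyVersion"]["Document"]):
                continue
            users, groups, roles = [], [], []
            for ents in iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=pol["Arn"]):
                users += [u["UserName"] for u in ents.get("PolicyUsers", [])]
                groups += [g["GroupName"] for g in ents.get("PolicyGroups", [])]
                roles += [r["RoleName"] for r in ents.get("PolicyRoles", [])]
            findings.append({"PolicyName": pol["PolicyName"], "Arn": pol["Arn"],
                             "AwsManaged": pol["Arn"].startswith("arn:aws:iam::aws:"),
                             "Users": users, "Groups": groups, "Roles": roles})
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # uses the credentials configured for the AWS CLI
        for finding in find_full_admin_policies(boto3.client("iam")):
            print(json.dumps(finding))
    else:
        print("findings in constructed samples:", audit_samples())
```

Inline policies embedded on a user, group or role are not managed policies and are not returned by list-policies; the same is_full_admin_policy check can be applied to the documents returned by get-user-policy, get-group-policy and get-role-policy to cover them.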
Implementation Plan:
Using AWS Console:
Remove or replace policies that allow *:* access:
Go to the IAM Console.
Under Policies, identify policies whose document contains a statement with "Effect": "Allow", "Action": "*" and "Resource": "*".
Detach these policies from the affected users, groups, and roles. AWS managed policies such as AdministratorAccess cannot be edited; customer managed policies can instead be rewritten (as a new default policy version) to restrict access to specific actions and resources.
Create more restrictive policies:
Create custom policies that limit access to only the required services and actions, following the principle of least privilege.
Attach these new policies to users, groups, or roles as necessary.
Using AWS CLI:
Detach policies with *:* permissions from users (use detach-group-policy and detach-role-policy in the same way for groups and roles):
aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Remove or replace *:* policies with more restrictive custom policies:
Use the aws iam create-policy command to create new, restricted policies.
Attach these new policies using aws iam attach-user-policy, aws iam attach-role-policy, or aws iam attach-group-policy.
Confirm that no attached policy still carries *:* permissions. Filtering by PolicyName finds only AdministratorAccess; customer managed policies must be inspected by document (get-policy-version), as in the Test Plan:
aws iam list-policies --only-attached --scope All --query "Policies[].[PolicyName,Arn,DefaultVersionId]" --output table
Backout Plan:
Using AWS Console:
If removing the *:* policy breaks legitimate access (for example, a break-glass administrator role or an automation identity that genuinely requires it):
Go to the IAM Console.
Reattach the removed *:* policy (e.g., AdministratorAccess) to the affected IAM user, group, or role.
Modify IAM permissions to balance security with functionality as necessary, ensuring the least privilege is maintained.
Using AWS CLI:
Reattach the *:* policy if required (use attach-group-policy or attach-role-policy for groups and roles):
aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Revert any restrictive policy changes that caused access issues, then review the identity's IAM permissions so that the broad policy is replaced by a scoped one once the required actions are known.