Profile Applicability

  • Level 1

Description:

IAM (Identity and Access Management) policies define permissions for AWS users, groups, and roles, dictating what actions can be performed on AWS resources. Monitoring IAM policy changes is crucial to ensure that any modifications to these permissions are intentional, authorized, and compliant with security policies.

Changes to IAM policies, such as the creation, deletion, or modification of policies, can introduce security risks if not properly monitored. These changes can potentially grant excessive permissions or revoke critical access. Monitoring IAM policy changes ensures that any security-related adjustments are tracked and verified.

Rationale:

Unauthorized or accidental modifications to IAM policies can lead to:

  • Granting excessive permissions to users or roles, violating the principle of least privilege.

  • Allowing unauthorized access to sensitive AWS resources.

  • Violations of compliance requirements (e.g., SOC 2, HIPAA, PCI DSS).

By monitoring changes to IAM policies, organizations can maintain control over access permissions and ensure that only authorized personnel are modifying access controls.

Impact:

Failure to monitor IAM policy changes can result in:

  • Uncontrolled access to AWS resources.

  • Security breaches due to unauthorized changes to user roles or permissions.

  • Non-compliance with regulatory requirements.

Monitoring IAM policy changes allows organizations to detect unauthorized modifications and respond quickly to potential security threats.

Default Value:

By default, AWS does not automatically monitor IAM policy changes, but these changes can be captured through AWS CloudTrail and AWS Config. CloudTrail logs all IAM API calls, including changes to IAM policies, and AWS Config can track IAM configuration changes.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • iam:ListPolicies

    • cloudtrail:LookupEvents

    • config:DescribeConfigurationRecorder

  • AWS CloudTrail and AWS Config enabled across all AWS regions for monitoring policy changes

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the CloudTrail Console.

  2. Ensure that Management Events are enabled to capture changes to IAM policies (e.g., CreatePolicy, AttachRolePolicy).

  3. Go to the AWS Config Console and verify that the Configuration Recorder is active and tracking IAM policy changes.

  4. Review CloudTrail logs to ensure that IAM policy changes are captured.

Using AWS CLI:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=iam.amazonaws.com --query "Events[?EventName=='CreatePolicy' || EventName=='AttachRolePolicy' || EventName=='PutRolePolicy']" --output table

To verify if AWS Config is tracking IAM policy changes (the query is single-quoted so that the shell passes the JMESPath backticks through instead of treating them as command substitution):

aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[?recordingGroup.allSupported==`true`].{Name:name, RecordingGroup:recordingGroup}' --output table
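The review in step 4, as an added example that is not part of the original control text: applied offline to CloudTrail records, the function flags the IAM policy-change events named above and the remaining IAM policy-change API calls as well, reports who made each call and whether it succeeded, and ignores read-only IAM calls and other services' events. The records, the function name and the account id are constructed for this example.

```python
# IAM actions that create, delete or modify policies or their attachments. The page
# names CreatePolicy, AttachRolePolicy and PutRolePolicy; the rest are the remaining
# IAM policy-change API calls CloudTrail records under eventSource iam.amazonaws.com.
IAM_POLICY_CHANGE_EVENTS = frozenset({
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "SetDefaultPolicyVersion", "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy",
    "DeleteRolePolicy", "AttachUserPolicy", "DetachUserPolicy", "PutUserPolicy",
    "DeleteUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy", "PutGroupPolicy",
    "DeleteGroupPolicy",
})

def iam_policy_changes(records):
    """One finding per record that changed, or tried to change, an IAM policy: when,
    who, which action, which policy/principal, and whether the call succeeded."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # other services' events are out of scope here
        if rec.get("eventName") not in IAM_POLICY_CHANGE_EVENTS:
            continue  # read-only IAM calls such as GetPolicy are not changes
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "event": rec["eventName"],
            "policy": params.get("policyArn") or params.get("policyName"),
            "principal": params.get("roleName") or params.get("userName") or params.get("groupName"),
            "succeeded": "errorCode" not in rec,  # a denied attempt is still a finding
        })
    return findings

# Constructed sample records in the shape CloudTrail writes (the "Records" array of a
# log file); the account id and ARNs are placeholders, not real identifiers.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicy", "requestParameters": {"policyName": "AppDeployPolicy"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "AppRole",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]
```

On real data, feed it the Records array of a trail log file from the S3 bucket, or the Events returned by the lookup-events command above.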

Implementation Plan:

Using AWS Console:

  1. Verify CloudTrail logging for IAM policy changes:

    • Go to the CloudTrail Console.

    • Ensure Management Events are enabled, particularly for IAM-related events like CreatePolicy, AttachRolePolicy, or PutRolePolicy.

    • Make sure logs are stored in an S3 bucket for long-term access.

  2. Enable AWS Config to track IAM policy changes:

    • Go to the AWS Config Console.

    • Enable the Configuration Recorder and ensure that IAM policies are included in the configuration recording.

Using AWS CLI:

  1. Verify CloudTrail is logging IAM policy changes:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=iam.amazonaws.com --query "Events[?EventName=='CreatePolicy' || EventName=='AttachRolePolicy' || EventName=='PutRolePolicy']" --output table

  2. Enable AWS Config to record IAM policies and start the recorder (the recorder needs an IAM role that AWS Config can assume; replace the placeholders):

aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<config-role-arn> --recording-group '{"allSupported":false,"includeGlobalResourceTypes":false,"resourceTypes":["AWS::IAM::Policy"]}'
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

Backout Plan:

Using AWS Console:

  1. If monitoring IAM policy changes causes excessive logging or performance issues:

    • Go to the CloudTrail Console.

    • Modify Management Events settings to log fewer IAM policy events or exclude non-critical changes.

    • Optionally, adjust the frequency of event logging or exclude IAM events that are not directly related to policy changes.

  2. Modify AWS Config settings to exclude IAM policies from being tracked if they create performance or resource consumption issues.

Using AWS CLI:

  1. Temporarily disable CloudTrail logging for the trail:

aws cloudtrail stop-logging --name <trail-name>

  2. Stop AWS Config recording IAM policy changes:

aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>

  3. Re-enable monitoring once issues are resolved:

aws cloudtrail start-logging --name <trail-name>
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------|------------|---------------------------------------------------------------
CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
CIS v7              | 6.3        | Monitor Security Configurations for Compliance
CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services