Profile Applicability:

  • Level 1

Description:
Ensure that permissions granted to IAM users, roles, and Aurora database accounts follow the principle of least privilege: each identity is allowed only the minimum access required to perform its necessary functions.

Rationale:
Applying least privilege limits the potential damage caused by accidental or malicious actions. It reduces the attack surface and helps maintain strong access control practices, both in IAM and within the database.

Impact:
Careful permission scoping requires additional administrative effort, but it significantly improves security by avoiding overly permissive access.

Default Value:
By default, IAM users and database users may be granted broad privileges unless explicitly restricted.

Pre-requisites:

  • IAM access with permissions to view users, roles, and policies

  • Access to the Aurora database for reviewing user privileges

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Users and Roles

  3. Review attached policies for each IAM identity

  4. Verify permissions are scoped to specific services and actions

  5. Connect to the Aurora DB via MySQL/PostgreSQL client

  6. Run SHOW GRANTS FOR '<username>'@'<host>'; (MySQL-compatible syntax; on PostgreSQL-compatible clusters, inspect role grants through the equivalent catalog queries) and confirm only required privileges are granted

Using AWS CLI:

  1. List all IAM users

     aws iam list-users


  2. List all IAM roles

     aws iam list-roles


  3. List attached policies for a user

     aws iam list-attached-user-policies --user-name <username>


  4. List attached policies for a role

     aws iam list-attached-role-policies --role-name <rolename>


  5. Review policy contents

     aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
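As an added example (not part of this benchmark), the following Python check applies the step 5 review to policy documents of the shape returned by `aws iam get-policy-version --query PolicyVersion.Document`, flagging the Allow statements that violate least privilege. The three policy documents are constructed samples, not real account data.

```python
# Constructed sample policy documents, shaped like the output of
# `aws iam get-policy-version --query PolicyVersion.Document`; not real account data.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "rds:*",
                  "Resource": "arn:aws:rds:us-east-1:111122223333:cluster:example-cluster"},
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["rds:DescribeDBClusters", "rds-db:connect"],
         "Resource": "arn:aws:rds-db:us-east-1:111122223333:dbuser:cluster-EXAMPLE/app_reader"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},  # a Deny wildcard is not a finding
    ],
}


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy):
    """Return human-readable findings for Allow statements that grant a
    wildcard action ('*'), a whole-service wildcard ('rds:*'), a NotAction
    (everything except the listed actions), or a wildcard resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: Allow with NotAction grants all other actions")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource '*'")
    return findings


def is_least_privilege(policy):
    """True when no Allow statement in the document is over-broad."""
    return not find_broad_statements(policy)
```

Feed each document obtained in step 5 to `find_broad_statements`; an empty result means the policy passes this check, and any finding names the statement to tighten.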


Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Go to IAM > Users or IAM > Roles

  3. Click the target user or role

  4. Remove broad policies like AdministratorAccess

  5. Attach fine-grained, least privilege policies (e.g., AmazonRDSReadOnlyAccess)

  6. Log into the Aurora database

  7. Create a new database user if needed

  8. Grant only required privileges using SQL:

     GRANT SELECT, INSERT ON <database>.* TO '<username>'@'<host>';

Using AWS CLI:

  1. Detach broad policy

     aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess


  2. Attach least privilege policy

     aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess


  3. Log in to the Aurora database and run:

     CREATE USER '<username>'@'<host>' IDENTIFIED BY '<password>';
     GRANT SELECT, INSERT ON <database>.* TO '<username>'@'<host>';


Backout Plan

Using AWS Console:

  1. Navigate to IAM > Users or Roles

  2. Remove least privilege policy

  3. Re-attach the previously used policy (if required)

  4. Connect to the database

  5. Revoke restricted privileges or drop the user

Using AWS CLI:

  1. Detach least privilege policy

     aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess


  2. Re-attach old policy

     aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess


  3. Revoke or drop the user in Aurora:

     REVOKE ALL PRIVILEGES ON <database>.* FROM '<username>'@'<host>';
     DROP USER '<username>'@'<host>';


References: