Profile Applicability:
 • Level 2

Description:

Creating AWS IAM policies allows administrators to define fine-grained permissions for AWS services and resources. Policies should be crafted to grant least-privilege access, restricting permissions to what the job function of each user, group, or role actually requires.

Rationale:

Custom IAM policies help improve security by restricting access to only the required resources. By creating policies that enforce the principle of least privilege, organizations can minimize the risk of unauthorized access, privilege escalation, and potential misuse of AWS services.

Impact:

Pros:

  • Enforces the principle of least privilege

  • Enhances security by restricting unnecessary permissions

  • Custom policies provide precise access control over AWS services and resources

Cons:

  • Complex policies may result in misconfigurations that could break services

  • Requires expertise to write policies and maintain them as the environment evolves

  • Increased overhead to ensure policies are kept up to date

Default Value:

AWS does not automatically create custom IAM policies; predefined AWS-managed policies are provided, but custom policies must be created manually.

Pre-requisites:

  • IAM permissions to create and manage IAM policies (e.g., iam:CreatePolicy)

  • Knowledge of AWS services and their corresponding permissions

  • Organizational approval for custom policies if applicable

  • Defined access control strategies and role definitions

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Policies

  3. Verify that the required custom IAM policies exist

  4. Review the policy document for compliance with least privilege

  5. Confirm the policy is correctly attached to the required users, roles, or groups

Using AWS CLI:

  1. List existing customer-managed IAM policies (the Local scope excludes AWS-managed policies):

     aws iam list-policies --scope Local
  2. Get the policy document for review:

     aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
  3. List attached entities:

     aws iam list-entities-for-policy --policy-arn <policy-arn>

Implementation Plan:

Using AWS Console:

  1. Go to IAM > Policies

  2. Click Create Policy

  3. Choose the JSON tab and define the policy document

  4. Review and validate permissions

  5. Name the policy clearly (e.g., S3ReadOnlyAccessPolicy)

  6. Create the policy and attach it to the appropriate users, groups, or roles

Using AWS CLI:

  1. Save the policy JSON to a file named policy.json. Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
  2. Create the IAM policy:

     aws iam create-policy --policy-name S3ReadOnlyAccessPolicy --policy-document file://policy.json
  3. Attach the policy to a user, group, or role (for groups and roles use attach-group-policy or attach-role-policy instead):

     aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/S3ReadOnlyAccessPolicy
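The following is an added example, not part of the original benchmark text: a small Python helper that builds the S3 read-only policy document shown above for a given bucket, reviews a policy document for the patterns that most commonly violate least privilege (step 4 of the Test Plan), and only then writes policy.json for step 2 of the Implementation Plan. The audit rules (wildcard Action or Resource, NotAction/NotResource in an Allow statement, a missing or outdated Version) are assumptions chosen for this example, not checks defined by the page; the overly broad policy used for comparison is constructed here.

```python
import json
from typing import Any


def build_s3_read_only_policy(bucket: str) -> dict[str, Any]:
    """Return the least-privilege read-only document from the page for one bucket.

    s3:ListBucket is a bucket-level action, so it needs the bucket ARN;
    s3:GetObject is object-level, so it needs the /* object ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            }
        ],
    }


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(doc: dict[str, Any]) -> list[str]:
    """Return findings that indicate the document grants more than least privilege.

    Heuristic checks assumed for this example: an empty list means no finding.
    """
    findings: list[str] = []
    # Without a Version element IAM assumes 2008-10-17, which lacks policy variables.
    if doc.get("Version") != "2012-10-17":
        findings.append("Version is missing or not 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' grants every action in the service")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' applies to every resource")
    return findings


def write_policy_file(doc: dict[str, Any], path: str = "policy.json") -> bool:
    """Write the document for `aws iam create-policy` only if the audit is clean."""
    if audit_policy(doc):
        return False
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return True


if __name__ == "__main__":
    # Constructed for comparison: a policy a reviewer would reject in step 4.
    too_broad = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }
    for finding in audit_policy(too_broad):
        print("FINDING:", finding)

    scoped = build_s3_read_only_policy("my-bucket")
    if write_policy_file(scoped):
        print("policy.json written; next run:")
        print("  aws iam create-policy --policy-name S3ReadOnlyAccessPolicy "
              "--policy-document file://policy.json")
```

The same audit_policy function can be pointed at the output of `aws iam get-policy-version` from the Test Plan (the document is under the PolicyVersion.Document key of that response) to review existing customer-managed policies with the same rules.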

Backout Plan:

Using AWS Console:

  1. Navigate to IAM > Policies

  2. Search for the custom policy by name

  3. Detach the policy from all users, roles, or groups

  4. Delete the policy from the system

Using AWS CLI:

  1. Detach the policy from a user (for groups and roles use detach-group-policy or detach-role-policy instead):

     aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/S3ReadOnlyAccessPolicy
  2. Delete the policy (all non-default policy versions must be deleted first and no entities may remain attached):

     aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/S3ReadOnlyAccessPolicy

References: