Profile Applicability:
 • Level 2

Description:

Granular policy creation in AWS IAM lets administrators define precise permissions for users, groups, or roles so that only the minimum necessary actions are allowed on specific resources. Granular policies enforce the principle of least privilege by restricting access to the required services, actions, and resource ARNs, and by narrowing it further with Condition elements where the service supports them.

Rationale:

Creating granular IAM policies reduces the risk of over-permissioned identities, which are a common root cause of privilege escalation and data exposure. Fine-grained access control allows only the actions a user needs to perform their tasks, limiting the blast radius of a compromised credential and making each permission set easier to justify during compliance reviews.

Impact:

Pros:

  • Ensures least privilege by limiting access to the minimum necessary actions

  • Increases security by reducing the attack surface

  • Improves compliance with security standards by enforcing precise permissions

  • Easier to audit permissions and monitor access logs

Cons:

  • Granular policies can become complex to manage, especially at scale

  • Requires expertise in understanding the required permissions for each resource

  • May break workloads if a required action or resource is omitted; test new policies (for example with the IAM policy simulator) before attaching them broadly

Default Value:

By default, AWS supplies managed policies (for example AdministratorAccess or AmazonS3FullAccess), which are deliberately broad and typically combine service-wide action wildcards such as s3:* with Resource "*". They do not provide resource-level scoping; customer managed policies must be written manually to obtain that level of control.

Pre-requisites:

  • IAM permissions to create and manage IAM policies

  • Understanding of AWS services, their actions, and required permissions

  • A well-defined access control strategy to ensure users are only granted permissions that are necessary for their roles

  • Familiarity with AWS IAM policy structure and syntax

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Policies

  3. Review the customer managed policies (filter the list to customer managed policies) to ensure that each follows the principle of least privilege

  4. Verify that no overly permissive policies are attached to identities that do not require them, such as AdministratorAccess, service-wide wildcards (for example s3:*), or Action "*" combined with Resource "*"

  5. Check that each custom policy is scoped to the specific AWS resources (by ARN) and actions that the identity needs

  6. Review the use of resource-level permissions and Condition elements in policies to ensure precise control

Using AWS CLI:

List all customer managed policies (add --only-attached to limit the output to policies that are actually in use):

aws iam list-policies --scope Local --only-attached

Describe a specific policy and note its DefaultVersionId, which is the version currently in effect:

aws iam get-policy --policy-arn <policy-arn>

Review that policy version for the detailed permissions:

aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
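The checks in steps 3 to 6 above can be automated against the JSON that aws iam get-policy-version prints. The script below is an added example written for this page (it is not AWS or CIS code): it flags Allow statements with Action "*", service-wide wildcards (s3:*), partial wildcards, Resource "*", and NotAction/NotResource. The two policy documents and the get-policy-version output embedded in it are constructed samples so that it runs offline.

```python
"""Audit IAM policy documents for coarse permissions.

Added example for this benchmark page (not AWS or CIS code). It operates on
the PolicyVersion.Document field returned by `aws iam get-policy-version`;
the policy documents below are constructed samples for offline use.
"""
import json


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_statement(idx, stmt):
    """Return (severity, message) findings for one statement.

    Only Allow statements widen access, so Deny statements are skipped.
    """
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    if "NotAction" in stmt:
        findings.append(("HIGH", f"statement {idx}: NotAction allows every action except those listed"))
    if "NotResource" in stmt:
        findings.append(("HIGH", f"statement {idx}: NotResource applies to every resource except those listed"))
    for action in _as_list(stmt.get("Action")):
        if action == "*":
            findings.append(("HIGH", f"statement {idx}: Action '*' grants every API call"))
        elif action.endswith(":*"):
            findings.append(("HIGH", f"statement {idx}: service-wide wildcard {action}"))
        elif "*" in action or "?" in action:
            findings.append(("MEDIUM", f"statement {idx}: partial wildcard action {action}"))
    for resource in _as_list(stmt.get("Resource")):
        if resource == "*":
            findings.append(("HIGH", f"statement {idx}: Resource '*' is not scoped to any resource"))
    return findings


def audit_policy(document):
    """Audit a policy document given as a dict or a JSON string."""
    if isinstance(document, str):
        document = json.loads(document)
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        findings.extend(audit_statement(idx, stmt))
    return findings


def audit_policy_version_output(cli_output):
    """Audit the JSON printed by `aws iam get-policy-version ...`."""
    data = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    return audit_policy(data["PolicyVersion"]["Document"])


# Constructed sample 1: the granular S3 read policy from this page.
GRANULAR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed sample 2: a typical over-permissive customer managed policy.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}

# Constructed stand-in for the output of `aws iam get-policy-version`.
SAMPLE_CLI_OUTPUT = json.dumps({
    "PolicyVersion": {"Document": GRANULAR_POLICY, "VersionId": "v1", "IsDefaultVersion": True}
})


if __name__ == "__main__":
    for name, doc in (("GRANULAR_POLICY", GRANULAR_POLICY), ("BROAD_POLICY", BROAD_POLICY)):
        print(name)
        for severity, message in audit_policy(doc) or [("OK", "no coarse permissions found")]:
            print(f"  [{severity}] {message}")
```

Treat MEDIUM findings as review items rather than automatic failures: many read-only APIs (for example most ec2:Describe* calls) do not support resource-level permissions, so Resource "*" is unavoidable for them and the reviewer has to confirm that the wildcard is limited to such actions.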

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM > Policies

  3. Click Create Policy

  4. Choose the JSON editor (or use the visual editor for simpler cases)

  5. Define the Policy Name and Description

  6. In the policy document, write a JSON document that grants only the required permissions. Example of a granular S3 access policy for listing one bucket and reading its objects:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

  7. Click Create Policy

  8. Attach the policy to the appropriate users, groups, or roles (prefer attaching to groups or roles rather than to individual users)

Using AWS CLI:

  1. Create a policy JSON file (e.g., s3-granular-policy.json) for the required permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

Create the policy using the following CLI command:

aws iam create-policy --policy-name S3GranularReadOnlyPolicy --policy-document file://s3-granular-policy.json

Attach the policy to an IAM user (for groups and roles use attach-group-policy --group-name or attach-role-policy --role-name with the same --policy-arn):

aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/S3GranularReadOnlyPolicy
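Before attaching a policy it is worth checking what it does and does not allow, in particular why the S3 example needs both the bucket ARN and the object ARN. The script below is an added example for this page (not AWS code): a deliberately small model of IAM evaluation that covers implicit deny, explicit Deny overriding Allow, and the "*" and "?" wildcards in Action and Resource. It ignores Condition, NotAction, NotResource, policy variables, and resource, SCP and permission-boundary policies, so aws iam simulate-custom-policy remains the authoritative check. The policies and ARNs in it are constructed samples.

```python
"""Check what an identity policy allows before attaching it.

Added example (not AWS or CIS code): a simplified model of IAM policy
evaluation. Supported: implicit deny, explicit Deny overriding Allow,
'*' and '?' wildcards in Action and Resource. Not supported: Condition,
NotAction, NotResource, policy variables, resource/SCP/boundary policies.
"""
import fnmatch
import json


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcards: '*' matches any run of characters, '?' one character.

    Action names are matched case-insensitively; ARNs are case-sensitive.
    """
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(document, action, resource_arn):
    """Return True if the policy allows `action` on `resource_arn`."""
    doc = json.loads(document) if isinstance(document, str) else document
    allowed = False
    for stmt in _as_list(doc.get("Statement")):
        if not _matches(_as_list(stmt.get("Action")), action, case_insensitive=True):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False   # an explicit Deny always wins
        allowed = True     # keep scanning: a later Deny could still apply
    return allowed         # nothing matched: implicit deny


# Constructed sample: the policy from s3-granular-policy.json above.
GRANULAR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed sample of a common mistake: only the object ARN is listed.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed ARNs used by the checks.
BUCKET = "arn:aws:s3:::example-bucket"
OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"
OTHER_OBJECT = "arn:aws:s3:::other-bucket/reports/q1.csv"


def check_policy(policy):
    """The checks a reviewer would run before attaching the policy."""
    return {
        "list bucket": is_allowed(policy, "s3:ListBucket", BUCKET),
        "read object": is_allowed(policy, "s3:GetObject", OBJECT),
        "write object": is_allowed(policy, "s3:PutObject", OBJECT),
        "read other bucket": is_allowed(policy, "s3:GetObject", OTHER_OBJECT),
    }


if __name__ == "__main__":
    for name, policy in (("GRANULAR_POLICY", GRANULAR_POLICY),
                         ("OBJECTS_ONLY_POLICY", OBJECTS_ONLY_POLICY)):
        print(name)
        for check, result in check_policy(policy).items():
            print(f"  {check}: {'allowed' if result else 'denied'}")
```

In real IAM, s3:ListBucket is evaluated against the bucket ARN while s3:GetObject is evaluated against the object ARN, which is why the granular policy lists both; the OBJECTS_ONLY_POLICY check shows that dropping the bucket ARN silently breaks listing while object reads keep working.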

Backout Plan:

Using AWS Console:

  1. Navigate to IAM > Policies

  2. Select the custom granular policy to delete or modify

  3. Click Delete (a policy can only be deleted after it has been detached from every user, group, and role) or edit the policy if it is too restrictive

  4. Reassign policies if necessary, and review the IAM users, groups, and roles that were affected

Using AWS CLI:

Detach the policy from the user (or use detach-group-policy / detach-role-policy for groups and roles):

aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/S3GranularReadOnlyPolicy

Delete the policy (the command fails with a DeleteConflict error while the policy is still attached to any entity or has non-default versions; detach it everywhere and remove old versions with aws iam delete-policy-version first):

aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/S3GranularReadOnlyPolicy

References: