Profile Applicability:
Level 1


Description:
This control ensures that IAM users, groups, or roles do not have AWS-managed policies granting full administrative privileges such as "Action": "*" and "Resource": "*". Policies like AdministratorAccess and similar full-access policies give unrestricted control over all AWS resources, increasing the risk of accidental misconfigurations, privilege escalation, or malicious activity if credentials are compromised.


Rationale:
Limiting administrative privileges is a key principle of least privilege access. Attaching overly permissive AWS-managed policies like AdministratorAccess bypasses granular security controls, making it easier for attackers to exploit accounts or modify critical configurations. Restricting such privileges and instead using custom, scoped-down IAM policies reduces security exposure and helps meet compliance standards such as CIS, SOC 2, ISO 27001, and NIST 800-53.


Impact:
Positive Impact: Enforces least privilege by preventing excessive access, thereby reducing the risk of privilege misuse or unauthorized changes across AWS accounts.
Negative Impact: May require creating and maintaining custom IAM policies to replace AWS-managed full-access policies.


Default Value:
By default, AWS does not attach any AWS-managed full administrative policies to IAM entities; such attachments must be done manually by administrators.


Pre-Requisite:

  • IAM permissions required: iam:ListAttachedUserPolicies, iam:ListAttachedRolePolicies, and iam:ListAttachedGroupPolicies.

  • Awareness of business roles that genuinely require administrative privileges.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM → Users, Groups, and Roles.

  3. For each entity, review the Permissions policies section.

  4. Check for attached AWS-managed policies such as:

    • AdministratorAccess

    • PowerUserAccess

    • Any other policy granting "Action": "*" on "Resource": "*".

  5. If any of these are attached to non-admin or service roles, the configuration is non-compliant.

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM → Users, Groups, or Roles.

  2. Select the entity with the attached AWS-managed full-access policy (e.g., AdministratorAccess).

  3. Under the Permissions tab, choose Detach policy for AdministratorAccess.

  4. Create or attach a custom policy with scoped permissions that align with the entity’s job or system function.

  5. Save changes and verify that only required permissions are granted.
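The console steps in the Test Plan and step 4 of the Implementation Plan can both be exercised with a small audit script. The following is an added example, not part of the benchmark text or any AWS tooling: it flags attached policies that grant "Action": "*" on "Resource": "*" (or that carry one of the names the control lists), and shows a scoped-down replacement policy passing the same check. All policy documents, entity names, bucket ARNs and attachments are constructed sample data; the boto3 calls mentioned in comments are where real data would come from and are not executed here.

```python
from typing import Dict, List, Tuple

# Policy names the control calls out. PowerUserAccess is written with NotAction
# rather than Action "*", so it is matched by name, not by document shape.
FULL_ACCESS_POLICY_NAMES = {"AdministratorAccess", "PowerUserAccess"}

# Constructed sample policy documents, shaped like the "Document" field that
# iam:GetPolicyVersion returns for a managed policy's default version.
SAMPLE_POLICY_DOCUMENTS: Dict[str, dict] = {
    "AdministratorAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    # Same grant in list form; IAM accepts scalar or list values for these fields.
    "CustomUnrestricted": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
    },
    # An explicit Deny of everything grants nothing and must not be flagged.
    "DenyEverything": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
    },
    # The kind of scoped-down replacement step 4 of the Implementation Plan asks
    # for (hypothetical bucket name).
    "AppBucketReadOnly": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-bucket",
                "arn:aws:s3:::example-app-bucket/*",
            ],
        }],
    },
}

# Constructed entity -> attached managed policy names. In a live audit these come
# from iam.list_attached_user_policies / list_attached_role_policies /
# list_attached_group_policies (the permissions listed under Pre-Requisite).
SAMPLE_ATTACHMENTS: Dict[str, List[str]] = {
    "user/alice": ["AdministratorAccess"],
    "role/app-role": ["CustomUnrestricted", "AppBucketReadOnly"],
    "group/developers": ["AppBucketReadOnly", "DenyEverything"],
    "role/ops-power": ["PowerUserAccess"],
}


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_document: dict) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*"."""
    for statement in _as_list(policy_document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if "*" in actions and "*" in resources:
            return True
    return False


def find_noncompliant(attachments: Dict[str, List[str]],
                      documents: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (entity, policy name) pairs that violate the control, matched either
    by one of the named full-access policies or by document shape. Live wiring
    (not run here): iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"],
    then iam.get_policy_version(PolicyArn=arn, VersionId=vid)["PolicyVersion"]["Document"]."""
    findings: List[Tuple[str, str]] = []
    for entity, policy_names in attachments.items():
        for name in policy_names:
            document = documents.get(name, {})
            if name in FULL_ACCESS_POLICY_NAMES or grants_full_admin(document):
                findings.append((entity, name))
    return findings


if __name__ == "__main__":
    for entity, policy in find_noncompliant(SAMPLE_ATTACHMENTS, SAMPLE_POLICY_DOCUMENTS):
        print(f"NON-COMPLIANT: {entity} has {policy} attached")
```

The document-shape check catches full-access grants regardless of policy name (a customer-managed copy of AdministratorAccess is flagged just like the AWS-managed one), while the name list covers PowerUserAccess, whose NotAction form the shape check would miss. The sample AppBucketReadOnly policy passes the check, which is the state step 5 of the Implementation Plan asks you to verify after the replacement.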

Backout Plan:

  1. If access issues occur after removing full-access policies, temporarily reattach the policy to restore service functionality.

  2. Review the required permissions and reapply a properly scoped custom policy to avoid long-term dependency on full-access permissions.

References: