v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 1 IAM policies should not allow full '*' administrative privileges

Description

This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has "Effect": "Allow" with "Action": "" over "Resource": "".

It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as "S3:*".

It does not check for inline and AWS managed policies.

Remediation

  1. Open the IAM console.
  2. Choose Policies.
  3. Choose the radio button next to the policy to remove.
  4. From Policy actions, choose Detach.
  5. On the Detach policy page, choose the radio button next to each user to detach the policy from and then choose Detach policy.
  6. Confirm that the user that you detached the policy from can still access AWS services and resources as expected.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_iam_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_iam_1 --share

SQL

This control uses a named query:

iam_policy_custom_attached_no_star_star

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_access_management
foundational_security_item_id = iam_1
plugin = aws
service = AWS/IAM