Control: 1.15 Ensure RAM policies that allow full "*:*" administrative privileges are not created
Description
RAM policies represent permissions that can be granted to users, groups, or roles. It is recommended, and considered standard security advice, to grant least privilege—that is, to grant only the permissions required to perform tasks. Determine what users need to do and then create policies with permissions that fit only those tasks, instead of allowing full administrative privileges.
Remediation
Perform the following to detach the policy that has full administrative privileges and remove it:
Using the management console:
- Log on to the RAM console.
- Choose Permissions > Policies.
- From the Policy Type drop-down list, select Custom Policy.
- In the Policy Name column, click the name of the target policy.
- In the Policy Document section, check whether the policy has a statement that includes "Effect": "Allow", "Action": "*" (or "*:*"), and "Resource": "*".
- If it does not, skip this section.
- If it does, edit the policy to remove such a statement, or remove the policy from any RAM users, user groups, or roles that have this policy attached.
- To edit the policy:
  - On the Policy Document tab, click Modify Policy Document.
  - Remove the entire Statement element that grants "Action": "*" (or "*:*") on "Resource": "*", or modify it to the least privileges required.
  - Click OK.
- To remove all references from the policy:
  - Go to the References tab and review whether there is any reference to the custom policy.
  - For each reference, click Revoke Permission.
Using the CLI:
- Run the following command to list all RAM users, groups, and roles to which the specified policy (i.e. policy with .) is attached:
aliyun ram ListEntitiesForPolicy --PolicyName <policy_name> --PolicyType Custom
- Run the following command to detach the policy from all RAM users:
aliyun ram DetachPolicyFromUser --PolicyName <policy_name> --PolicyType Custom --UserName <ram_user>
- Run the following command to detach the policy from all RAM user groups:
aliyun ram DetachPolicyFromGroup --PolicyName <policy_name> --PolicyType Custom --GroupName <ram_group>
- Run the following command to detach the policy from all RAM roles:
aliyun ram DetachPolicyFromRole --PolicyName <policy_name> --PolicyType Custom --RoleName <ram_role>
Default Value:
By default, no custom policy is created.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v200_1_15
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v200_1_15 --share
SQL
This control uses a named query:
with policy_statements as (
  select
    p.account_id,
    p.policy_name,
    jsonb_array_elements(coalesce(p.policy_document_std -> 'Statement', '[]'::jsonb)) as statement
  from
    alicloud_ram_policy as p
),
wildcard_policies as (
  select
    account_id,
    policy_name
  from
    policy_statements
  where
    lower(coalesce(statement ->> 'Effect', '')) = 'allow'
    and (
      (jsonb_typeof(statement -> 'Action') = 'array' and (statement -> 'Action') ?| array['*', '*:*'])
      or (jsonb_typeof(statement -> 'Action') = 'string' and statement ->> 'Action' in ('*', '*:*'))
    )
    and (
      (jsonb_typeof(statement -> 'Resource') = 'array' and (statement -> 'Resource') ? '*')
      or (jsonb_typeof(statement -> 'Resource') = 'string' and statement ->> 'Resource' = '*')
    )
)
select
  'acs:ram::' || p.account_id || ':policy/' || p.policy_name as resource,
  case
    when w.policy_name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when w.policy_name is null then p.policy_name || ' does not allow full administrative privileges.'
    else p.policy_name || ' allows all actions on all resources.'
  end as reason,
  p.account_id as account_id
from
  alicloud_ram_policy as p
  left join wildcard_policies as w on p.account_id = w.account_id and p.policy_name = w.policy_name;
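The same detection logic the query applies, written here as an added stand-alone Python check (not part of the Powerpipe mod or the Alibaba Cloud tooling) so it can be run against a raw policy document before the policy is ever created; the account ID and policy names are constructed placeholders, and the lone-statement-object case is a generalisation beyond the query.

```python
import json

WILDCARD_ACTIONS = {"*", "*:*"}

def _as_list(value):
    """Normalise a policy element that may be a string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statement_grants_full_admin(stmt):
    """True when a single statement allows every action on every resource.

    Mirrors the control's query: Effect is compared case-insensitively,
    Action may be "*" or "*:*", and Resource must contain "*".
    """
    if str(stmt.get("Effect", "")).lower() != "allow":
        return False
    actions = {str(a) for a in _as_list(stmt.get("Action"))}
    resources = {str(r) for r in _as_list(stmt.get("Resource"))}
    return bool(actions & WILDCARD_ACTIONS) and "*" in resources

def evaluate_policy(account_id, policy_name, policy_document):
    """Return a (resource, status, reason) row shaped like the control's output."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement") or []
    if isinstance(statements, dict):  # a lone statement object rather than a list (generalisation)
        statements = [statements]
    resource = f"acs:ram::{account_id}:policy/{policy_name}"
    if any(statement_grants_full_admin(s) for s in statements):
        return resource, "alarm", f"{policy_name} allows all actions on all resources."
    return resource, "ok", f"{policy_name} does not allow full administrative privileges."

# Constructed sample policies; the account ID and names are placeholders.
SAMPLE_POLICIES = {
    "FullAdmin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "FullAdminColon": {"Statement": [{"Effect": "allow", "Action": ["ecs:Describe*", "*:*"], "Resource": ["*"]}]},
    "DenyAll": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
    "OssReadOnly": {"Statement": [{"Effect": "Allow", "Action": ["oss:Get*", "oss:List*"], "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, doc in SAMPLE_POLICIES.items():
        print(evaluate_policy("123456789012", name, doc))
```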