Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 2.15 Ensure IAM policies that allow full "*:*" administrative privileges are not attached

Description

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do, and then craft policies for them that allow the users to perform only those tasks, instead of granting full administrative privileges.

Remediation

From Console:

Perform the following to detach the policy that has full administrative privileges:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy that needs to be deleted.
  4. In the policy action menu, select Detach.
  5. Select all Users, Groups, Roles that have this policy attached.
  6. Click Detach Policy.
  7. Select the newly detached policy and select Delete.

From Command Line:

Perform the following to detach the policy that has full administrative privileges as found in the audit step:

  1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
  1. Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
  1. Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
  1. Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>

Default Value:

By default, AWS allows the creation and attachment of IAM policies that grant full administrative privileges (i.e., "Effect": "Allow", "Action": "", "Resource": ""). No restriction exists unless enforced through organizational policy or service control policies (SCPs).

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_2_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_15 --share

SQL

This control uses a named query:

with star_access_policies as (
  select
    arn,
    is_aws_managed,
    count(*) as num_bad_statements
  from
    aws_iam_policy,
    jsonb_array_elements(policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Resource') as resource,
    jsonb_array_elements_text(s -> 'Action') as action
  where
    s ->> 'Effect' = 'Allow'
    and resource = '*'
    and (
      (action = '*'
      or action = '*:*'
      )
    )
    and is_attached
  group by
    arn,
    is_aws_managed
)
select
  p.arn as resource,
  case
    when s.arn is not null and s.is_aws_managed then 'info'
    when s.arn is null then 'ok'
    else 'alarm'
  end status,
  case
    when s.arn is not null and s.is_aws_managed then p.name || ' is an AWS managed policy with ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
    else p.name || ' contains ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
  end as reason
  
  , p.account_id
from
  aws_iam_policy as p
  left join star_access_policies as s on p.arn = s.arn
where
  p.is_attached;

Tags

category = Compliance
cis = true
cis_item_id = 2.15
cis_level = 1
cis_section_id = 2
cis_type = automated
cis_version = v6.0.0
plugin = aws
service = AWS/IAM