Control: 2.15 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Description
IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do, and then craft policies for them that allow the users to perform only those tasks, instead of granting full administrative privileges.
Remediation
From Console:
Perform the following to detach the policy that has full administrative privileges:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Policies and then search for the policy name found in the audit step.
- Select the policy that needs to be deleted.
- In the policy action menu, select
Detach
. - Select all Users, Groups, Roles that have this policy attached.
- Click
Detach Policy
. - Select the newly detached policy and select
Delete
.
From Command Line:
Perform the following to detach the policy that has full administrative privileges as found in the audit step:
- Lists all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
- Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
- Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
- Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
Default Value:
By default, AWS allows the creation and attachment of IAM policies that grant full administrative privileges (i.e., "Effect": "Allow", "Action": "", "Resource": ""). No restriction exists unless enforced through organizational policy or service control policies (SCPs).
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_2_15
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v600_2_15 --share
SQL
This control uses a named query:
with star_access_policies as ( select arn, is_aws_managed, count(*) as num_bad_statements from aws_iam_policy, jsonb_array_elements(policy_std -> 'Statement') as s, jsonb_array_elements_text(s -> 'Resource') as resource, jsonb_array_elements_text(s -> 'Action') as action where s ->> 'Effect' = 'Allow' and resource = '*' and ( (action = '*' or action = '*:*' ) ) and is_attached group by arn, is_aws_managed)select p.arn as resource, case when s.arn is not null and s.is_aws_managed then 'info' when s.arn is null then 'ok' else 'alarm' end status, case when s.arn is not null and s.is_aws_managed then p.name || ' is an AWS managed policy with ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' else p.name || ' contains ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' end as reason , p.account_idfrom aws_iam_policy as p left join star_access_policies as s on p.arn = s.arnwhere p.is_attached;