Control: 1 IAM policies should not allow full '*' administrative privileges
Description
This control checks whether the default version of AWS Identity and Access Management policies (also known as customer managed policies) do not have administrator access with a statement that has "Effect": "Allow" with "Action": "" over "Resource": "".
It only checks for the customer managed policies that you created, but does not check for full access to individual services, such as "S3:*".
It does not check for inline and AWS managed policies.
Remediation
- Open the IAM console.
- Choose Policies.
- Choose the radio button next to the policy to remove.
- From Policy actions, choose Detach.
- On the Detach policy page, choose the radio button next to each user to detach the policy from and then choose Detach policy.
- Confirm that the user that you detached the policy from can still access AWS services and resources as expected.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_iam_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_iam_1 --shareSQL
This control uses a named query:
-- This query checks the customer managed policies having * access and attached to IAM resource(s)with star_access_policies as ( select arn, count(*) as num_bad_statements from aws_iam_policy, jsonb_array_elements(policy_std -> 'Statement') as s, jsonb_array_elements_text(s -> 'Resource') as resource, jsonb_array_elements_text(s -> 'Action') as action where not is_aws_managed and s ->> 'Effect' = 'Allow' and resource = '*' and ( (action = '*' or action = '*:*' ) ) and is_attached group by arn)select p.arn as resource, case when s.arn is null then 'ok' else 'alarm' end status, p.name || ' contains ' || coalesce(s.num_bad_statements,0) || ' statements that allow action "*" on resource "*".' as reason , p.account_idfrom aws_iam_policy as p left join star_access_policies as s on p.arn = s.arnwhere not p.is_aws_managed;