turbot/steampipe-mod-aws-compliance

Control: Ensure IAM policies that allow full "*:*" administrative privileges are not attached

Description

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_policy_all_attached_no_star_star

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_policy_all_attached_no_star_star --share

SQL

This control uses a named query:

with star_access_policies as (
select
arn,
is_aws_managed,
count(*) as num_bad_statements
from
aws_iam_policy,
jsonb_array_elements(policy_std -> 'Statement') as s,
jsonb_array_elements_text(s -> 'Resource') as resource,
jsonb_array_elements_text(s -> 'Action') as action
where
s ->> 'Effect' = 'Allow'
and resource = '*'
and (
(action = '*'
or action = '*:*'
)
)
and is_attached
group by
arn,
is_aws_managed
)
select
p.arn as resource,
case
when s.arn is not null and s.is_aws_managed then 'info'
when s.arn is null then 'ok'
else 'alarm'
end status,
case
when s.arn is not null and s.is_aws_managed then p.name || ' is an AWS managed policy with ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
else p.name || ' contains ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
end as reason
, p.account_id
from
aws_iam_policy as p
left join star_access_policies as s on p.arn = s.arn
where
p.is_attached;

Tags