Control: Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Description
IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_policy_all_attached_no_star_star
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.iam_policy_all_attached_no_star_star --share
SQL
This control uses a named query:
with star_access_policies as ( select arn, is_aws_managed, count(*) as num_bad_statements from aws_iam_policy, jsonb_array_elements(policy_std -> 'Statement') as s, jsonb_array_elements_text(s -> 'Resource') as resource, jsonb_array_elements_text(s -> 'Action') as action where s ->> 'Effect' = 'Allow' and resource = '*' and ( (action = '*' or action = '*:*' ) ) and is_attached group by arn, is_aws_managed)select p.arn as resource, case when s.arn is not null and s.is_aws_managed then 'info' when s.arn is null then 'ok' else 'alarm' end status, case when s.arn is not null and s.is_aws_managed then p.name || ' is an AWS managed policy with ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' else p.name || ' contains ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' end as reason , p.account_idfrom aws_iam_policy as p left join star_access_policies as s on p.arn = s.arnwhere p.is_attached;