IAM policies that allow full administrative privileges are created
Description
IAM policies are the means by which privileges are granted to users, groups, and roles. Standard security practice is to grant least privilege, that is, only the permissions required to perform a task. A policy that grants full administrative privileges (every action on every resource) exposes every resource in the account to any principal the policy is attached to, and to anyone who compromises that principal's credentials.
We recommend:
- You determine what users need to do, then craft policies allowing them to perform only those tasks.
- You do not allow all users full administrative privileges.
- You start with a minimum set of permissions and grant additional permissions as necessary.
- IAM policies that have a statement with "Effect": "Allow" and "Action": "*" over "Resource": "*" are removed or rewritten. Note that the AWS managed policy AdministratorAccess is exactly this statement, so it should be attached only to the small set of break-glass principals that genuinely need it.
Fix - Runtime
AWS Console
To detach the policy that has full administrative privileges, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- In the navigation pane, click Policies and then search for the policy name found in the audit step.
- Select the policy to be detached.
- In the Policy Action menu, select Detach.
- Select all Users, Groups, and Roles that have this policy attached.
- Click Detach Policy.
- Once the policy has no remaining attachments, it can be deleted from the same Policy Action menu if it is no longer needed.
CLI Command
To detach the policy that has full administrative privileges as found in the audit step, use the following commands. Run the list command first: a detach call for an entity the policy is not attached to fails with NoSuchEntity, and only entities returned by the list need to be handled.
- Lists all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
- Detach the policy from all IAM Users.
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
- Detach the policy from all IAM Groups.
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
- Detach the policy from all IAM Roles.
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
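The following is an added example, not code from this page, from Bridgecrew or from AWS. It implements the two steps the Description and the CLI fix describe: first the audit check (does a policy document contain a statement with "Effect": "Allow", "Action": "*" over "Resource": "*"?), then turning the response of `aws iam list-entities-for-policy` into the three detach commands above. All policy documents and the entities response are constructed inline so it runs offline; the policy ARN and the user, group and role names are made up for illustration.

```python
"""Audit IAM policy documents for full-administrative statements and emit the
detach commands from the runtime fix.

Added example, not Bridgecrew or AWS code. Runs offline on constructed input;
the live equivalents are boto3's iam.get_policy_version(...)['PolicyVersion']
['Document'] for the policy document and iam.list_entities_for_policy(...)
for the attachments.
"""
import json
import shlex


def _as_list(value):
    """IAM allows Action, Resource and Statement to be a string/dict or a list;
    normalise to a list so the check below does not have to special-case it."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_admin_statements(policy_document):
    """Return the statements that grant Effect Allow with Action "*" over
    Resource "*", i.e. the pattern the Description says must be removed.

    policy_document may be a JSON string or an already-parsed dict.
    Caveat: NotAction/NotResource inversions and service-wide wildcards such
    as "iam:*" are not flagged here; they are broad but not the "*"/"*"
    pattern this check is about.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny of "*" is fine
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            hits.append(stmt)
    return hits


def detach_commands(policy_arn, entities):
    """Map a list-entities-for-policy response (PolicyUsers / PolicyGroups /
    PolicyRoles lists of {UserName|GroupName|RoleName: ...}) to the
    detach-user-policy / detach-group-policy / detach-role-policy commands."""
    cmds = []
    for key, name_key, kind in (("PolicyUsers", "UserName", "user"),
                                ("PolicyGroups", "GroupName", "group"),
                                ("PolicyRoles", "RoleName", "role")):
        for entity in entities.get(key, []):
            cmds.append(
                f"aws iam detach-{kind}-policy --{kind}-name "
                f"{shlex.quote(entity[name_key])} --policy-arn {shlex.quote(policy_arn)}"
            )
    return cmds


# Constructed sample inputs (not real account data).
FULL_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Same thing hidden in list form alongside a narrower action.
FULL_ADMIN_LIST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": ["*"]}],
}
# Deny "*" on "*" is not a grant and must not be flagged.
DENY_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}
# The scoped S3 policy from the buildtime fix above: passes.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket*", "s3:HeadBucket", "s3:Get*"],
         "Resource": ["arn:aws:s3:::b1", "arn:aws:s3:::b1/*",
                      "arn:aws:s3:::b2", "arn:aws:s3:::b2/*"]},
        {"Effect": "Allow", "Action": "s3:PutObject*", "Resource": "arn:aws:s3:::b1/*"},
    ],
}
# Shape of `aws iam list-entities-for-policy` output; names and ARN are made up.
SAMPLE_POLICY_ARN = "arn:aws:iam::123456789012:policy/full-admin"
SAMPLE_ENTITIES = {
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLE1"}],
    "PolicyGroups": [{"GroupName": "developers", "GroupId": "AGPAEXAMPLE1"}],
    "PolicyRoles": [{"RoleName": "ci-deploy", "RoleId": "AROAEXAMPLE1"}],
}

if __name__ == "__main__":
    for name, doc in (("full-admin", FULL_ADMIN), ("full-admin-list", FULL_ADMIN_LIST),
                      ("deny-all", DENY_ALL), ("scoped-s3", SCOPED)):
        print(name, "FAIL" if full_admin_statements(doc) else "PASS")
    print("\n".join(detach_commands(SAMPLE_POLICY_ARN, SAMPLE_ENTITIES)))
```

Run the check against every version of a customer managed policy you audit, not just the default one: a rolled-back or older version can still be set as default later. The detach commands are printed rather than executed so they can be reviewed before being run.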
Fix - Buildtime
Terraform
Resource: aws_iam_policy
# Passing example: actions are limited to S3 read operations plus PutObject,
# and resources are limited to two named buckets. No "*" action or resource.
resource "aws_iam_policy" "pass1" {
  name   = "pass1"
  path   = "/"
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket*",
        "s3:HeadBucket",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::b1",
        "arn:aws:s3:::b1/*",
        "arn:aws:s3:::b2",
        "arn:aws:s3:::b2/*"
      ],
      "Sid": ""
    },
    {
      "Action": "s3:PutObject*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::b1/*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}