Skip to content

Excessive permissions are granted for IAM users

Description

When creating and changing IAM policies in AWS, we recommend you follow the principle of least privilege (POLP). This security principle focuses on granting only the permissions required to perform a task. Practicing this principle requires developers to determine what users (and roles) will need to do, and then to build IAM policy documents that allow only those tasks.

To ensure only required privileges are entitled to existing IAM entities, Prowler:

  • Pulls data from AWS Access Advisor including information about the actions last accessed for services defined in the policy.
  • Compares service-level permission grants with the permissions that each user/role/group or policy has actually used during the past 90 days.

For example, if a role was attached to a policy, and that policy does not use all of that role's permissions, then we recommend you revoke the role.

When you click on an insight and select an IAM entity it shows a color- and symbol-coded list of permissions. This list indicates how the member's permissions will change if you apply the recommendation.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. In the navigation pane, choose Users.
  4. Choose the name of the user whose permissions boundary you want to remove.
  5. Choose the Permissions tab.
  6. If you want to revoke permissions by removing an existing policy, view the Policy type to understand how the user is getting that policy before choosing X to remove the policy.

CLI Command

To detach a managed policy from a user identity use one of the following command:
aws iam detach-user-policy

Fix - Buildtime

Terraform

  • Resource:aws_iam_user_policy
  • Argument: policy 
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
-      "Resource": "*"
    }
  ]
}
EOF
}

CloudFormation

  • Resource: AWS::IAM::User
  • Argument: Policies - Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see Declaring an IAM User Resource. 
Type: AWS::IAM::User
Properties: 
  Groups: 
    - String
  LoginProfile: 
    LoginProfile
  ManagedPolicyArns: 
    - String
  Path: String
  PermissionsBoundary: String
  Policies: 
    - Policy
  Tags: 
    - Tag
  UserName: String