Skip to content

Excessive permissions are granted for IAM roles

Description

When creating and changing IAM policies in AWS, we recommend you follow the principle of least privilege (POLP). This security principle focuses on granting only the permissions required to perform a task. Practicing this principle requires developers to determine what roles (and users) will need to do, and then to build IAM policy documents that allow only those tasks.

To ensure only required privileges are entitled to existing IAM entities, Prowler:

  • Pulls data from AWS Access Advisor including information about the actions last accessed for services defined in the policy.
  • Compares service-level permission grants with the permissions that each user/role/group or policy has actually used during the past 90 days.

For example, if a role was attached to a policy, and that policy does not use all of that role's permissions, then we recommend you revoke the role.

When you click on an insight and select an IAM entity it shows a color- and symbol-coded list of permissions. This list indicates how the member's permissions will change if you apply the recommendation.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. In the navigation pane, choose Roles.
  4. In the list of roles in your account, choose the name of the role that you want to modify.
  5. Choose the Trust relationships tab, and then choose Edit Trust Relationship.
  6. Edit the trust policy as needed. To add additional principals that can assume the role, specify them in the Principal element. For example, the following policy snippet shows how to reference two AWS accounts in the Principal element:

CLI Command

To detach a managed policy from a role identity use one of the following commands:
aws iam detach-role-policy

Fix - Buildtime

Terraform

  • Resource:aws_iam_role
  • Argument: assume_role_policy - (Required) The policy that grants an entity permission to assume the role.
resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

CloudFormation

  • Resource: AWS::IAM::Role
  • Argument: Policies - Adds or updates an inline policy document that is embedded in the specified IAM role.
Type: AWS::IAM::Role
Properties: 
  AssumeRolePolicyDocument: Json
  Description: String
  ManagedPolicyArns: 
    - String
  MaxSessionDuration: Integer
  Path: String
  PermissionsBoundary: String
  Policies: 
    - Policy
  RoleName: String
  Tags: 
    - Tag