Skip to content

Excessive permissions are granted for IAM policy

Description

When creating and changing IAM policies in AWS, we recommend you follow the principle of least privilege (POLP). This security principle focuses on granting only the permissions required to perform a task. Practicing this principle requires developers to determine what users (and roles) will need to do, and then to build IAM policy documents that allow only those tasks.

To ensure only required privileges are entitled to existing IAM entities, Prowler:

  • Pulls data from AWS Access Advisor including information about the actions last accessed for services defined in the policy.
  • Compares service-level permission grants with the permissions that each user/role/group or policy has actually used during the past 90 days.

For example, if a role was attached to a policy, and that policy does not use all of that role's permissions, then we recommend you revoke the role.

When you click on an insight and select an IAM entity it shows a color- and symbol-coded list of permissions. This list indicates how the member's permissions will change if you apply the recommendation.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon IAM console.
  3. In the navigation pane, choose Policies.
  4. In the list of policies, choose the policy name of the policy to edit. You can use the Filter menu and the search box to filter the list of policies.
  5. Choose the Permissions tab, and then choose Edit Policy.

Fix - Buildtime

Terraform

  • Resource: aws_iam_policy
  • Argument: policy - (Required) The policy document. This is a JSON formatted string.
resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

CloudFormation

  • Resource: AWS::IAM::Policy
  • Argument: PolicyDocument - Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see Declaring an IAM Group Resource.
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: CFNUsers
  PolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'
  Groups:
    - !Ref CFNUserGroup