🛡️ AWS IAM Policy allows full administrative privileges🟢

Contextual name: 🛡️ Policy allows full administrative privileges🟢
ID: /ce/ca/aws/iam/policy-allows-full-administrative-privileges
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS IAM Policy
- 🔌 AWS IAM Policy - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [IAM.1] IAM policies should not allow full "*" administrative privileges
Cloud Conformity: IAM Policies With Full Administrative Privileges
Internal: dec-x-157aa4b9

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-157aa4b9	1

Description

Open File

Description

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

Rationale

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.

Audit

Perform the following to determine what policies are created:

From Command Line

... see more

Remediation

Open File

Remediation

From Console

Perform the following to detach the policy that has full administrative privileges:

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

In the navigation pane, click Policies and then search for the policy name found in the audit step.

Select the policy that needs to be deleted.

In the policy action menu, select first Detach.

Select all Users, Groups, Roles that have this policy attached.

Click Detach Policy.

Select the newly detached policy and select Delete.

From Command Line

Perform the following to detach the policy that has full administrative privileges as found in the audit step:

Lists all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production;		5	5	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges		1	1	no data
💼 AWS Well-Architected → 💼 COST02-BP04 Implement groups and roles			3	no data
💼 CIS AWS v1.2.0 → 💼 1.22 Ensure IAM policies that allow full ":" administrative privileges are not created		1	1	no data
💼 CIS AWS v1.3.0 → 💼 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached		1	1	no data
💼 CIS AWS v1.4.0 → 💼 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached			1	no data
💼 CIS AWS v1.5.0 → 💼 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached - Level 1 (Automated)			1	no data
💼 CIS AWS v2.0.0 → 💼 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached - Level 1 (Automated)			1	no data
💼 CIS AWS v3.0.0 → 💼 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached - Level 1 (Automated)			1	no data
💼 CIS AWS v4.0.0 → 💼 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached (Automated)			1	no data
💼 CIS AWS v4.0.1 → 💼 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached (Automated)			1	no data
💼 CIS AWS v5.0.0 → 💼 1.15 Ensure IAM policies that allow full ":" administrative privileges are not attached (Automated)			1	no data
💼 CIS AWS v6.0.0 → 💼 2.15 Ensure IAM policies that allow full ":" administrative privileges are not attached (Automated)			1	no data
💼 Cloudaware Framework → 💼 General Access Controls			11	no data
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)	10	8	38	no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			18	no data
💼 FedRAMP High Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)		6	7	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	68	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	48	no data
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)			15	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	57	no data
💼 FedRAMP High Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)		1	5	no data
💼 FedRAMP High Security Controls → 💼 AC-6(3) Network Access to Privileged Commands (H)		1	2	no data
💼 FedRAMP High Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)		3	5	no data
💼 FedRAMP High Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)		1	4	no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	6	20	32	no data
💼 FedRAMP High Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)	2	14	16	no data
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)			4	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68	no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)			24	no data
💼 FedRAMP Low Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)			8	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)	9		38	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			18	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)			7	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			48	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)			15	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		57	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)			5	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)			5	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)			4	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	2		32	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)	2		16	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services		17	18	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights		3	12	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction		19	20	no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34	no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56	no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)		19	23	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91	no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities		21	30	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85	no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			42	no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			53	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			95	no data
💼 NIST SP 800-53 Revision 4 → 💼 AC-5 SEPARATION OF DUTIES		3	4	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	20	37	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	18	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	40	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			14	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			13	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	48	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties			15	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	50	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions		4	5	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands			2	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(10) Least Privilege _ Prohibit Non-privileged Users from Executing Privileged Functions			3	no data
💼 PCI DSS v3.2.1 → 💼 7.2.1 Coverage of all system components.			7	no data
💼 PCI DSS v4.0.1 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.			7	no data
💼 PCI DSS v4.0 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.			7	no data
💼 SOC 2 → 💼 CC6.1-4 Identifies and Authenticates Users		4	6	no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication		18	24	no data
💼 UK Cyber Essentials → 💼 2.1.5 Ensure users are authenticated before allowing them access to organizational data or services		4	4	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Audit​

From Command Line​

Remediation​

Remediation​

From Console​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Audit

From Command Line

Remediation

Remediation

From Console

From Command Line

policy.yaml

Linked Framework Sections