Skip to main content

πŸ“ AWS IAM Policy allows full administrative privileges 🟒

  • Contextual name: πŸ“ Policy allows full administrative privileges 🟒
  • ID: /ce/ca/aws/iam/policy-allows-full-administrative-privileges
  • Located in: πŸ“ AWS IAM

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-157aa4b91

Logic​

Description​

Open File

Description​

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

Rationale​

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.

Audit​

Perform the following to determine what policies are created:

From Command Line​

... see more

Remediation​

Open File

Remediation​

From Console​

Perform the following to detach the policy that has full administrative privileges:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy that needs to be deleted.
  4. In the policy action menu, select first Detach.
  5. Select all Users, Groups, Roles that have this policy attached.
  6. Click Detach Policy.
  7. Select the newly detached policy and select Delete.

From Command Line​

Perform the following to detach the policy that has full administrative privileges as found in the audit step:

  1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
  1. Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
  1. Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 47c segregation of duty controls which prevent personnel from deploying their own software changes to production;55
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [IAM.1] IAM policies should not allow full "*" administrative privileges11
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 1.22 Ensure IAM policies that allow full ":" administrative privileges are not created11
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached11
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached1
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached - Level 1 (Automated)1
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached - Level 1 (Automated)1
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached - Level 1 (Automated)1
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.16 Ensure IAM policies that allow full ":" administrative privileges are not attached (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.15 Ensure IAM policies that allow full ":" administrative privileges are not attached (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό General Access Controls11
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2 Account Management (L)(M)(H)10835
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(7) Privileged User Accounts (M)(H)67
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3764
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1142
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)13
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81153
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)14
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(3) Network Access to Privileged Commands (H)12
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(5) Privileged Accounts (M)(H)35
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)13
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62030
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)21416
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-2 Account Management (L)(M)(H)4
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)8
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2 Account Management (L)(M)(H)935
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(7) Privileged User Accounts (M)(H)7
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)42
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-5 Separation of Duties (M)(H)13
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)653
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)4
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(5) Privileged Accounts (M)(H)5
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)3
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)230
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)216
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.1.2 Access to networks and network services1718
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.3 Management of privileged access rights38
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.4.1 Information access restriction1920
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1930
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1752
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1923
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2130
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events81
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization38
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated32
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties88
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage66
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AC-5 SEPARATION OF DUTIES34
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2 Account Management132034
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(1) Account Management _ Automated System Account Management416
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15534
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(7) Access Enforcement _ Role-based Access Control11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3742
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-5 Separation of Duties13
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102346
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions44
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(3) Least Privilege _ Network Access to Privileged Commands2
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(10) Least Privilege _ Prohibit Non-privileged Users from Executing Privileged Functions2
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 7.2.1 Coverage of all system components.7
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.7
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.7
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-4 Identifies and Authenticates Users46
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-8 Manages Identification and Authentication1824
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 2.1.5 Ensure users are authenticated before allowing them access to organizational data or services44