
๐Ÿ›ก๏ธ AWS IAM Policy allows full administrative privileges๐ŸŸข

  • Contextual name: 🛡️ Policy allows full administrative privileges 🟢
  • ID: /ce/ca/aws/iam/policy-allows-full-administrative-privileges
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule: ✉️ dec-x-157aa4b91

Description

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered standard security advice to grant least privilege, that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

Rationale

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Granting full administrative privileges, instead of restricting a principal to the minimum set of permissions its tasks require, exposes every resource in the account to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.

Audit

Perform the following to determine what policies are created:

From Command Line
  1. Run the following to get a list of IAM policies:

... see more

Remediation

From Console

Perform the following to detach the policy that has full administrative privileges:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy that needs to be deleted.
  4. In the policy action menu, select Detach.
  5. Select all users, groups, and roles that have this policy attached.
  6. Click Detach Policy.
  7. Select the newly detached policy and select Delete.

From Command Line

Perform the following to detach the policy that has full administrative privileges as found in the audit step:

  1. List all IAM users, groups, and roles that the specified managed policy is attached to.

    aws iam list-entities-for-policy --policy-arn {{policy_arn}}
  2. Detach the policy from all IAM Users:

    aws iam detach-user-policy --user-name {{iam_user}} --policy-arn {{policy_arn}}
  3. Detach the policy from all IAM Groups:

... see more
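The audit check described above and the command-line detach steps in this Remediation section, as an added Python example that is not part of the original page: allows_full_admin applies the page's "Effect": "Allow" / "Action": "*" / "Resource": "*" test to a policy document (the shape returned by aws iam get-policy-version), and detach_plan turns a list-entities-for-policy response into the same detach commands the steps above run by hand. The policy documents, entity names and policy ARN are constructed samples, not data from any real account.

```python
# Constructed sample policy documents (not taken from any real account).
FULL_ADMIN_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_DOC = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:GetObject"],
                  "Resource": "arn:aws:s3:::example-bucket/*"},
}
# Constructed sample of a `list-entities-for-policy` response; placeholder ARN.
ENTITIES = {
    "PolicyGroups": [{"GroupName": "Developers", "GroupId": "AGPAEXAMPLEID"}],
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLEID"}],
    "PolicyRoles": [{"RoleName": "BuildRole", "RoleId": "AROAEXAMPLEID"}],
}
POLICY_ARN = "arn:aws:iam::123456789012:policy/PLACEHOLDER-POLICY"

def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allows_full_admin(policy_doc):
    """True if any statement is "Effect": "Allow" on "Action": "*" over "Resource": "*"."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue  # a Deny statement with wildcards is not a finding
        actions = {str(a).strip() for a in _as_list(stmt.get("Action"))}
        resources = {str(r).strip() for r in _as_list(stmt.get("Resource"))}
        if "*" in actions and "*" in resources:
            return True
    return False

def detach_plan(policy_arn, entities):
    """Turn a list-entities-for-policy response into the detach commands from the remediation steps."""
    cmds = []
    for u in entities.get("PolicyUsers", []):
        cmds.append(f"aws iam detach-user-policy --user-name {u['UserName']} --policy-arn {policy_arn}")
    for g in entities.get("PolicyGroups", []):
        cmds.append(f"aws iam detach-group-policy --group-name {g['GroupName']} --policy-arn {policy_arn}")
    for r in entities.get("PolicyRoles", []):
        cmds.append(f"aws iam detach-role-policy --role-name {r['RoleName']} --policy-arn {policy_arn}")
    return cmds

if __name__ == "__main__":
    print("FULL_ADMIN_DOC is full admin:", allows_full_admin(FULL_ADMIN_DOC))  # True
    print("SCOPED_DOC is full admin:", allows_full_admin(SCOPED_DOC))  # False
    print("\n".join(detach_plan(POLICY_ARN, ENTITIES)))  # three detach commands
```

Review the plan before running it: the policy must be detached from every listed user, group and role before aws iam delete-policy will succeed.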

policy.yaml

Linked Framework Sections

Section → Sub Section
💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production;
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.1] IAM policies should not allow full "*" administrative privileges
💼 AWS Well-Architected → 💼 COST02-BP04 Implement groups and roles
💼 CIS AWS v1.2.0 → 💼 1.22 Ensure IAM policies that allow full "*:*" administrative privileges are not created
💼 CIS AWS v1.3.0 → 💼 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
💼 CIS AWS v1.4.0 → 💼 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
💼 CIS AWS v1.5.0 → 💼 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached - Level 1 (Automated)
💼 CIS AWS v2.0.0 → 💼 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached - Level 1 (Automated)
💼 CIS AWS v3.0.0 → 💼 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached - Level 1 (Automated)
💼 CIS AWS v4.0.0 → 💼 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
💼 CIS AWS v4.0.1 → 💼 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
💼 CIS AWS v5.0.0 → 💼 1.15 Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
💼 CIS AWS v6.0.0 → 💼 2.15 Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
💼 CIS AWS v7.0.0 → 💼 2.14 Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
💼 Cloudaware Framework → 💼 General Access Controls
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)
💼 FedRAMP High Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)
💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)
💼 FedRAMP High Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)
💼 FedRAMP High Security Controls → 💼 AC-6(3) Network Access to Privileged Commands (H)
💼 FedRAMP High Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)
💼 FedRAMP High Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)
💼 FedRAMP High Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights
💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
💼 NIST SP 800-53 Revision 4 → 💼 AC-5 SEPARATION OF DUTIES
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows
💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(10) Least Privilege _ Prohibit Non-privileged Users from Executing Privileged Functions
💼 PCI DSS v3.2.1 → 💼 7.2.1 Coverage of all system components.
💼 PCI DSS v4.0.1 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.
💼 PCI DSS v4.0 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.
💼 SOC 2 → 💼 CC6.1-4 Identifies and Authenticates Users
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication
💼 UK Cyber Essentials → 💼 2.1.5 Ensure users are authenticated before allowing them access to organizational data or services