This rule ensures IAM policies do not grant full '*' administrative privileges.
| Attribute | Value |
|---|---|
| Rule | IAM policies should not allow full '*' administrative privileges |
| Framework | AWS Foundational Security Best Practices |
| Severity | High |
Rule Description:
This rule requires that IAM (Identity and Access Management) policies not grant full administrative privileges by using the wildcard character '*' for both the action and the resource. It follows the AWS Foundational Security Best Practices, which recommend applying the principle of least privilege when granting access permissions.
Granting full administrative privileges with '*' is a security risk because it gives unrestricted access to every resource and every action in the AWS account. A principal holding such a policy can read or change anything, so a leaked credential, an accidental misconfiguration, or a malicious insider has the same unlimited reach.
Troubleshooting Steps:
If you find an IAM policy that allows full '*' administrative privileges, follow these steps to remediate the issue:
1. Identify the affected IAM policy: determine which IAM policy grants the wildcard '*' administrative privileges.
2. Review the policy: analyze the content of the IAM policy to understand its purpose and the level of access it provides.
3. Update the policy: modify the policy to remove the wildcard '*' and replace it with the specific actions and resources that the intended user or role actually needs.
4. Apply the principle of least privilege: grant only the permissions required for the intended tasks and responsibilities.
5. Test and validate: after updating the IAM policy, test the changes thoroughly to confirm that the required access still works while administrative privileges are restricted.
Code Example:
Here's an example of an IAM policy that grants full administrative privileges using the '*' wildcard:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
To remediate this policy, update it with specific actions and resources. For instance, suppose the user only requires read-only access to S3. The updated policy would look like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
Remediation Steps:
1. Identify the IAM policy that grants full administrative privileges using the '*' wildcard.
2. Access the AWS Management Console or use the AWS Command Line Interface.
3. Navigate to the IAM service.
4. Locate and select the IAM policy that requires remediation.
5. Click on "Edit policy" to modify the policy.
6. Replace the '*' wildcard with the specific actions and resources that align with the intended access requirements.
7. Save the updated policy.
8. Test the revised policy by assuming the role or accessing the resources associated with the updated policy.
9. Repeat the process for any other IAM policies violating the rule.
By adhering to the principle of least privilege, you can ensure that IAM policies do not grant unrestricted administrative access and help maintain the security of your AWS resources.