
IAM Rule: Avoid Wildcard Actions for Customer Managed Policies

This rule ensures that you do not allow wildcard actions for services in IAM customer managed policies.

Rule: IAM customer managed policies that you create should not allow wildcard actions for services
Framework: AWS Foundational Security Best Practices
Severity: Low

Rule Description

This rule, part of the AWS Foundational Security Best Practices standard, checks whether the customer managed policies you create contain Allow statements whose Action is a service-level wildcard such as "s3:*" (or the bare "*"). Such a statement grants every action the service exposes, including actions AWS adds after the policy was written, so the principal's effective permissions can neither be reviewed nor bounded. Wildcards in Deny statements are not flagged, because they only restrict access. Replacing Allow wildcards with the specific actions a workload needs keeps policies granular and reduces the risk of unauthorized or unintended actions.

Troubleshooting Steps

If a customer managed policy allows wildcard actions for services, review and update it so that each wildcard is removed or replaced with the specific actions the workload needs. The troubleshooting steps are:

  1. Identify the policy: Determine which customer managed policies allow wildcard actions. Review the policies in the AWS Management Console, or list them with the AWS CLI (aws iam list-policies --scope Local returns only customer managed policies) and inspect the default version of each one.

  2. Analyze the policy: Read every Allow statement and note each action of the form "service:*" (or a bare "*"). A service-level wildcard grants every action the service exposes, so work out which actions the attached users, groups and roles actually perform, for example from CloudTrail, before deciding what to keep.

  3. Update the policy: Replace each wildcard with the explicit actions the use case requires, scoped to the narrowest Resource that works. Do not keep actions merely because they might be needed later; they can be added when the need arises.

  4. Test the updated policy: Before the new version reaches production principals, check it with the IAM policy simulator (aws iam simulate-custom-policy) or attach it to a test role, and confirm that the required actions succeed and that the actions you removed are denied.

  5. Monitor and review: Re-run the check whenever a policy version changes (the Security Hub control behind this rule does this continuously) so that wildcards are not reintroduced, and watch CloudTrail for AccessDenied errors after the change to catch any action you missed.

Necessary Codes

A customer managed policy is not edited in place: you publish a new policy version and make it the default. To do that with the AWS CLI, use the following command as a reference:

aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://path/to/policy.json --set-as-default

Replace <policy-arn> with the ARN (Amazon Resource Name) of the policy you want to update, and path/to/policy.json with the file path of the updated policy document. The --set-as-default flag makes the new version the one that takes effect for every user, group and role the policy is attached to.

A managed policy can hold at most five versions. If the command fails with a limit-exceeded error, delete an old version that is not the default first:

aws iam delete-policy-version --policy-arn <policy-arn> --version-id <version-id>

Make sure the policy document you upload has the wildcard actions removed or replaced with the specific actions that are required.

Step-by-Step Guide for Remediation

Follow these step-by-step instructions to remediate a customer managed policy that allows wildcard actions for services:

  1. Identify the policy:

    • Log in to the AWS Management Console.
    • Navigate to the IAM service.
    • Click on "Policies" in the left sidebar.
    • Filter the list to customer managed policies and identify the policy that allows wildcard actions for services.

  2. Analyze the policy:

    • Click on the policy name to open the policy details.
    • Examine the policy document and note every Allow statement whose Action contains "service:*" or "*".
    • For each one, identify which actions the attached principals actually use and which unintended actions the wildcard also permits.

  3. Update the policy:

    • Click on the "Edit policy" button.
    • Modify the policy document to remove the wildcard actions or replace them with specific actions.
    • Ensure that the policy grants only the permissions required for the intended use case.
    • Click on "Review policy" to validate the changes. Saving creates a new policy version and sets it as the default.

  4. Test the updated policy:

    • Verify the new version with the IAM policy simulator or a test role before relying on it for production users, groups or roles.
    • Test the principal's ability to perform the required actions without any unnecessary additional permissions.
    • Ensure the permissions are correctly enforced and that the actions you removed are now denied.

  5. Monitor and review:

    • Regularly review the policy to verify that the change has not been reverted by a later version.
    • Assess the impact of the updated policy on the affected users or roles, for example by checking CloudTrail for AccessDenied errors.
    • Make any necessary adjustments as the requirements evolve over time.

By following these steps, you can remediate customer managed policies in IAM that allow wildcard actions for services, aligning with the AWS Foundational Security Best Practices and ensuring a more secure IAM environment.
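The "Analyze the policy" and "Update the policy" steps above can be automated over the policy document itself. The following Python script is an added example, not code from the original page or from AWS; it applies the check this rule describes (an Allow statement whose Action is "*" or "service:*") to a policy document and produces a narrowed copy for upload with create-policy-version. The sample policy and the replacement map are constructed for illustration; prefix wildcards such as "dynamodb:Get*" are deliberately not flagged, because this rule only concerns service-level wildcards.

```python
"""Flag and narrow service-level wildcard actions in an IAM policy document.

Added example, not part of the original page or of any AWS tooling. It
mirrors the rule's check: an Allow statement whose Action is "*" or
"service:*" fails. The sample policy below is constructed for illustration.
A real document can be fetched with:
  aws iam get-policy --policy-arn <arn>              # shows DefaultVersionId
  aws iam get-policy-version --policy-arn <arn> --version-id <vN>
"""
import json
import re

# Matches "*" or "<service>:*", case-insensitively (IAM action names are
# case-insensitive). "s3:Get*" is a prefix wildcard, not a service-level one,
# so it is intentionally not matched.
SERVICE_WILDCARD = re.compile(r"^(\*|[a-z0-9-]+:\*)$", re.IGNORECASE)


def _as_list(value):
    """IAM accepts either a string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_actions(policy):
    """Return [(statement_index, sid, action), ...] for every Allow action
    that grants all actions on a service (or on everything)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny statement only restricts access
        for action in _as_list(stmt.get("Action")):
            if isinstance(action, str) and SERVICE_WILDCARD.match(action):
                findings.append((idx, stmt.get("Sid", ""), action))
    return findings


def narrow_wildcards(policy, replacements):
    """Return a copy of the policy in which each wildcard action listed in
    `replacements` (e.g. {"s3:*": ["s3:GetObject"]}) is replaced by the
    explicit actions given. Wildcards with no replacement are left as they
    are, so nothing is silently dropped; re-run find_wildcard_actions on the
    result to confirm none remain. The input policy is not modified."""
    new_policy = json.loads(json.dumps(policy))  # deep copy
    new_policy["Statement"] = _as_list(new_policy.get("Statement"))
    for stmt in new_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        expanded = []
        for action in _as_list(stmt["Action"]):
            expanded.extend(replacements.get(action, [action]))
        stmt["Action"] = expanded
    return new_policy


# Constructed sample: one compliant statement, one the rule flags twice,
# and a Deny statement whose "*" is not a finding.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["s3:*", "dynamodb:Get*", "SQS:*"],
         "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for idx, sid, action in find_wildcard_actions(SAMPLE_POLICY):
        print(f"statement {idx} ({sid or 'no Sid'}): wildcard action {action}")
    # The replacement actions are assumptions for the sample workload;
    # derive the real ones from what the principals actually call.
    fixed = narrow_wildcards(SAMPLE_POLICY, {
        "s3:*": ["s3:GetObject", "s3:PutObject"],
        "SQS:*": ["sqs:SendMessage"],
    })
    assert not find_wildcard_actions(fixed)
    # Save this output to a file and upload it with
    # aws iam create-policy-version ... --set-as-default
    print(json.dumps(fixed, indent=2))
```

Run the script as-is to see the two findings for the "TooBroad" statement and the narrowed policy; to check a real policy, load the Document field from get-policy-version with json.load and pass it to find_wildcard_actions. The Resource element is left untouched here; tightening it from "*" to specific ARNs is a separate but equally worthwhile step.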
