This rule ensures that IAM policies allowing full administrative privileges are not attached.
Rule      | Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Framework | cis_v130
Severity  | Low
Ensuring IAM Policies with Full Administrative Privileges are Not Attached
Full administrative privileges in IAM policies grant users the ability to perform any action on any resource within your AWS environment. This level of access should be tightly controlled to prevent unintended consequences, including security breaches. CIS Benchmark v1.3.0 recommends that IAM policies should not allow full "*:*" administrative privileges, except for a narrow set of circumstances where it is absolutely necessary.
Understanding the Rule
IAM policies that grant full administrative privileges are denoted by an Action element with the value "*" and a Resource element with the value "*". Such policies allow the holder to perform any action on any resource within the AWS account, bypassing the principle of least privilege. A policy with the following JSON statement would violate this rule:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Troubleshooting and Remediation Steps
1. Identify Policies with Full Administrative Privileges
Use the AWS Management Console or CLI to list all IAM policies and check for policies with full administrative privileges.
Using AWS CLI:
aws iam list-policies --scope Local --query 'Policies[?PolicyName!=`AdministratorAccess`].{Arn:Arn}'
This command lists all customer-managed IAM policies in your account (--scope Local); the query additionally excludes any policy named AdministratorAccess, the name of the AWS-managed full-access policy. Listing alone does not show what a policy permits: for each ARN returned, retrieve the default version with aws iam get-policy (for the DefaultVersionId) and aws iam get-policy-version, and inspect its statements for Effect "Allow" combined with Action "*" and Resource "*".

2. Review the Attached Policies
For each policy identified in the previous step, review where it is attached: to users, groups, or roles.
Using AWS CLI:
aws iam list-entities-for-policy --policy-arn POLICY_ARN
Replace POLICY_ARN with the ARN of the policy you're reviewing (for a customer-managed policy this has the form arn:aws:iam::ACCOUNT_ID:policy/POLICY_NAME).

3. Remove Full Access Permissions
For any non-approved policy that grants full access, update the policy to align with the principle of least privilege.
Using AWS CLI:
aws iam delete-policy --policy-arn POLICY_ARN
Note: Use this command with caution. Preferably, replace the full access policy with more restrictive policies that grant only the necessary permissions. Deletion fails while the policy is still attached to any user, group or role, or still has non-default versions, so detach it from the entities found in step 2 (aws iam detach-user-policy, detach-group-policy, detach-role-policy) and delete old versions (aws iam delete-policy-version) first.
4. Confirm Removal of Full Access Policies
Once the full access policies are removed or replaced, re-run the check to confirm no such policies are attached.
Using AWS CLI to confirm:
aws iam list-policies --scope Local --query 'Policies[?PolicyName!=`AdministratorAccess`].{Arn:Arn}'
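The list-policies command only enumerates policies; the actual check is whether a policy's default version contains an Allow statement pairing Action "*" (written "*:*" in the rule title) with Resource "*". The following Python is an added example, not code from this page or from the CIS Benchmark, that implements the check over data shaped like the Policies list returned by aws iam get-account-authorization-details --filter LocalManagedPolicy. The sample input is constructed (placeholder account ID, hypothetical policy names), and the decisions to skip unattached policies and to leave NotAction/NotResource statements unevaluated are this example's own.

```python
import json

# Action values IAM treats as "every action". The rule title writes the
# wildcard as "*:*"; the example policy in the text uses "*". Match both.
FULL_ACTION_WILDCARDS = {"*", "*:*"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_grants_full_admin(stmt):
    """True if a single Allow statement pairs a full action wildcard with Resource '*'.
    Statements written with NotAction/NotResource are not evaluated (design choice)."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return any(a in FULL_ACTION_WILDCARDS for a in actions) and "*" in resources


def policy_document_grants_full_admin(document):
    """Evaluate a whole policy document given as a dict or a JSON string."""
    if isinstance(document, str):
        document = json.loads(document)
    # "Statement" may itself be a single object rather than a list.
    return any(statement_grants_full_admin(s) for s in _as_list(document.get("Statement")))


def find_violations(authorization_details):
    """Return [(PolicyName, Arn)] for attached policies whose *default* version
    grants full admin. Input has the shape of the Policies list returned by
    `aws iam get-account-authorization-details --filter LocalManagedPolicy`."""
    violations = []
    for policy in authorization_details.get("Policies", []):
        if policy.get("AttachmentCount", 0) == 0:
            continue  # the rule concerns policies that are attached
        for version in policy.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion") and policy_document_grants_full_admin(version["Document"]):
                violations.append((policy["PolicyName"], policy["Arn"]))
                break
    return violations


# Constructed sample data in the shape of get-account-authorization-details
# output (placeholder account ID 123456789012, hypothetical policy names).
# The last version passed is marked as the default, as IAM does after set-default-policy-version.
def _policy(name, attachments, *versions):
    return {
        "PolicyName": name,
        "Arn": f"arn:aws:iam::123456789012:policy/{name}",
        "AttachmentCount": attachments,
        "PolicyVersionList": [
            {"VersionId": f"v{i}", "IsDefaultVersion": i == len(versions),
             "Document": {"Version": "2012-10-17", "Statement": stmts}}
            for i, stmts in enumerate(versions, start=1)
        ],
    }


SAMPLE_DETAILS = {
    "Policies": [
        # Violation: attached, and the current (default) version is Allow * on *.
        _policy("LegacyFullAccess", 2,
                [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
                [{"Effect": "Allow", "Action": "*", "Resource": "*"}]),
        # Compliant: service-scoped actions only.
        _policy("S3ReadOnly", 1,
                [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]),
        # Not flagged: full access, but AttachmentCount is 0.
        _policy("UnattachedFullAccess", 0,
                [{"Effect": "Allow", "Action": ["*:*"], "Resource": ["*"]}]),
        # Not flagged: a Deny of everything is not a grant.
        _policy("DenyEverything", 3,
                [{"Effect": "Deny", "Action": "*", "Resource": "*"}]),
        # Not flagged: the full-access statement lives only in an older, non-default version.
        _policy("PreviouslyFullAccess", 1,
                [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
                [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]),
    ]
}

if __name__ == "__main__":
    for name, arn in find_violations(SAMPLE_DETAILS):
        print(f"VIOLATION {name} {arn}")
```

Against real data, pipe the output of aws iam get-account-authorization-details --filter LocalManagedPolicy into json.load and pass the result to find_violations; the CLI already decodes each Document into JSON. Only the default version matters because that is the one IAM evaluates, which is why the PreviouslyFullAccess sample is not reported.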
Step by Step Guide
CLI Commands Required
To list local IAM policies:
aws iam list-policies --scope Local --query 'Policies[?PolicyName!=`AdministratorAccess`].{Arn:Arn}'
To list entities for a specific policy:
aws iam list-entities-for-policy --policy-arn POLICY_ARN
To delete a policy (after detaching it from all entities and deleting any non-default versions):
aws iam delete-policy --policy-arn POLICY_ARN
Note: Always ensure you have a backup or an alternative set of permissions if you are modifying or deleting sensitive IAM policies to avoid any disruption of service.
Adhering to these guidelines helps maintain a least-privilege IAM policy structure that protects AWS environments consistent with the CIS Benchmark recommendations.