Rule: IAM Policy Should Not Have Statements with Admin Access

This rule ensures that IAM policies do not contain statements with admin access.

Rule: IAM policy should not have statements with admin access
Framework: CISA-cyber-essentials
Severity: High

Rule Description

IAM policies evaluated under the CISA Cyber Essentials framework should not contain statements that grant administrative access, that is, an Allow statement with "Action": "*" on "Resource": "*". This rule ensures that users and roles are not granted such excessive privileges, which would let a single compromised credential take over the whole account and undermine the security and integrity of the environment.

Troubleshooting Steps

No specific troubleshooting steps are required for this rule. If removing administrative access breaks a user's or role's workflow, address each case individually by granting the specific actions and resources that workflow needs rather than restoring the wildcard statement.

Necessary Code

No specific code is required for this rule. To enforce it, edit the offending IAM policies with the AWS Command Line Interface (CLI) or the AWS Management Console.

Step-by-Step Guide for Remediation

To remediate this rule, follow these step-by-step instructions:

  1. Identify Policies with Admin Access: Review all IAM policies attached to users, groups and roles in scope for the CISA Cyber Essentials framework, including inline policies as well as customer managed policies. Focus on statements that grant full administrative access:
    "Effect": "Allow", "Action": "*", "Resource": "*"
    Action and Resource may be written either as a single string or as a list, so "Action": ["*"] matches as well. The AWS managed AdministratorAccess policy consists of exactly this statement, so attachments of that policy count too.
  2. Remove Admin Access Statements: For each policy identified in step 1, remove or modify the statements granting full administrative access.
    • Prefer granting the least privileged access necessary for the specific tasks or resources.
    • Update the policy to define the specific actions, resources, and conditions required by the users or roles.
    • Grant administrative access only when it is absolutely necessary and justified, and then to a dedicated, MFA-protected role rather than to everyday user credentials.

It is important to strike a balance between security and usability when modifying IAM policies to avoid either over-permissioning or under-permissioning users and roles.

  3. Test and Monitor: After modifying the policies, thoroughly test the impacted users and roles to ensure they still have the access needed to complete their intended tasks within the CISA Cyber Essentials framework. Monitor continuously, for example by watching CloudTrail for AccessDenied errors from the affected principals, to identify any unexpected issues or access-related anomalies.
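As an added, runnable illustration of steps 1 and 2 (example code written for this page, not Cloud Defense's or AWS's own tooling), the following Python script detects admin statements in a policy document, strips them, and shows how the cleaned document would be published as a new policy version through boto3. SAMPLE_POLICY is constructed for the example; apply_new_policy_version assumes boto3 and valid AWS credentials and is not exercised offline. The detector treats only the literal "*" action on the literal "*" resource as admin, matching the rule's definition, so Allow statements using NotAction or service-wide wildcards such as "s3:*" still need manual review.

```python
"""Find and strip full-admin statements from IAM policy documents.

Pure functions operate on the policy JSON so they can be run offline;
apply_new_policy_version() maps the result onto the IAM API.
"""
import copy
import json


def _as_list(value):
    """IAM allows Action/Resource/Statement as a bare string/dict or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(stmt):
    """True for an Allow statement granting every action on every resource.

    Only the literal "*" counts: "s3:*" on "*", or "*" on a single bucket ARN,
    is broad but not what this rule flags. NotAction is deliberately ignored
    (see lead-in). A Condition does not change the verdict: the statement is
    still an admin grant that merely has a guard in front of it.
    """
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def find_admin_statements(policy_doc):
    """Return [(index, Sid-or-None)] for every admin statement in the document."""
    statements = _as_list(policy_doc.get("Statement"))
    return [(i, s.get("Sid")) for i, s in enumerate(statements)
            if is_admin_statement(s)]


def strip_admin_statements(policy_doc):
    """Return a copy of the document with the admin statements removed.

    IAM rejects a policy whose Statement list is empty, so if nothing would
    remain the caller must detach or delete the policy instead of rewriting it.
    """
    statements = _as_list(policy_doc.get("Statement"))
    kept = [copy.deepcopy(s) for s in statements if not is_admin_statement(s)]
    if not kept:
        raise ValueError("every statement is an admin grant; "
                         "detach or delete the policy instead of rewriting it")
    new_doc = copy.deepcopy(policy_doc)
    new_doc["Statement"] = kept
    return new_doc


def apply_new_policy_version(policy_arn, new_doc):
    """Publish new_doc as the default version of a customer managed policy.

    Mirrors the CLI flow: a managed policy holds at most five versions, so the
    oldest non-default version is deleted first when the limit is reached.
    Assumes boto3 and AWS credentials are available; not run offline.
    """
    import boto3  # imported lazily so the pure functions above work without it

    iam = boto3.client("iam")
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= 5:
        oldest = min((v for v in versions if not v["IsDefaultVersion"]),
                     key=lambda v: v["CreateDate"])
        iam.delete_policy_version(PolicyArn=policy_arn,
                                  VersionId=oldest["VersionId"])
    resp = iam.create_policy_version(PolicyArn=policy_arn,
                                     PolicyDocument=json.dumps(new_doc),
                                     SetAsDefault=True)
    return resp["PolicyVersion"]["VersionId"]


# Constructed sample policy: one admin statement, one least-privilege
# statement, and one that is "*" on a single bucket (broad, but not flagged).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Read", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "AllActionsOneBucket", "Effect": "Allow", "Action": ["*"],
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}

if __name__ == "__main__":
    print("admin statements:", find_admin_statements(SAMPLE_POLICY))
    print(json.dumps(strip_admin_statements(SAMPLE_POLICY), indent=2))
```

Feed the script the output of aws iam get-policy-version (the PolicyDocument field) or aws iam get-role-policy to scan real policies; statements that survive strip_admin_statements but still carry "Action": ["*"] on a narrow resource, like AllActionsOneBucket above, are worth a second look under the least-privilege guidance in step 2 even though this rule does not flag them.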

CLI Command Examples

Here are some sample CLI commands that can be used to modify IAM policies:

  1. List IAM Policies: To list the IAM policies in your account, use the following command:

    aws iam list-policies

    By default this also returns every AWS managed policy; add --scope Local to restrict the output to customer managed policies and --only-attached to skip policies that are not attached to any principal.

  2. Get Policy Versions: To retrieve all versions of a specific policy, and then read the default (active) version's document, use the following commands:

    aws iam list-policy-versions --policy-arn <policy-arn>
    aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>

  3. Update Policy: To update a policy by removing or modifying an existing statement, publish a new version and make it the default:

    aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://<policy-file.json> --set-as-default

    Replace <policy-arn> with the ARN (Amazon Resource Name) of the policy and <policy-file.json> with the JSON file containing the updated policy document. A managed policy can hold at most five versions; if the command fails with a LimitExceeded error, delete an old, non-default version first:

    aws iam delete-policy-version --policy-arn <policy-arn> --version-id <version-id>

    These commands apply to managed policies only. Inline policies are read and rewritten with the corresponding get-*-policy and put-*-policy commands, for example aws iam get-role-policy and aws iam put-role-policy.

Keep in mind that these are just examples; tailor the commands to your specific use case and requirements.

By following these steps and using the appropriate CLI commands, you can ensure that IAM policies do not contain statements with admin access for the CISA Cyber Essentials framework, promoting a more secure and controlled environment.
