
Rule: IAM Policy Should Not Have Statements with Admin Access

This rule ensures that IAM policies do not have statements granting admin access.

Rule: IAM policy should not have statements with admin access
Framework: CISA-cyber-essentials
Severity: High

Ensuring IAM Policy Compliance with CISA Cyber Essentials

Overview of CISA Cyber Essentials Policy Implementation

CISA (Cybersecurity and Infrastructure Security Agency) recommends organizations adhere to cybersecurity essentials to manage and reduce risks. Admin access in AWS IAM (Identity and Access Management) can be extremely powerful and potentially risky if not managed correctly. Organizations subject to these recommendations must therefore restrict admin-level access.

An IAM policy with administrative privileges essentially allows users to perform nearly any action on any resource in an AWS environment. To adhere to CISA's Cyber Essentials, such broad access should be restricted to limit the risk of unauthorized changes or access to sensitive resources.

Rule Detail: No Admin Access in IAM Policies

Description of the Rule

To comply with the CISA Cyber Essentials, your IAM policies must not grant full administrative privileges. This means avoiding policies that allow actions such as iam:*, s3:*, ec2:* or other service-wide wildcards that indicate full access. Policies should instead follow the principle of least privilege: grant only the permissions necessary to perform the required tasks.

Potential Risks of Admin Access

  • Unauthorized Access: Admin policies might increase the risk of attackers gaining full access to AWS services.
  • Accidental Changes: Users with admin access can unintentionally disrupt critical services.
  • Privilege Escalation: Malicious insiders can use admin access to elevate their privileges.

Troubleshooting and Remediation Steps

If a non-compliant IAM policy is identified, follow these steps to remediate:

Identify Non-compliant Policies

  1. Use AWS Access Analyzer or a custom script to evaluate policies for admin-level access.
  2. Review policy documents for statements containing "Effect": "Allow" with "Action": "*" or service wildcards like iam:*.

Example script snippet using AWS CLI. It lists every customer-managed policy (scope Local) together with its default version id, then fetches each policy document; get-policy-version needs both the policy ARN and a version id:

aws iam list-policies --scope Local --query 'Policies[?PolicyName!=`AdministratorAccess`].[Arn,DefaultVersionId]' --output text \
  | while read -r arn version; do aws iam get-policy-version --policy-arn "$arn" --version-id "$version" --query 'PolicyVersion.Document' --output json; done

Create Compliant Policies

  1. Define the specific actions and resources each user or role actually needs access to.
  2. Avoid broad wildcards and instead list individual permissions.
  3. Test the policies to ensure they provide the necessary access without being overly permissive.
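To make the policy review in "Identify Non-compliant Policies" and the wildcard avoidance in "Create Compliant Policies" concrete, here is an added Python example that is not part of this page or of the Cloud Defense product. It evaluates IAM policy documents the way the rule describes: an Allow statement is flagged when it lists "*" or a service-wide wildcard such as iam:*, and also when it uses NotAction, since Allow with NotAction grants every action not listed. The three policy documents are constructed samples, and the function names (find_admin_statements, is_admin_action, is_compliant) are this example's own. The JSON printed by get-policy-version can be passed to find_admin_statements as a string.

```python
import json

# Constructed sample policy documents (not taken from the page or any real account).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
        # A Deny with a wildcard restricts access, so it is not a finding.
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
    ],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_action(action):
    """True for '*', '*:*' or a service-wide wildcard such as 'iam:*' (action names are case-insensitive)."""
    action = action.strip().lower()
    if action in ("*", "*:*"):
        return True
    _service, sep, verb = action.partition(":")
    return bool(sep) and verb == "*"


def find_admin_statements(policy_document):
    """Return one finding per Allow statement that grants admin-level access.

    Accepts a dict or the JSON text of a policy document. Deny statements never
    produce findings; partial wildcards such as 's3:Get*' are not treated as admin.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    findings = []
    for index, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        resource_is_star = "*" in _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in _as_list(stmt.get("Action")) if is_admin_action(a)]
        if wildcard_actions:
            findings.append({"sid": sid, "reason": "wildcard action",
                             "actions": wildcard_actions, "resource_is_star": resource_is_star})
        elif "NotAction" in stmt:
            findings.append({"sid": sid, "reason": "Allow with NotAction grants every action not listed",
                             "actions": _as_list(stmt["NotAction"]), "resource_is_star": resource_is_star})
    return findings


def is_compliant(policy_document):
    """A policy complies with the rule when no Allow statement grants admin-level access."""
    return not find_admin_statements(policy_document)


if __name__ == "__main__":
    samples = [("admin", ADMIN_POLICY), ("service-wildcard", SERVICE_WILDCARD_POLICY),
               ("least-privilege", LEAST_PRIVILEGE_POLICY)]
    for name, doc in samples:
        findings = find_admin_statements(doc)
        print(f"{name}: {'NON-COMPLIANT' if findings else 'compliant'}")
        for f in findings:
            print(f"  {f['sid']}: {f['reason']} {f['actions']} (Resource '*': {f['resource_is_star']})")
```

Running the block reports the first two samples as non-compliant (the second only for its iam:* Allow statement, not its ec2:* Deny) and the scoped S3 policy as compliant.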

Apply Compliant Policies

  1. Attach the revised, compliant policies to the respective users or groups.
  2. Remove or detach the non-compliant policies identified in the review process.

Steps Guide for Remediation

Detaching Non-Compliant IAM Policies

# Detach the non-compliant policy from all IAM entities.
# `--output text` prints the matching names tab-separated on one line, so split them
# onto separate lines before xargs; -r skips the command when the list is empty (GNU xargs).
POLICY_ARN=[non-compliant-policy-arn]

aws iam list-entities-for-policy --policy-arn "$POLICY_ARN" --query 'PolicyGroups[].GroupName' --output text | tr '\t' '\n' | xargs -r -I {} aws iam detach-group-policy --policy-arn "$POLICY_ARN" --group-name {}

aws iam list-entities-for-policy --policy-arn "$POLICY_ARN" --query 'PolicyUsers[].UserName' --output text | tr '\t' '\n' | xargs -r -I {} aws iam detach-user-policy --policy-arn "$POLICY_ARN" --user-name {}

aws iam list-entities-for-policy --policy-arn "$POLICY_ARN" --query 'PolicyRoles[].RoleName' --output text | tr '\t' '\n' | xargs -r -I {} aws iam detach-role-policy --policy-arn "$POLICY_ARN" --role-name {}

Attaching Compliant IAM Policies

# Attach the compliant policy to specific IAM groups, users, or roles
aws iam attach-group-policy --policy-arn [compliant-policy-arn] --group-name [target-group-name]

aws iam attach-user-policy --policy-arn [compliant-policy-arn] --user-name [target-user-name]

aws iam attach-role-policy --policy-arn [compliant-policy-arn] --role-name [target-role-name]

Ensure that your remediation steps are well documented and communicated to relevant teams handling IAM. Regular audits and reviews should be part of your security governance to maintain compliance with the CISA Cyber Essentials.

In conclusion, while this guidance provides a methodical approach to comply with CISA recommendations regarding IAM policies, it is also vital to consistently train and educate your team on the importance of cybersecurity best practices. Proper management of IAM policies contributes to a strong security posture and supports overall SEO strategies by protecting your organization's online reputation and trustworthiness.
