
IAM Policy Should Not Have Statements with Admin Access Rule

This rule focuses on restricting admin access in IAM policies.

Rule: IAM policy should not have statements with admin access
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

The IAM (Identity and Access Management) policy should not contain any statements that grant administrative access for the FedRAMP (Federal Risk and Authorization Management Program) Low Revision 4 compliance level. Admin access should be limited to only necessary individuals or roles to minimize security risks.

Troubleshooting Steps:

If a policy contains statements granting admin access under FedRAMP Low Revision 4, identify and remediate it using the steps below:

  1. Identify the policy: Determine the IAM policy that includes statements granting admin access for FedRAMP Low Revision 4.

  2. Review policy statements: Analyze the policy statements to identify the specific permissions and their assigned access levels.

  3. Check compliance level: Verify if the policy applies to the FedRAMP Low Revision 4 compliance level.

  4. Determine necessary access: Assess whether admin access is required for the identified policy. If not necessary, proceed with the remediation steps.

  5. Update policy statements: Remove or modify the policy statements to eliminate admin access for FedRAMP Low Revision 4.

Necessary Codes (if applicable):

If necessary, the following code can be used to modify an IAM policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "example:Action",
      "Resource": "example:Resource"
    },
    {
      "Effect": "Deny",
      "Action": "example:AdminAction",
      "Resource": "example:AdminResource",
      "Condition": {
        "StringLikeIfExists": {
          "example:ConditionKey": "example:Value"
        }
      }
    }
  ]
}

Note: Replace "example:Action" and "example:Resource" with the actual action and resource for the policy. Similarly, replace "example:AdminAction" and "example:AdminResource" with the admin-level action and resource. Also, modify the "example:ConditionKey" and "example:Value" based on any specific conditions required.

Step-by-step Guide for Remediation:

To remediate an IAM policy containing statements with admin access for FedRAMP Low Revision 4, follow the steps below:

  1. Log in to the AWS Management Console.

  2. Open the IAM service.

  3. Select "Policies" from the left-hand side menu.

  4. Search and locate the IAM policy that needs to be updated.

  5. Click on the policy name to open the policy details.

  6. Review the policy statements and identify the ones that grant admin access for FedRAMP Low Revision 4.

  7. Edit the policy by clicking on the "Edit Policy" button.

  8. Locate the statement that needs to be modified or removed.

  9. Modify the statement: If admin access is required for a different compliance level, make the necessary changes to match the new compliance requirement. If admin access is not necessary, remove the statement.

  10. Double-check the modified or removed statement to ensure correctness.

  11. Save the policy changes.

  12. Validate the updated policy for compliance.

By following these steps, you will successfully remediate an IAM policy that violates the rule of not having admin access statements for FedRAMP Low Revision 4.
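The troubleshooting steps above (identify the policy, review its statements, remove the admin grant) and step 12 of the remediation guide (validate the updated policy) can both be scripted against the policy document itself. The following is an added example written for this page, not Cloud Defense's own checker or an AWS tool; it treats a statement as "admin access" when it is an Allow of every action ("*" or "*:*", or a NotAction, which allows everything not listed) on every resource ("*"), which is the same condition the AWS managed AdministratorAccess policy grants. The sample policy document is constructed for the example and does not belong to any real account.

```python
import json
from copy import deepcopy

# Constructed sample policy document (not from any real account): a scoped
# Allow, a full-admin Allow, a service-wide Allow, and an explicit Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "IamWide", "Effect": "Allow",
         "Action": ["iam:*", "ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """Normalize an IAM field that may be a string, a list, or absent."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """IAM accepts a single statement object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def is_admin_statement(stmt):
    """True when the statement allows every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    if "*" not in _as_list(stmt.get("Resource")):
        return False
    if "NotAction" in stmt:
        # "Allow everything except X" on all resources is admin-equivalent.
        return True
    return any(a in ("*", "*:*") for a in _as_list(stmt.get("Action")))


def find_admin_statements(policy):
    """Return (index, Sid) for each admin statement; Sid is None when absent."""
    return [(i, s.get("Sid"))
            for i, s in enumerate(_statements(policy))
            if is_admin_statement(s)]


def remove_admin_statements(policy):
    """Return a copy of the policy with admin statements dropped.

    Scoped Allow statements and all Deny statements are preserved; the input
    document is not modified.
    """
    fixed = deepcopy(policy)
    fixed["Statement"] = [s for s in _statements(policy)
                          if not is_admin_statement(s)]
    return fixed


def is_compliant(policy):
    """Validation step: the policy passes when no admin statement remains."""
    return not find_admin_statements(policy)


if __name__ == "__main__":
    for idx, sid in find_admin_statements(SAMPLE_POLICY):
        print(f"admin access granted by statement {idx} (Sid={sid})")
    remediated = remove_admin_statements(SAMPLE_POLICY)
    print("compliant after remediation:", is_compliant(remediated))
    print(json.dumps(remediated, indent=2))
```

The check is deliberately narrow: the "IamWide" statement (iam:* on every resource) is not flagged because the rule on this page is about full admin access, but a reviewer working through step 2 of the troubleshooting list would still want to scrutinize service-wide wildcards like that one. Run the script on a policy document exported as JSON to get the list of offending statement indexes before editing the policy in the console, and again on the saved version to confirm step 12.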
