
IAM Policy Should Not Have Statements with Admin Access

This rule ensures IAM policies do not contain statements granting admin access.

Rule: IAM policy should not have statements with admin access
Framework: FedRAMP Moderate Revision 4
Severity: High

IAM Policy Rule Description

This rule checks that IAM policy statements evaluated against FedRAMP Moderate Revision 4 do not grant admin access. It is an important security measure aimed at reducing the risk of unauthorized access and ensuring compliance with the FedRAMP Moderate security standards.

Troubleshooting Steps

If this rule is violated, it may pose a security risk and lead to non-compliance with the FedRAMP Moderate Revision 4 requirements. Follow these troubleshooting steps to address any policy violations:

  1. Identify the IAM users, roles, or groups that have admin access in their policy statements.
  2. Review the affected policy statements to understand why admin access was granted.
  3. Determine if there is a legitimate business need for admin access. If not, proceed to the remediation steps.
  4. Check if there are any conflicts or overlapping permissions that may have inadvertently granted admin access.
  5. Review the individuals or applications associated with the IAM entities that have admin access to confirm which privileges and entitlements they actually need.
  6. Remove admin access from the affected IAM entities to align with the FedRAMP Moderate Revision 4 requirements.

Necessary Codes

There are no specific codes associated with this rule. However, you will need to use the AWS Management Console or AWS Command Line Interface (CLI) to modify the IAM policies.

Step-by-Step Guide for Remediation

To remediate the IAM policies that grant admin access for FedRAMP Moderate Revision 4, follow these step-by-step instructions:

  1. Log in to the AWS Management Console or open your preferred AWS CLI tool.
  2. Identify the IAM user, role, or group with admin access that needs to be modified.
  3. Navigate to the IAM service in the AWS Management Console or use the relevant CLI command to modify the policy.
  4. Select the desired IAM entity and click on "Permissions" or run the equivalent AWS CLI command to view and edit the policy.
  5. Locate the policy statement that grants admin access. Review the policy statement to understand the implications and ensure it aligns with the FedRAMP Moderate Revision 4 requirements.
  6. Edit the policy statement to remove the admin access. This can be done by removing or modifying the relevant permissions, or by creating a new policy statement that grants only the necessary permissions.
  7. Save the changes to the policy.
  8. Repeat steps 2-7 for any remaining IAM entities with admin access.
  9. Conduct thorough testing to verify that the modified policies still allow the necessary actions while removing admin access.
  10. Once all the required IAM policies have been modified, conduct a final review to confirm that no IAM entities have admin access in their policy statements.

By following these steps, you can effectively remediate the IAM policies that violate the rule by granting admin access. Ensure all changes are thoroughly tested and align with the guidelines of FedRAMP Moderate Revision 4.
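The troubleshooting and remediation steps above hinge on two things: recognising a statement that grants admin access (steps 1 and 5) and confirming that the rewritten policy no longer contains one (steps 9 and 10). The following Python script is an added example and is not Cloud Defense's own detection logic. It assumes the common definition of an admin statement, namely Effect "Allow" with a bare wildcard Action ("*" or "*:*") on Resource "*", and runs that check over two constructed policy documents: the offending policy and a scoped replacement limited to the actions a workload actually needs. The bucket name and the Sids are placeholders.

```python
import json

# Constructed sample: a policy document in the shape returned by
# `aws iam get-policy-version` (its "Document" field), granting full admin.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed sample: the same policy after remediation, scoped to the
# permissions assumed to be needed (read-only access to one placeholder bucket).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports-bucket",
                "arn:aws:s3:::example-reports-bucket/*",
            ],
        }
    ],
}

# Action values that grant every API call in every service.
WILDCARD_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_admin_statement(statement):
    """Assumed definition of admin access: Effect=Allow, an Action that is a
    bare wildcard, and a Resource of '*'. A Condition block does not clear the
    finding; the statement is still flagged so a person reviews it.
    Statements built on NotAction are not evaluated here and need manual review."""
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    resources = set(_as_list(statement.get("Resource")))
    return bool(actions & WILDCARD_ACTIONS) and "*" in resources


def admin_statements(policy):
    """Return the Sid (or a positional label when no Sid is set) of every
    statement in the policy that grants admin access."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # IAM accepts a single statement object instead of a list
        stmts = [stmts]
    return [
        s.get("Sid", f"Statement[{i}]")
        for i, s in enumerate(stmts)
        if is_admin_statement(s)
    ]


if __name__ == "__main__":
    for name, doc in (("ADMIN_POLICY", ADMIN_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        found = admin_statements(doc)
        print(f"{name}: {'VIOLATION in ' + ', '.join(found) if found else 'compliant'}")
```

Running the script reports the "FullAdmin" statement as a violation and the scoped policy as compliant. Because the check only understands Allow statements with explicit Action and Resource keys, use it as a first pass when working through step 1 and the final review in step 10; statements that rely on NotAction or NotResource still have to be read by hand.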
