IAM Policy with No Admin Access Statement Rule
This rule ensures IAM policies do not grant admin access, promoting security best practices.
| Rule | IAM policy should not have statements with admin access |
| Framework | HIPAA |
| Severity | ✔ High |
Rule / Policy Description:
This rule ensures that IAM policies do not include statements granting administrative access for HIPAA (Health Insurance Portability and Accountability Act) related resources in a cloud environment. Admin access should be carefully restricted to prevent unauthorized access and potential misuse of sensitive healthcare information protected by HIPAA regulations.
Troubleshooting Steps:
- 1.Identify the policy statement(s) granting admin access for HIPAA resources.
- 2.Verify if the policy statement is necessary for legitimate business reasons or if it can be modified to provide more restricted access.
- 3.If the policy statement is found to be unauthorized or unnecessary, proceed with remediation steps.
Necessary Code:
No specific code is required for this policy. It focuses on reviewing and modifying existing IAM policies that grant admin access for HIPAA resources.
Remediation Steps:
- 1.Identify the IAM policy associated with the HIPAA resources that includes admin access.
- 2.Open the IAM console or use the AWS CLI (Command Line Interface) to access the IAM policy.
- 3.Remove the statement(s) granting admin access for HIPAA resources.
- 4.Validate the changes made to the policy to ensure no unintended access restrictions have been introduced.
- 5.Monitor the affected resources and user activity to confirm that the appropriate access control has been implemented.
- 6.Document the changes made to the policy for future reference and auditing purposes.
Amazon Web Services (AWS) - IAM Console Steps:
- 1.Sign in to the AWS Management Console.
- 2.Navigate to the IAM service.
- 3.Select "Policies" from the left sidebar menu.
- 4.Locate the policy associated with HIPAA resources.
- 5.Click on the policy name to open its details.
- 6.Review the policy statements and identify the one(s) granting admin access.
- 7.Click on the "Edit policy" button.
- 8.Remove the admin access statement(s) as required.
- 9.Validate and save the policy changes.
Amazon Web Services (AWS) - CLI Steps:
- 1.
Install and configure the AWS CLI, if not already done.
- 2.
Open a terminal or command prompt.
- 3.
Run the following command to retrieve the policy document for the associated HIPAA IAM policy:
aws iam get-policy-version --policy-arn arn:aws:iam::Aws_account_id:policy/PolicyName --version-id v1Replace
andAws_account_id
with the actual values.PolicyName - 4.
Identify the policy statement(s) granting admin access in the retrieved policy document.
- 5.
Remove the admin access statement(s) from the policy document.
- 6.
Run the following command to update the policy:
aws iam create-policy-version --policy-arn arn:aws:iam::Aws_account_id:policy/PolicyName --policy-document file:///path/to/modified_policy.json --set-as-defaultReplace
,Aws_account_id
, andPolicyName
with the actual values./path/to/modified_policy.json - 7.
Validate the updated policy using the AWS CLI or IAM console.
- 8.
Monitor the related resources and user activity to ensure the desired access restrictions are in place.
Note:
- Ensure that only authorized personnel have access to modify IAM policies.
- Regularly review IAM policies to detect and address any unauthorized admin access for HIPAA resources.