IAM Policy Should Not Have Statements with Admin Access Rule

This rule ensures IAM policies do not grant admin access, promoting security best practices.

Rule: IAM policy should not have statements with admin access
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description: IAM policy should not have statements with admin access for NIST 800-171 Revision 2.

Rule Overview:

This rule is designed to ensure that IAM policies within an AWS account comply with NIST 800-171 Revision 2 security requirements. Specifically, the rule checks IAM policies for any statement that grants admin access privileges and flags such findings for remediation, as admin access should be restricted to a limited number of trusted individuals or entities.

Compliance Standard:

This rule is aligned with NIST 800-171 Revision 2, which is a set of security requirements for the protection of Controlled Unclassified Information (CUI) within non-federal systems and organizations.

Identifying Non-compliant Policies:

Troubleshooting Steps:

  1. Access the AWS Management Console.
  2. Go to the IAM service.
  3. Select "Policies" from the left-hand menu.
  4. Review the list of policies and identify any that contain statements with admin access.

Non-compliant Policy Examples:

The following is an example of a policy statement that grants admin access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
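The check this rule performs can be scripted against policy documents pulled from an account. The following is an added example (not Cloud Defense's own code) that flags the admin-access pattern shown above, handles the string-or-list forms IAM allows for Statement, Action and Resource, and produces a copy of the policy with the offending statements removed so that scoped permissions can be put in their place. The sample policies in it are constructed for the demo.

```python
import json


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(policy_document):
    """Return indices of statements that grant admin access: Effect Allow, Action "*", Resource "*".

    Accepts a dict or the JSON text of a policy document. A Condition block does not
    exempt a statement; the rule flags it regardless, and a reviewer decides.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny of "*" on "*" is not admin access
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            flagged.append(idx)
    return flagged


def strip_admin_statements(policy_document):
    """Return a copy of the policy without its admin statements.

    The caller then adds the specific permissions the principal actually needs
    before publishing the document as a new policy version.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    bad = set(admin_statements(policy_document))
    kept = [s for i, s in enumerate(_as_list(policy_document.get("Statement"))) if i not in bad]
    return {**policy_document, "Statement": kept}


# Constructed sample policies for the demo (not taken from any real account).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
MIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:ListUsers", "*"], "Resource": ["*"]}]}

if __name__ == "__main__":
    for name, doc in (("ADMIN_POLICY", ADMIN_POLICY), ("MIXED_POLICY", MIXED_POLICY)):
        print(name, "admin statements at indices", admin_statements(doc))
    print(json.dumps(strip_admin_statements(MIXED_POLICY), indent=2))
```

In a real audit the document for each customer managed policy comes from the default version returned by get-policy-version; the hidden Deny statement in the sample shows why the Effect check matters.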

Remediation Steps:

To remediate IAM policies with admin access statements, follow the steps below:

  1. Identify the specific policy that contains the non-compliant statement(s) as explained in the "Troubleshooting Steps" section.
  2. Edit the policy to remove the admin access statements using the AWS Command Line Interface (CLI) or the AWS Management Console.
  3. Replace the admin access statement with specific permissions required by the user or group.

CLI Command Example:

The following is an example of a CLI command that publishes the modified policy document, with the admin access statement removed, as the new default version of a customer managed policy (the AWS CLI has no "update-policy" command; a managed policy is changed by creating a new version):

aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --policy-document file://policy.json --set-as-default

A managed policy can hold at most five versions, so if the command fails with a LimitExceeded error, delete an old non-default version with "aws iam delete-policy-version" first.

Note: Replace arn:aws:iam::123456789012:policy/MyPolicy with the ARN of the actual policy and policy.json with the path to the modified policy document file.

  4. Save and apply the modified policy.

Additional Recommendations:

  1. Review your IAM policies regularly to ensure they continue to meet your organization's security requirements.
  2. Implement the principle of least privilege, granting only the necessary permissions for users or groups to perform their intended tasks.
  3. Consider using the AWS Identity and Access Management (IAM) best practices guidelines to strengthen your overall access control and security posture.
  4. Regularly audit and monitor IAM policies for any unauthorized changes or suspicious activities.
