IAM Policy Should Not Have Statements with Admin Access Rule
This rule ensures IAM policies do not grant admin access, promoting security best practices.
| Rule | IAM policy should not have statements with admin access |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description: IAM policy should not have statements with admin access for NIST 800-171 Revision 2.
Rule Overview:
This rule is designed to ensure that IAM policies within an AWS account comply with NIST 800-171 Revision 2 security requirements. Specifically, the rule checks for any statements that grant admin access privileges within IAM policies and aims to remediate such findings, as admin access should be restricted to only a limited number of trusted individuals or entities.
Compliance Standard:
This rule is aligned with NIST 800-171 Revision 2, which is a set of security requirements for the protection of Controlled Unclassified Information (CUI) within non-federal systems and organizations.
Identifying Non-compliant Policies:
Troubleshooting Steps:
- 1.Access the AWS Management Console.
- 2.Go to the IAM service.
- 3.Select "Policies" from the left-hand menu.
- 4.Review the list of policies and identify any that contain statements with admin access.
Non-compliant Policy Examples:
The following is an example of a policy statement that grants admin access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Remediation Steps:
To remediate IAM policies with admin access statements, follow the steps below:
- 1.Identify the specific policy that contains the non-compliant statement(s) as explained in the "Troubleshooting Steps" section.
- 2.Edit the policy to remove the admin access statements using the AWS Command Line Interface (CLI) or the AWS Management Console.
- 3.Replace the admin access statement with specific permissions required by the user or group.
CLI Command Example:
The following is an example of a CLI command to modify an IAM policy removing the admin access statement:
aws iam update-policy --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --policy-document file://policy.json
Note: Replace
arn:aws:iam::123456789012:policy/MyPolicypolicy.json- 1.Save and apply the modified policy.
Additional Recommendations:
- 1.Review your IAM policies regularly to ensure they continue to meet your organization's security requirements.
- 2.Implement the principle of least privilege, granting only the necessary permissions for users or groups to perform their intended tasks.
- 3.Consider using AWS Identity and Access Management (IAM) best practices guidelines to strengthen your overall access control and security posture.
- 4.Regularly audit and monitor IAM policies for any unauthorized changes or suspicious activities.