This rule ensures IAM policies do not grant admin access, promoting security best practices.
Rule | IAM policy should not have statements with admin access
Framework | NIST 800-171 Revision 2
Severity | High
Rule Description: IAM policy should not have statements with admin access for NIST 800-171 Revision 2.
Rule Overview:
This rule is designed to ensure that IAM policies within an AWS account comply with NIST 800-171 Revision 2 security requirements. Specifically, the rule checks each IAM policy for statements that grant admin access privileges and flags such statements for remediation, since admin access should be restricted to a limited number of trusted individuals or entities.
Compliance Standard:
This rule is aligned with NIST 800-171 Revision 2, which is a set of security requirements for the protection of Controlled Unclassified Information (CUI) within non-federal systems and organizations.
Identifying Non-compliant Policies:
Troubleshooting Steps:
Non-compliant Policy Examples:
The following is an example of a policy statement that grants admin access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Remediation Steps:
To remediate IAM policies with admin access statements, follow the steps below:
CLI Command Example:
The following is an example of a CLI command that publishes a new default version of a customer managed IAM policy from a policy document in which the admin access statement has been removed (the AWS CLI has no update-policy command; managed policies are changed by creating a new version):
aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/MyPolicy --policy-document file://policy.json --set-as-default
Note: Replace arn:aws:iam::123456789012:policy/MyPolicy with the ARN of the actual policy and policy.json with the path to the modified policy document file.
Additional Recommendations:
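The check this rule performs (an Allow statement whose Action and Resource both contain "*") and the cleanup that produces the policy.json fed to the CLI step can be done offline with a few lines of Python. This is an added example, not code from the page or from AWS; the sample policy, the Sids and the account id 123456789012 in it are constructed, and it handles the string-or-list forms IAM accepts for Action, Resource and Statement.

```python
import json

# Constructed sample policy document: one admin statement plus one
# narrowly scoped statement that must survive remediation.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(stmt):
    """True when a statement allows every action on every resource (Allow / * / *).

    Deny statements are never admin grants, so they are skipped.
    """
    if stmt.get("Effect") != "Allow":
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def find_admin_statements(policy_document):
    """Return the Sid (or #index when no Sid) of every admin statement in a policy JSON string."""
    statements = _as_list(json.loads(policy_document).get("Statement"))
    return [s.get("Sid", f"#{i}") for i, s in enumerate(statements) if is_admin_statement(s)]


def remove_admin_statements(policy_document):
    """Return a new policy document (JSON string) with the admin statements dropped."""
    policy = json.loads(policy_document)
    kept = [s for s in _as_list(policy.get("Statement")) if not is_admin_statement(s)]
    return json.dumps({**policy, "Statement": kept}, indent=2)


if __name__ == "__main__":
    print("admin statements:", find_admin_statements(SAMPLE_POLICY))
    print(remove_admin_statements(SAMPLE_POLICY))  # write this to policy.json for the CLI step
```

A managed policy can hold at most five versions, so if create-policy-version fails on that limit, delete an unused version with aws iam delete-policy-version first.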