
IAM Policy Rule: Avoid Admin Access Statements

This rule ensures IAM policies do not contain statements granting admin access.

Rule: IAM policy should not have statements with admin access
Framework: NIST 800-171 Revision 2
Severity: High

IAM Policy Rule Description:

This rule ensures that the IAM (Identity and Access Management) policies in an organization do not contain any statements granting administrative access, in compliance with the NIST (National Institute of Standards and Technology) 800-171 Revision 2 guidelines.

Troubleshooting Steps:

  1. Identify the IAM policy with admin access statements.
  2. Review each policy statement to determine if it grants admin access.
  3. Verify the NIST 800-171 Revision 2 guidelines for policy requirements.
  4. Modify the policy statement(s) to remove admin access.
  5. Validate the updated policy to ensure compliance.

Necessary Code:

There is no specific code required for this rule. However, you can use AWS CLI (Command Line Interface) to interact with IAM policies if needed.

Step-by-Step Guide for Remediation:

Step 1: Identify the IAM Policy

  1. Log in to the AWS Management Console.

Step 2: Review Policy Statements

  1. Navigate to the IAM service.
  2. Click on "Policies" in the left-hand menu.
  3. Search for the policy that needs to be reviewed.

Step 3: Verify Policy Requirements

  1. Refer to the NIST 800-171 Revision 2 guidelines to understand the specific policy requirements.
  2. Review each policy statement to identify any admin access grants.
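As an added example (not part of the original rule page), the following Python checker applies the usual definition of an admin statement to a policy document offline: an Allow statement whose Action is "*" or "*:*" on Resource "*". It goes one step beyond the literal wildcard check by also flagging Allow statements that use NotAction on Resource "*", since those permit every action not listed. The sample policy is constructed for the example.

```python
import json

# Wildcards AWS treats as "every action" / "every resource".
ADMIN_WILDCARDS = {"*", "*:*"}


def _as_list(value):
    """IAM accepts a single string or a list of strings; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(stmt):
    """True if a statement grants full admin access: Allow on all resources with
    all actions (Action "*"/"*:*") or with a NotAction exclusion list, which
    allows everything else. Deny statements are never admin access."""
    if stmt.get("Effect") != "Allow":
        return False
    resources = _as_list(stmt.get("Resource"))
    if not any(r in ADMIN_WILDCARDS for r in resources):
        return False
    if "NotAction" in stmt:
        return True  # Allow + NotAction on "*": broader than the rule's literal check
    actions = _as_list(stmt.get("Action"))
    return any(a in ADMIN_WILDCARDS for a in actions)


def find_admin_statements(policy_document):
    """Return (index, Sid) for every admin-access statement in a policy.
    Accepts a JSON string or an already-parsed dict."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    # "Statement" may itself be a single object rather than a list.
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if is_admin_statement(stmt):
            findings.append((i, stmt.get("Sid", "<no Sid>")))
    return findings


# Constructed sample policy: one scoped statement, one full-admin statement,
# and one Deny with wildcards (which must not be flagged).
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for idx, sid in find_admin_statements(SAMPLE_POLICY):
        print(f"admin access granted by statement {idx} (Sid: {sid})")
```

Run it against a policy document exported from the console or from `aws iam get-policy-version`; any statement it reports is a candidate for Step 4.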

Step 4: Modify Policy Statements

  1. If you find any policy statement granting admin access:
     • Click on the policy name to open it.
     • Find the statement with admin access and remove it.
     • Save the policy.

Step 5: Validate Policy Compliance

  1. Use the AWS CLI to validate the updated policy for compliance with NIST 800-171 Revision 2.

     • Run the following command (simulate-custom-policy requires --action-names; "s3:GetObject" below is a placeholder for the action(s) you want to test):
       aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:GetObject --resource-arns arn:aws:s3:::example-bucket

     Note: Make sure to replace "policy.json" with the path to the JSON file containing your policy statement(s), "s3:GetObject" with the action(s) to evaluate, and "arn:aws:s3:::example-bucket" with an appropriate resource ARN. The simulation only reports a decision for the actions you name, so include actions the policy should not allow.

  2. Review the policy simulation results. Verify that no admin access is granted in the evaluated policy.

Conclusion:

By following this step-by-step guide, you can ensure compliance with the NIST 800-171 Revision 2 guidelines by eliminating IAM policy statements that grant admin access. Regularly reviewing and updating policies will help maintain a secure and compliant IAM configuration.
