
IAM Policy: No Star Star Rule

This rule ensures IAM policy does not contain statements granting admin access.

Rule: IAM policy should not have statements with admin access
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

This rule checks, in line with the NIST 800-53 Revision 5 security framework, that IAM policies contain no statements granting admin access, i.e. an Allow statement with Action "*" on Resource "*" (the "star star" the rule is named for). Admin access grants unrestricted privileges, which poses a significant security risk to the system. The rule enforces the principle of least privilege by flagging unnecessary administrative access in IAM policies.

Troubleshooting Steps:

  1. Identify the IAM policy that violates the rule.
  2. Review the statements within the policy to find any that grant admin access.
  3. Ensure that there is a legitimate need for such high-level privileges in the policy. If not, proceed with the remediation steps.

Remediation:

  1. Identify the user or role associated with the IAM policy that contains admin access statements.
  2. Evaluate their actual requirements for admin access and make sure they align with the principle of least privilege.
  3. Create a new IAM policy, or modify the existing one, to remove the admin access statements while still allowing the permissions the user or role needs.
  4. Attach the new policy, or the updated version of the existing policy, to the respective user or role.
  5. Test the revised IAM policy to ensure it provides the required permissions without granting admin access.
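The troubleshooting and remediation steps above find the offending statements by hand. As an added example, not part of the Cloud Defense rule page, the following Python checker implements the same "star star" test over policy documents and shows a flagged policy beside a least-privilege rewrite. The two sample policies and the bucket name are constructed placeholders. The handling of NotAction and NotResource generalises slightly beyond the page's literal Action "*" / Resource "*" case, since an Allow on everything except a short exclusion list is still effectively admin access.

```python
import json
import sys

# Constructed sample policy documents (not taken from the original page).
# ADMIN_POLICY is the "star star" shape the rule flags; SCOPED_POLICY is a
# least-privilege rewrite that keeps only the permissions a workload needs.
# The bucket name is a placeholder.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_full_wildcard(entries):
    """True when any entry is the bare '*' (every action or every resource)."""
    return any(isinstance(e, str) and e.strip() == "*" for e in entries)


def find_admin_statements(policy_document):
    """Return the indexes of statements that grant admin access.

    A statement is flagged when it is an Allow whose action side and resource
    side are both unbounded.  The action side is unbounded for Action "*" and
    (an assumption going beyond the page's literal star-star case) for
    NotAction, which allows every action except an exclusion list; the
    resource side is unbounded for Resource "*" or NotResource.  Deny
    statements never count.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        unbounded_action = "NotAction" in stmt or _has_full_wildcard(
            _as_list(stmt.get("Action"))
        )
        unbounded_resource = "NotResource" in stmt or _has_full_wildcard(
            _as_list(stmt.get("Resource"))
        )
        if unbounded_action and unbounded_resource:
            flagged.append(idx)
    return flagged


def is_compliant(policy_document):
    """True when the policy has no admin-access statement."""
    return not find_admin_statements(policy_document)


def report(name, policy_document):
    """One-line summary for a policy document."""
    hits = find_admin_statements(policy_document)
    status = "PASS" if not hits else f"FAIL (statement index {hits})"
    return f"{name}: {status}"


if __name__ == "__main__":
    # Usage: python check_star_star.py [policy.json ...]
    # With file arguments each document is read from disk (for example the
    # saved output of `aws iam get-policy-version`); otherwise the samples run.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                doc = json.load(fh)
            # get-policy-version wraps the document in PolicyVersion.Document
            doc = doc.get("PolicyVersion", {}).get("Document", doc)
            print(report(path, doc))
    else:
        print(report("ADMIN_POLICY", ADMIN_POLICY))
        print(report("SCOPED_POLICY", SCOPED_POLICY))
```

To run it against a real customer managed policy, save the current default version with `aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>` (the default version id comes from `aws iam get-policy`) and pass the file to the script; the checker unwraps the PolicyVersion.Document envelope that command produces.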

CLI Command:

To create a new IAM policy (if needed):

aws iam create-policy --policy-name <policy-name> --policy-document file://<policy-document.json>

To update an existing customer managed IAM policy (there is no update-policy command; a managed policy is changed by publishing a new version and making it the default, and a policy can hold at most five versions, so delete an old one with delete-policy-version if the limit is reached):

aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://<policy-document.json> --set-as-default

To attach the policy to a user:

aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>

To attach the policy to a role:

aws iam attach-role-policy --role-name <role-name> --policy-arn <policy-arn>

Note:

Replace the placeholders within angle brackets ('<>') with the actual values specific to your environment. Ensure that you have the necessary permissions to perform these actions.
