Ensure IAM Policy Does Not Grant Full Access to a Service

This rule checks that no IAM policy grants full access to a service, that is, an Allow statement whose Action is a service-wide wildcard such as s3:* or the bare *.

Rule: Ensure IAM policy should not grant full access to service
Framework: RBI Cyber Security Framework
Severity: Critical

Rule Description:

The rule ensures that no IAM (Identity and Access Management) policy in the organization's AWS environment grants full access to a service, in line with the RBI (Reserve Bank of India) Cyber Security Framework guidelines. A policy that allows every action of a service (for example s3:*, or * for all services) gives the attached user, group or role far more than it needs, so a compromised credential or a mistaken principal can read, modify or delete anything that service holds. Restricting policies to the specific actions and resources required reduces the risk of unauthorized access and limits the damage of a breach.

Troubleshooting Steps:

If any IAM policy is found to grant full access to a service, follow these troubleshooting steps:

  1. Identify the affected IAM policy by its name or ARN, or by reviewing the policies attached to the IAM user, group or role that was flagged.
  2. Verify whether the policy grants full access to one service or to several: look for Allow statements whose Action is * or <service>:*, and check whether any Condition narrows the grant.
  3. Assess the potential impact of granting full access to the affected service(s) based on the RBI Cyber Security Framework guidelines.
  4. Determine which users, groups and roles the policy is attached to and what level of access to the service(s) they currently have.
  5. Verify whether the policy was intended to grant full access; some use cases may legitimately require such access, and those should be documented and approved.
  6. If unauthorized or excessive access is identified, proceed with the remediation steps.

Remediation Steps:

Follow these steps to remediate an IAM policy that grants full access to a service:

  1. Use the AWS Management Console or the AWS CLI (Command Line Interface) for the following steps.

  2. Identify the IAM policy that needs to be modified or removed.

  3. Determine whether the policy is attached to a user, group, or role. Note that the list-attached-* commands below return only managed policies; inline policies must be listed separately with the corresponding list-*-policies command, otherwise a full-access inline policy is missed.

  4. If the policy is attached to a user:

    • List the user's managed policies:
      aws iam list-attached-user-policies --user-name <user-name>
    • List the user's inline policies:
      aws iam list-user-policies --user-name <user-name>
    • Identify the policy to be modified or removed from the response.
    • Proceed to step 7.

  5. If the policy is attached to a group:

    • List the group's managed policies:
      aws iam list-attached-group-policies --group-name <group-name>
    • List the group's inline policies:
      aws iam list-group-policies --group-name <group-name>
    • Identify the policy to be modified or removed from the response.
    • Proceed to step 7.

  6. If the policy is attached to a role:

    • List the role's managed policies:
      aws iam list-attached-role-policies --role-name <role-name>
    • List the role's inline policies:
      aws iam list-role-policies --role-name <role-name>
    • Identify the policy to be modified or removed from the response.
    • Proceed to step 7.

  7. Retrieve the policy document and confirm the finding. For a managed policy, read the default version (get-policy returns the DefaultVersionId):
      aws iam get-policy --policy-arn <policy-arn>
      aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
    For an inline policy, use get-user-policy, get-group-policy or get-role-policy with the policy name. If the document grants full access, modify it to adhere to the RBI Cyber Security Framework guidelines, or remove the policy if it is unnecessary.

  8. To modify the policy, open the IAM Policy Editor in the console or update the policy document programmatically. For a managed policy, publish the corrected document as a new default version:
      aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://policy.json --set-as-default
    IAM keeps at most five versions of a managed policy; if the limit is reached, remove an old version with delete-policy-version first.

  9. In the policy, replace service-wide wildcards (such as s3:*) with the specific actions the principal needs, scope Resource to the specific ARNs where possible, and align the result with the least privilege principle and the specific requirements of the RBI Cyber Security Framework.

  10. Save the modified policy and confirm that it no longer grants full access to the service(s).

  11. If the policy was removed, ensure that the affected user/group/role still has the permissions it needs through other policies.

  12. Test thoroughly to verify that the modified policy does not break the expected functionality.

  13. Track policy changes and review them regularly to ensure ongoing compliance with the RBI Cyber Security Framework guidelines.

By following these steps, you can ensure that IAM policies do not grant full access to any service as required by the RBI Cyber Security Framework.
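The check described in the troubleshooting and remediation steps above can be automated once the policy document is in hand. The following is an added example, not part of this rule page or of any Cloud Defense tooling: it inspects a policy document of the shape found in the Document field returned by aws iam get-policy-version (for example with --query PolicyVersion.Document) or by get-user-policy, and flags every Allow statement whose Action is * or <service>:*. It also treats NotAction grants as full access, since they allow everything except the listed actions, and ignores Deny statements. The two policies embedded at the bottom are constructed for illustration; their Sids and the example-audit-logs bucket name are made up.

```python
"""Detect IAM policy statements that grant full access to a service.

Added example, not part of the rule page or of any vendor tooling. It works on
a policy document as returned in the "Document" field of
`aws iam get-policy-version` or `aws iam get-user-policy`, so it needs no AWS
credentials. The sample policies below are constructed for illustration.
"""
import json
import re
from typing import Any

# An action grants a whole service when it is "*" or "<service>:*".
# Prefix wildcards such as "s3:Get*" are scoped and are not flagged here.
FULL_ACCESS_ACTION = re.compile(r"^(\*|[a-z0-9-]+:\*)$", re.IGNORECASE)


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for Action/NotAction; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_full_access(policy_document: dict) -> list[dict]:
    """Return one finding per Allow statement that grants a whole service.

    A finding records the statement Sid (or its index), the offending actions
    and whether a Condition narrows the grant, so a reviewer can judge the
    blast radius before changing anything. Deny statements are skipped: a
    Deny on "*" restricts rather than grants.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions, which is
            # full access to every service not named; always report it.
            findings.append({
                "sid": sid,
                "actions": [f"NotAction:{a}" for a in _as_list(stmt["NotAction"])],
                "conditioned": "Condition" in stmt,
            })
            continue
        broad = [a for a in _as_list(stmt.get("Action")) if FULL_ACCESS_ACTION.match(a)]
        if broad:
            findings.append({"sid": sid, "actions": broad,
                             "conditioned": "Condition" in stmt})
    return findings


def audit_policy_json(document_json: str) -> list[dict]:
    """Wrapper for a document piped in from the CLI as JSON text."""
    return find_full_access(json.loads(document_json))


# Constructed non-compliant policy: "s3:*" hands out the whole S3 service.
# The Deny statement is not a finding, it only narrows what the Allow gives.
NONCOMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "*",
         "Resource": "arn:aws:s3:::example-audit-logs/*"},
    ],
}

# Constructed remediated policy: the same principal limited to the two
# operations it actually needs, on one bucket (constructed name).
COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAuditLogs", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-audit-logs",
                      "arn:aws:s3:::example-audit-logs/*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("non-compliant", NONCOMPLIANT_POLICY),
                         ("compliant", COMPLIANT_POLICY)):
        findings = find_full_access(policy)
        print(f"{name}: {'FAIL' if findings else 'PASS'} {findings}")
```

To run it against a live account, loop over aws iam list-policies --scope Local, fetch each default version as above, and pass the Document to audit_policy_json; do the same for the inline policies returned by list-user-policies, list-group-policies and list-role-policies. A finding with "conditioned": True still deserves a look, because the Condition may or may not meaningfully restrict the grant.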
