This rule ensures IAM policy does not contain admin access statements.
| Rule | IAM policy should not have statements with admin access |
| Framework | RBI Cyber Security Framework |
| Severity | High |
Description:
The RBI (Reserve Bank of India) Cyber Security Framework is a set of guidelines and regulations aimed at ensuring the security of financial institutions in India. As part of this framework, it is crucial to limit access privileges and prevent principals from being granted administrative access through IAM policies. This rule ensures that IAM policies do not contain statements granting admin access (an Allow on all actions against all resources), thereby enhancing the security posture of the organization.
Troubleshooting Steps:
If there are IAM policies that violate this rule, follow these steps to troubleshoot and remediate the issue:
Identify the IAM policies: Obtain a list of all IAM policies in the organization.
Review the policies: Analyze each IAM policy to identify any statements that provide admin access.
Validate the access requirement: Determine if the admin access provided in the IAM policy is necessary for the user or service associated with it. If not, proceed to remediation steps. If it is required, document the justification for future reference.
Remediation:
To remediate the issue where an IAM policy provides admin access:
Open the AWS Management Console and navigate to the IAM service.
Identify the IAM policy requiring modification.
Click on the policy name to open its details.
Select the "Edit policy" button to modify the policy's JSON document.
Locate the statement providing admin access within the JSON structure.
Remove the admin access statement or replace it with more granular permissions as required.
Save the changes to the IAM policy.
Review the updated policy to ensure it meets the requirements outlined by the RBI Cyber Security Framework.
Repeat the steps for any other IAM policies that require modification.
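The following Python check is an added example, not part of this rule's documentation or of any AWS tool: it automates the "review the policies" and "remove the admin access statement" steps above against an IAM policy document. The sample policy, its Sids and the bucket name are constructed for illustration.

```python
import json

# Constructed sample: a customer-managed policy with one admin statement
# beside a properly scoped statement (example data, not from a real account).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}
  ]
}""")

ADMIN_ACTIONS = {"*", "*:*"}   # forms IAM accepts as "every action"

def _as_list(value):
    """Statement, Action and Resource may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_admin_statements(policy):
    """Return the Sid (or index when no Sid) of each statement granting admin access.

    A statement is flagged when Effect is Allow, Action includes "*" or "*:*"
    and Resource includes "*". A Condition block does not exempt it: a
    conditional full grant is still an admin statement under this rule.
    Statements written with NotAction/NotResource are out of scope here.
    """
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        if actions & ADMIN_ACTIONS and "*" in resources:
            flagged.append(stmt.get("Sid", idx))
    return flagged

def remove_admin_statements(policy):
    """Return a copy of the policy with every admin statement dropped (the
    caller then adds granular statements for the access that is justified)."""
    keep = [s for s in _as_list(policy.get("Statement"))
            if not find_admin_statements({"Statement": [s]})]
    return {**policy, "Statement": keep}

if __name__ == "__main__":
    print("admin statements:", find_admin_statements(SAMPLE_POLICY))
    print(json.dumps(remove_admin_statements(SAMPLE_POLICY), indent=2))
```

Run it against each policy version pulled from the account (for example, the output of `aws iam get-policy-version`) before editing; any Sid it reports is a statement to remove or scope down.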
Note: Document all the changes made to IAM policies for auditing and compliance purposes.
Additional Recommendations:
Regularly review and update IAM policies to ensure they align with the organization's security standards and comply with the RBI Cyber Security Framework.
Use AWS IAM Access Analyzer to identify any unintended access and potential violations of the RBI Cyber Security Framework.
Implement least privilege access by providing users and services only the permissions required for their respective tasks.
Monitor and log IAM policy changes to detect any unauthorized modifications.
Consider implementing automated policy validation and compliance checks using AWS Config Rules or third-party tools to prevent policy violations in the future.
Provide appropriate training and awareness programs to employees and stakeholders regarding the importance of adhering to IAM policy guidelines.
Conclusion:
By ensuring that IAM policies do not contain statements with admin access, organizations can maintain compliance with the RBI Cyber Security Framework. This proactive measure helps to mitigate potential security risks associated with excessive privileges and enhances the overall security posture of financial institutions in India.