standard
turbot/aws_cis

Pipeline: 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached

Description

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow" with "Action": "" over "Resource": "" should be removed.

Remediation

From Console:

Perform the following to detach the policy that has full administrative privileges:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy that needs to be deleted.
  4. In the policy action menu, select first Detach.
  5. Select all Users, Groups, Roles that have this policy attached.
  6. Click Detach Policy.
  7. In the policy action menu, select Detach.

From Command Line:

Perform the following to detach the policy that has full administrative privileges as found in the audit step:

  1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
  1. Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
  1. Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
  1. Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run aws_cis.pipeline.cis_v300_1_16

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
pipeline = aws_cis.pipeline.cis_v300_1_16
}

Params

NameTypeRequiredDescriptionDefault
database
connection.steampipe
YesDatabase connection string.connection.steampipe.default
notifier
notifier
YesThe name of the notifier to use for sending notification messages.notifier.default
notification_level
string
YesThe verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.info
approvers
list(notifier)
YesList of notifiers to be used for obtaining action/approval decisions.notifier.default

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/1 Identity and Access Management