IAM policies should not have full “*:*” administrative privileges¶
Description¶
IAM policies should start with a minimum set of permissions and include more as needed rather than starting with full administrative privileges. Providing full administrative privileges when unnecessary exposes resources to potentially unwanted actions.
Remediation Steps¶
AWS Console¶
Navigate to Identity and Access Management.
In the left navigation, select Policies.
Select the Policy and edit the document to define only the necessary permissions to ensure least privilege.
Repeat for each policy whose statements have Effect set to Allow, Action set to * and Resource set to *.
AWS CLI¶
List all IAM users, groups, and roles that the specified managed policy is attached to:
aws iam list-entities-for-policy --policy-arn <policy_arn>
Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
CloudFormation¶
JSON¶
Ensure that IAM policy definitions in AWS::IAM::Policy, AWS::IAM::Group, AWS::IAM::Role, or AWS::IAM::User resources do not have Effect set to Allow and Action and Resource set to * in a PolicyDocument block.
JSON Example Configuration¶
{
  "ValidRole01": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ec2.amazonaws.com"
              ]
            },
            "Action": [
              "sts:AssumeRole"
            ]
          }
        ]
      }
    }
  },
  "ValidPolicy01": {
    "Type": "AWS::IAM::Policy",
    "Properties": {
      "Roles": [
        { "Ref": "ValidRole01" }
      ],
      "PolicyName": "valid_policy_01",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": [
            "ec2:StartInstances"
          ],
          "Resource": [
            "*"
          ]
        }
      }
    }
  }
}
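As an added example (not part of the original page), a small Python check that applies this rule's condition to a PolicyDocument: it treats Statement, Action and Resource as either a single value or a list, as IAM permits, and is run against a constructed document mirroring ValidPolicy01 above and a constructed one containing a full administrative statement.

```python
import json

# Policy documents constructed for this example. The first mirrors ValidPolicy01
# above (least privilege); the second contains the pattern the rule flags:
# Effect Allow, Action * and Resource *.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["ec2:StartInstances"], "Resource": ["*"]},
}
FULL_ADMIN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

ALL_ACTIONS = {"*", "*:*"}  # both spellings denote every action of every service


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def offending_statements(policy_document):
    """Indexes of statements that allow every action on every resource.
    Accepts a parsed document (dict) or the raw JSON text. Deny statements and
    statements that scope Action or Resource are never reported; NotAction and
    NotResource lie outside this rule's condition and are not examined.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    hits = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))
        if actions & ALL_ACTIONS and "*" in resources:
            hits.append(idx)
    return hits


def grants_full_admin(policy_document):
    """True when at least one statement grants full administrative privileges."""
    return bool(offending_statements(policy_document))
```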
YAML¶
Ensure that IAM policy definitions in AWS::IAM::Policy, AWS::IAM::Group, AWS::IAM::Role, or AWS::IAM::User resources do not have Effect set to Allow and Action and Resource set to * in a PolicyDocument block.
YAML Example Configuration¶
ValidRole01:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: ['ec2.amazonaws.com']
          Action:
            - sts:AssumeRole
    # other required fields here
ValidPolicy01:
  Type: AWS::IAM::Policy
  Properties:
    Roles:
      - !Ref ValidRole01
    PolicyName: valid_policy_01
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        Effect: Allow
        Action:
          - 'ec2:StartInstances'
        Resource:
          - '*'
    # other required fields here
Terraform¶
Ensure that IAM policy definitions in aws_iam_policy resources, or inline in aws_iam_group_policy, aws_iam_role_policy, and aws_iam_user_policy resources, do not have Effect set to “Allow” and Action and Resource set to * in the policy block.