How to Find AWS IAM Policies with Full Administrative Privileges
IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant only the permissions required.
Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.
Prerequisites
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions
-
Execute the following
search
command in Fix Inventory Shell:> search is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action="*" and Resource="*")} and policy_attachment_count>0
kind=aws_iam_policy, ..., region=fixinventory-poweruser
kind=aws_iam_policy, ..., account=poweruser-team -
Pipe the
search
command into thedump
command:> search is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action="*" and Resource="*")} and policy_attachment_count>0 | dump
reported:
id: /aws/iam/123
name: some-name
ctime: '2022-12-05T22:53:14Z'
kind: aws_iam_policy
age: 2mo28dThe command output will list the details of all non-compliant
aws_iam_policy
resources.
Remediation
- Start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
- List policies to analyze if permissions are the least possible to conduct business activities.
Please refer to the AWS IAM documentation for details.