How to Find AWS IAM policies with full administrative privileges

Problem

IAM policies are the means by which privileges are granted to users, groups, or roles. Standard security advice is to grant least privilege, that is, only the permissions required to perform a task. Determine what users need to do, then craft policies that let them perform only those tasks rather than granting full administrative privileges. Granting full administrative privileges instead of the minimum set of permissions a user actually needs exposes resources to potentially unwanted actions.

Info: This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites

This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.

Directions

  1. Execute the following search command in Resoto Shell or Resoto UI:

    > search is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action="*" and Resource="*")} and policy_attachment_count>0
    kind=aws_iam_policy, ..., region=resoto-poweruser
    kind=aws_iam_policy, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action="*" and Resource="*")} and policy_attachment_count>0 | dump
    reported:
     id: /aws/iam/123
     name: some-name
     ctime: '2022-12-05T22:53:14Z'
     kind: aws_iam_policy
     age: 2mo28d

    The command output will list the details of all non-compliant aws_iam_policy resources.

  3. Fix detected issues by following the remediation steps:

    • Start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
    • Review existing policies to verify that they grant only the permissions needed for the business tasks they serve.

    Note: Please refer to the AWS IAM documentation for details.
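
The search filter above can be reproduced outside Resoto, for example when reviewing exported policy documents. The following is an added example, not part of this guide or of Resoto; it assumes nodes shaped after the attribute path the search uses (`policy_document.document.Statement`, `policy_attachment_count`), uses constructed sample policies, and additionally accepts the list forms (`["*"]`) that the IAM policy grammar also permits.

```python
# Constructed sample nodes (not real account data), shaped after the Resoto
# attribute path used in the search: policy_document.document.Statement and
# policy_attachment_count.
SAMPLE_POLICIES = [
    {"name": "full-admin", "policy_attachment_count": 2,
     "policy_document": {"document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    {"name": "full-admin-list-form", "policy_attachment_count": 1,
     "policy_document": {"document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}}},
    {"name": "full-admin-unattached", "policy_attachment_count": 0,
     "policy_document": {"document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    {"name": "scoped-s3-read", "policy_attachment_count": 3,
     "policy_document": {"document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::example-bucket/*"},
         {"Effect": "Deny", "Action": "*", "Resource": "*"}]}}},
]


def _as_list(value):
    """IAM accepts Action/Resource as a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(document: dict) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*".

    Mirrors the Resoto filter from the guide; in addition it accepts the
    list forms (["*"]) and a single statement object instead of a list.
    """
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny on "*" is not the finding we are looking for
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def non_compliant(policies) -> list:
    """Names of attached policies that grant full administrative privileges."""
    return [p["name"] for p in policies
            if p.get("policy_attachment_count", 0) > 0
            and grants_full_admin(p["policy_document"]["document"])]


if __name__ == "__main__":
    print(non_compliant(SAMPLE_POLICIES))  # ['full-admin', 'full-admin-list-form']
```

An unattached policy is skipped, matching the `policy_attachment_count>0` clause, because it grants nothing until it is attached to a user, group or role.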

Further Reading