Skip to main content
Version: 3.2.6

How to Find AWS IAM policies with full administrative privileges

Problem

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites

This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.

Directions

  1. Execute the following search command in Resoto Shell or Resoto UI:

    > search is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action="*" and Resource="*")} and policy_attachment_count>0
    ​kind=aws_iam_policy, ..., region=resoto-poweruser
    ​kind=aws_iam_policy, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action="*" and Resource="*")} and policy_attachment_count>0 | dump
    ​reported:
    ​ id: /aws/iam/123
    ​ name: some-name
    ​ ctime: '2022-12-05T22:53:14Z'
    ​ kind: aws_iam_policy
    ​ age: 2mo28d

    The command output will list the details of all non-compliant aws_iam_policy resources.

  3. Fix detected issues by following the remediation steps:

    • Start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
    • List policies to analyze if permissions are the least possible to conduct business activities.
    note

    Please refer to the AWS IAM documentation for details.

Further Reading