IAM policies are the means by which privileges are granted to users, groups, and roles. Standard security practice is to grant least privilege, that is, to grant only the permissions required to perform a task. Providing full administrative privileges may expose resources to potentially unwanted actions.
- You determine what users need to do, then craft policies allowing them to perform only those tasks.
- You do not allow all users full administrative privileges.
- You start with a minimum set of permissions and grant additional permissions as necessary.
- IAM policies that have a statement with `"Effect": "Allow"` with `"Action": "*"` over `"Resource": "*"` are removed.
To detach the policy that has full administrative privileges, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- In the navigation pane, click Policies and then search for the policy name found in the audit step.
- Select the policy to be deleted.
- In the Policy Action menu, first select Detach.
- Select all Users, Groups, and Roles that have this policy attached.
- Click Detach Policy.
- In the Policy Action menu, select Detach.
To detach the policy that has full administrative privileges as found in the audit step, use the following commands:
- List all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
- Detach the policy from all IAM Users.
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
- Detach the policy from all IAM Groups.
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
- Detach the policy from all IAM Roles.
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
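The following is an added example, not code from the original page or from AWS's own tooling. It shows an offline check for the `"Effect": "Allow"` / `"Action": "*"` / `"Resource": "*"` statement the audit step looks for, and a helper that performs the list-then-detach steps above through a boto3 IAM client passed in by the caller (the client, the policy ARN and the sample policy documents are assumed or constructed here; boto3 itself is not imported, so the check runs without AWS access).

```python
import json


def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list of strings
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_policy(document):
    """True if any statement is Effect Allow with Action "*" over Resource "*"."""
    if isinstance(document, str):
        document = json.loads(document)
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def detach_from_all_entities(iam, policy_arn):
    """Detach policy_arn from every user, group and role it is attached to;
    `iam` is a boto3 IAM client (or a fake exposing the same method names)."""
    detached = []
    kwargs = {"PolicyArn": policy_arn}
    while True:
        # list_entities_for_policy pages with IsTruncated/Marker; follow every page
        page = iam.list_entities_for_policy(**kwargs)
        for u in page.get("PolicyUsers", []):
            iam.detach_user_policy(UserName=u["UserName"], PolicyArn=policy_arn)
            detached.append(("user", u["UserName"]))
        for g in page.get("PolicyGroups", []):
            iam.detach_group_policy(GroupName=g["GroupName"], PolicyArn=policy_arn)
            detached.append(("group", g["GroupName"]))
        for r in page.get("PolicyRoles", []):
            iam.detach_role_policy(RoleName=r["RoleName"], PolicyArn=policy_arn)
            detached.append(("role", r["RoleName"]))
        if not page.get("IsTruncated"):
            return detached
        kwargs["Marker"] = page["Marker"]


# Constructed sample policy documents (not taken from any real account)
FULL_ADMIN = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}
```

With a real client, `detach_from_all_entities(boto3.client("iam"), policy_arn)` performs the same three detach commands listed above for every attached entity, after which the policy can be deleted.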