Ensure IAM policies that allow full administrative privileges are not created

Error: IAM policies that allow full administrative privileges are created

Bridgecrew Policy ID: BC_AWS_IAM_23
Checkov Check ID: CKV_AWS_1
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

IAM policies that allow full administrative privileges are created

Description

IAM policies are the means by which privileges are granted to users, groups, and roles. Standard security practice is to grant least privilege, that is, to grant only the permissions required to perform a task. Providing full administrative privileges may expose resources to potentially unwanted actions.
We recommend:

  • You determine what users need to do, then craft policies allowing them to perform only those tasks.
  • You do not allow all users full administrative privileges.
  • You start with a minimum set of permissions and grant additional permissions as necessary.
  • IAM policies that have a statement with Effect: Allow with Action: "*" over Resource: "*" are removed.
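The condition above is a simple check on the policy document: any statement with Effect "Allow", Action "*" and Resource "*" is full administrative access. The following is an added example written for this page, not Checkov's own implementation of CKV_AWS_1. It runs the check over the passing policy from the Terraform example further down and over a constructed failing policy, and it handles the scalar-or-list forms IAM accepts for Statement, Action and Resource. NotAction and NotResource forms are assumed out of scope, mirroring the rule as stated.

```python
"""Detect IAM policy statements that grant full administrative privileges.

Added example, not Checkov's code: flags any statement with Effect "Allow",
Action "*" and Resource "*". Policy documents are embedded so it runs offline.
"""
import json
from typing import Any, Dict, List, Union

# The passing policy from the Terraform example on this page.
PASSING_POLICY = """{
  "Statement": [
    {"Action": ["s3:ListBucket*", "s3:HeadBucket", "s3:Get*"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::b1", "arn:aws:s3:::b1/*",
                  "arn:aws:s3:::b2", "arn:aws:s3:::b2/*"],
     "Sid": ""},
    {"Action": "s3:PutObject*", "Effect": "Allow",
     "Resource": "arn:aws:s3:::b1/*", "Sid": ""}
  ],
  "Version": "2012-10-17"
}"""

# Constructed failing policy. The scalar-vs-list variations are deliberate:
# IAM accepts both, so a checker must normalise before comparing.
FAILING_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyLogs", "Effect": "Allow", "Action": "logs:Get*", "Resource": "*"},
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": ["*"]},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": ["*"], "Resource": "*"}
  ]
}"""


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt: Dict[str, Any]) -> bool:
    """True for Effect: Allow with Action "*" over Resource "*".

    Deny statements are never flagged. NotAction/NotResource forms are not
    examined (assumption: the example mirrors the rule text exactly).
    """
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.strip() for a in _as_list(stmt.get("Action")) if isinstance(a, str)}
    resources = {r.strip() for r in _as_list(stmt.get("Resource")) if isinstance(r, str)}
    return "*" in actions and "*" in resources


def find_full_admin_statements(policy_document: Union[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per offending statement: its index and Sid."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if isinstance(stmt, dict) and is_full_admin_statement(stmt):
            findings.append({"index": index, "sid": stmt.get("Sid", "")})
    return findings


def check(policy_document: Union[str, Dict[str, Any]]) -> str:
    """Checkov-style verdict for the whole document."""
    return "FAILED" if find_full_admin_statements(policy_document) else "PASSED"


if __name__ == "__main__":
    for name, doc in (("pass1", PASSING_POLICY), ("full-admin", FAILING_POLICY)):
        print(name, check(doc), find_full_admin_statements(doc))
```

Note that the ReadOnlyLogs statement in the constructed policy is not flagged even though its Resource is "*": the rule is about the combination of a wildcard action and a wildcard resource, and a read-only action over all resources is a separate (and much smaller) least-privilege concern.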

Fix - Runtime

AWS Console

To detach the policy that has full administrative privileges, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the IAM console.
  3. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  4. Select the policy to be detached.
  5. In the Policy actions menu, select Detach.
  6. Select all Users, Groups, and Roles that have this policy attached.
  7. Click Detach Policy.
  8. Once the policy is no longer attached to any user, group, or role, it can be deleted from the same Policy actions menu.

CLI Command

To detach the policy that has full administrative privileges as found in the audit step, use the following commands:

  1. List all IAM users, groups, and roles that the specified managed policy is attached to.
     aws iam list-entities-for-policy --policy-arn <policy_arn>
  2. Detach the policy from all IAM Users.
     aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
  3. Detach the policy from all IAM Groups.
     aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
  4. Detach the policy from all IAM Roles.
     aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
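The four commands above are one procedure: list the attachments, then issue one detach per user, group and role. The following added example (written for this page, not a Bridgecrew or AWS tool) automates it. The list-entities-for-policy output is embedded as a constructed sample with the real API field names and made-up entity names, so the command planning runs offline; the functions that actually call the aws CLI need credentials and are only reached when you invoke them.

```python
"""Detach a full-admin managed policy from every user, group and role.

Added example, not part of the original page. It turns the output of
`aws iam list-entities-for-policy` into the detach commands listed above.
"""
import json
import subprocess
from typing import List

# Constructed sample of list-entities-for-policy output. Field names are the
# real ones returned by the API; the user, group and role are invented.
SAMPLE_ENTITIES = json.dumps({
    "PolicyGroups": [{"GroupName": "admins", "GroupId": "AGPAEXAMPLEGROUP"}],
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLEUSER"}],
    "PolicyRoles": [{"RoleName": "deploy-role", "RoleId": "AROAEXAMPLEROLE"}],
    "IsTruncated": False,
})

# (result key, CLI subcommand, name flag, name field) per entity type,
# in the same order as the runbook: users, groups, roles.
_ENTITY_KINDS = (
    ("PolicyUsers", "detach-user-policy", "--user-name", "UserName"),
    ("PolicyGroups", "detach-group-policy", "--group-name", "GroupName"),
    ("PolicyRoles", "detach-role-policy", "--role-name", "RoleName"),
)


def detach_commands(policy_arn: str, entities_json: str) -> List[List[str]]:
    """Build one `aws iam detach-*-policy` argv per attachment."""
    entities = json.loads(entities_json)
    if entities.get("IsTruncated"):
        # The CLI pages through results itself unless --no-paginate or
        # --max-items was used. Refuse a partial listing rather than leave
        # attachments on later pages in place.
        raise ValueError("truncated listing: fetch all pages before detaching")
    commands = []
    for result_key, subcommand, name_flag, name_field in _ENTITY_KINDS:
        for entity in entities.get(result_key, []):
            commands.append(["aws", "iam", subcommand, name_flag, entity[name_field],
                             "--policy-arn", policy_arn])
    return commands


def list_entities(policy_arn: str) -> str:
    """Step 1 of the runbook; requires AWS credentials in the environment."""
    return subprocess.run(
        ["aws", "iam", "list-entities-for-policy",
         "--policy-arn", policy_arn, "--output", "json"],
        check=True, capture_output=True, text=True).stdout


def detach_everywhere(policy_arn: str, dry_run: bool = True) -> List[List[str]]:
    """Steps 2 to 4: detach from every user, group and role.

    With dry_run=True (the default) the commands are only printed, so the
    blast radius can be reviewed before anything changes.
    """
    commands = detach_commands(policy_arn, list_entities(policy_arn))
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for argv in detach_commands("arn:aws:iam::123456789012:policy/full-admin", SAMPLE_ENTITIES):
        print(" ".join(argv))
```

Two caveats for real use. Detaching handles managed policies only; an equivalent statement written as an inline policy on a user, group or role is removed with aws iam delete-user-policy, delete-group-policy or delete-role-policy (each takes --policy-name rather than --policy-arn). And detaching from a role takes effect on new credentials only; sessions already assumed under the role keep their permissions until they expire.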

Fix - Buildtime

Terraform

Resource: aws_iam_policy

resource "aws_iam_policy" "pass1" {
  name   = "pass1"
  path   = "/"
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket*",
        "s3:HeadBucket",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::b1",
        "arn:aws:s3:::b1/*",
        "arn:aws:s3:::b2",
        "arn:aws:s3:::b2/*"
      ],
      "Sid": ""
    },
    {
      "Action": "s3:PutObject*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::b1/*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
POLICY
}