IAM policy should provide only necessary and specific privileges

Description

IAM policies are how privileges are granted to users, groups, or roles. It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.

Rationale

It’s more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with “Effect”: “Allow” with “Action”: “” over “Resource”: “” should be removed.

Remediation

From the console

  1. Sign in to the AWS Management Console.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy that needs to be deleted.
  4. In the policy action menu, select Detach.
  5. Select all users, groups, and roles that have this policy attached.
  6. Click Detach Policy.
  7. In the policy action menu, select Detach.

From the command line

  1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.

    aws iam list-entities-for-policy --policy-arn <policy_arn>
    
  2. Detach the policy from all IAM users:

    aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
    
  3. Detach the policy from all IAM groups:

    aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>  
    
  4. Detach the policy from all IAM roles:

    aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
    

References

  1. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  2. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
  3. http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam
  4. https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html