IAM policies that allow full "*:*" administrative privileges are not created
Incident Management is now generally available! Incident Management is now generally available!
<  Back to rules search

IAM policies that allow full "*:*" administrative privileges are not created

iam

Classification:

compliance

Overview

Description

IAM policies are how privileges are granted to users, groups, or roles. It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.

Rationale

It’s more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with “Effect”: “Allow” with “Action”: “” over “Resource”: “” should be removed.

Remediation

See the CIS AWS Foundations Benchmark controls docs for console remediation steps.

Impact

None

Default Value

None

References

  1. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  2. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
  3. CCE-78912-3
  4. http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam

CIS Controls

4 Controlled Use of Administrative Privileges

2 Logging This section contains recommendations for configuring AWS’s account logging features