IAM policy should provide only necessary and specific privileges

Description

IAM policies define the privileges granted to users, groups, or roles. Best practice recommends granting only the permissions necessary to perform specific tasks. First, identify what users need to accomplish, and then create policies that allow them to perform only those tasks. It’s more secure to start with minimal permissions and add more as needed than to begin with overly permissive settings and restrict them later. Granting full administrative privileges instead of essential permissions can expose resources to potential misuse or compromise. Policies that have a statement with "Effect": "Allow" combined with "Action": "*" over "Resource": "*" should be removed.

Remediation

From the console

  1. Sign in to the AWS Management Console.
  2. In the navigation pane, click Policies and then search for the policy name found in the audit step.
  3. Select the policy that needs to be deleted.
  4. In the policy action menu, select Detach.
  5. Select all users, groups, and roles that have this policy attached.
  6. Click Detach Policy.
  7. In the policy action menu, select Detach.

From the command line

  1. Lists all IAM users, groups, and roles that the specified managed policy is attached to.

    aws iam list-entities-for-policy --policy-arn <policy_arn>
    
  2. Detach the policy from all IAM users:

    aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
    
  3. Detach the policy from all IAM groups:

    aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>  
    
  4. Detach the policy from all IAM roles:

    aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
    

References

  1. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  2. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
  3. http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam
  4. https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html
PREVIEWING: safchain/fix-custom-agent