Ensure IAM policies that allow full administrative privileges are not created

1.22 Identity and Access Management (AWS CIS Benchmark).

Description

IAM policies are the means by which privileges are granted to users, groups, or roles.

It is recommended and considered standard security advice to grant these based on the principle of least privilege. In other words, organizations should never grant users, groups, or roles permissions beyond the minimum required to perform a particular task.

Determine what users need to do and then craft policies that let the users perform only those tasks instead of allowing full administrative privileges.

Detach the policy that grants full administrative privileges from users via the AWS Management Console

Step 1. Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

Step 2. In the navigation pane, click on Policies and then search for the policy name found in the audit step.

Step 3. Select the policy that needs to be deleted.

Step 4. In the policy action menu, click on Detach.

Step 5. Select all Users, Groups, and Roles that have this policy attached.

Step 6. Click on Detach Policy.

Step 7. In the policy action menu, click on Detach.

Detach the policy that grants full administrative privileges from users via the CLI

Step 1. List all IAM users, groups, and roles that the specified managed policy is attached to: aws iam list-entities-for-policy --policy-arn <policy_arn>

Step 2. Detach the policy from all IAM Users: aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>

Step 3. Detach the policy from all IAM Groups: aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

Step 4. Detach the policy from all IAM Roles: aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
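As an added example (not part of the benchmark text), the Python below checks a policy document for the Allow / Action "*" / Resource "*" statement this control targets and turns the JSON that step 1 returns into the exact detach commands of steps 2 to 4. The entity names, policy documents and account ID in it are constructed; it assumes you run it with the `aws iam list-entities-for-policy` output saved to a file.

```python
import json
import shlex
import sys
# Constructed sample of `aws iam list-entities-for-policy` output; names are made up.
SAMPLE_ENTITIES = {
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLE"}],
    "PolicyGroups": [{"GroupName": "admins", "GroupId": "AGPAEXAMPLE"}],
    "PolicyRoles": [{"RoleName": "deploy-role", "RoleId": "AROAEXAMPLE"}],
}
# Constructed policy documents: one grants full admin, one is scoped to a single action.
FULL_ADMIN_DOC = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_DOC = {"Version": "2012-10-17",
              "Statement": {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}}

def _as_list(value):
    """IAM lets Statement, Action and Resource be either a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_full_admin(policy_document):
    """True if any statement is Effect Allow with Action "*" on Resource "*",
    the shape this control flags. A Deny, a scoped action list, or a wildcard
    Resource on its own does not count."""
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

def detach_commands(entities, policy_arn):
    """Turn list-entities-for-policy output into the detach commands of
    steps 2 to 4: one per attached user, then group, then role."""
    kinds = [("PolicyUsers", "UserName", "user", "--user-name"),
             ("PolicyGroups", "GroupName", "group", "--group-name"),
             ("PolicyRoles", "RoleName", "role", "--role-name")]
    cmds = []
    for key, name_key, kind, flag in kinds:
        for entity in entities.get(key, []):
            cmds.append(f"aws iam detach-{kind}-policy {flag} "
                        f"{shlex.quote(entity[name_key])} --policy-arn {shlex.quote(policy_arn)}")
    return cmds

if __name__ == "__main__":
    # Usage: python detach_plan.py <policy_arn> [entities.json]; falls back to the sample.
    entities = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_ENTITIES
    print("\n".join(detach_commands(entities, sys.argv[1])))
```

Review the printed commands before running them; a role attached to a workload that actually needs some of the permissions should get a scoped replacement policy attached first.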