RAM Policies With Full Administrative Privileges

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: AlibabaCloud-RAM-011

Ensure there are no custom Resource Access Management (RAM) policies that allow full administrative privileges available in your Alibaba Cloud account, in order to follow the Principle of Least Privilege (POLP) and provide the RAM users, groups, and roles associated with these policies the minimal amount of access required to perform their tasks. A custom RAM policy that provides full administrative permissions is a policy that contains the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*".

Security

Providing full administrative privileges instead of restricting the access to the minimum set of permissions can expose your Alibaba Cloud resources to potentially unwanted actions. Trend Vision One™ strongly recommends creating and using custom RAM policies that implement the Principle of Least Privilege (i.e. providing the minimal set of actions required to successfully perform the designated tasks) instead of using overly permissive policies.

Audit

To determine if there are any custom RAM policies that allow full administrative privileges available in your Alibaba Cloud account, perform the following actions:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Permissions, choose Policies.

04 For Policy Type, choose Custom Policy to list only the custom RAM policies available in your cloud account.

05 Click on the name (link) of the RAM policy that you want to examine, listed in the Policy Name column.

06 Select the References tab and check for any RAM identity (user, group, or role) attached to the selected policy. If one or more identities are attached to the policy, continue the Audit process with the next step.

07 Select the Policy Document tab and search for any policy statements with the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*", without any "Condition" blocks. If the verified policy uses the specified combination of elements, the selected RAM policy allows full administrative privileges, therefore the policy does not follow the cloud security best practices and should be decommissioned (detached from any RAM identities).

08 Repeat steps no. 5 – 7 for each custom RAM policy available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ListPolicies command (OSX/Linux/UNIX) with custom output filters to list the name of each custom RAM policy available within your Alibaba Cloud account:

aliyun ram ListPolicies \
  --PolicyType Custom \
  --output cols=PolicyName

02 The command output should return a list with the requested RAM policy identifiers:

PolicyName
----------
tm-project-access-policy
tm-deploy-access-policy

03 Run GetPolicy command (OSX/Linux/UNIX) with the name of the custom RAM policy that you want to examine as the identifier parameter, to describe the policy configuration information (including the policy document):

aliyun ram GetPolicy \
  --PolicyName tm-project-access-policy \
  --PolicyType Custom

04 The command output should return the requested configuration information:

{
	"Policy": {
		"UpdateDate": "2024-01-22T09:21:35Z",
		"PolicyType": "Custom",
		"Description": "",
		"AttachmentCount": 2,
		"DefaultVersion": "v1",
		"PolicyName": "tm-project-access-policy",
		"CreateDate": "2024-01-22T09:21:35Z"
	},
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"DefaultPolicyVersion": {
		"VersionId": "v1",
		"IsDefaultVersion": true,
		"CreateDate": "2024-01-22T09:21:35Z",
		"PolicyDocument": {
			"Version": "1",
			"Statement": [
				{
					"Effect": "Allow",
					"Action": "*",
					"Resource": "*"
				}
			]
		}
	}
}

Check the "AttachmentCount" attribute value to determine if there are any RAM identities (users, groups, or roles) attached to the selected policy. If the "AttachmentCount" value is different from 0 (zero), the policy is attached to one or more identities, therefore you can continue the Audit process and search the policy document for administrative privileges. Check the "PolicyDocument" attribute value for any policy statements with the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*", without any "Condition" blocks. If the verified policy uses the specified combination of elements, the selected RAM policy allows full administrative privileges, therefore the policy does not follow the cloud security best practices and should be decommissioned.

05 Repeat steps no. 3 and 4 for each custom RAM policy available within your Alibaba Cloud account.
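The following script automates the CLI audit steps above: it applies the "AttachmentCount" check and the Allow / "*" / "*" / no "Condition" test to the JSON returned by GetPolicy. It is an added example, not code from Trend Micro or Alibaba Cloud; it assumes the output shape shown in step 4, handles "Action" and "Resource" given either as a string or as a list, and also accepts the policy document as an embedded JSON string, which is how the CLI may return it.

```python
import json
import sys


def _as_list(value):
    """RAM policy elements such as Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def full_admin_statements(policy_document):
    """Return statements matching Effect Allow, Action *, Resource *, with no Condition."""
    if isinstance(policy_document, str):  # the CLI may embed the document as a JSON string
        policy_document = json.loads(policy_document)
    hits = []
    for stmt in policy_document.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # denies and conditional statements are out of scope for this rule
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            hits.append(stmt)
    return hits


def audit_get_policy_output(output):
    """Apply the rule's audit logic to one `aliyun ram GetPolicy` result.

    Returns (verdict, detail): FAIL when an attached policy grants full admin access,
    UNATTACHED when the statement exists but AttachmentCount is 0, PASS otherwise."""
    attachments = output["Policy"].get("AttachmentCount", 0)
    hits = full_admin_statements(output["DefaultPolicyVersion"]["PolicyDocument"])
    if not hits:
        return "PASS", "no unconditional Allow */* statement"
    if attachments == 0:
        return "UNATTACHED", "full admin statement present but no identities attached"
    return "FAIL", f"full admin statement attached to {attachments} identities"


# Constructed sample mirroring the GetPolicy output above (not real account data)
SAMPLE_OUTPUT = {
    "Policy": {"PolicyName": "tm-project-access-policy", "PolicyType": "Custom",
               "AttachmentCount": 2, "DefaultVersion": "v1"},
    "DefaultPolicyVersion": {
        "VersionId": "v1",
        "PolicyDocument": {"Version": "1", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
}

if __name__ == "__main__":
    # Usage: aliyun ram GetPolicy --PolicyName NAME --PolicyType Custom | python3 ram_audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_OUTPUT
    verdict, detail = audit_get_policy_output(data)
    print(f"{data['Policy']['PolicyName']}: {verdict} ({detail})")
```

Run it once per policy name returned by ListPolicies; with no input on stdin it evaluates the constructed sample, which reports FAIL.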

Remediation / Resolution

To detach custom policies that provide full administrative privileges from RAM identities and decommission them, perform the following actions:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Resource Access Management (RAM) console at https://ram.console.aliyun.com/overview.

03 In the left navigation panel, under Permissions, choose Policies.

04 For Policy Type, choose Custom Policy to list only the custom RAM policies available in your cloud account.

05 Click on the name (link) of the RAM policy that provides full administrative privileges, listed in the Policy Name column.

06 Choose the References tab, select all the RAM identities (including users, groups, and roles) associated with the custom policy, and choose Revoke Permission to detach all identities from the selected policy. Choose Revoke Permission for confirmation.

07 (Optional) You can also modify the policy document to remove the statements that allow full administrative privileges. Select the Policy Document tab, choose Modify Policy Document, remove any statements with the following combination of elements: "Effect": "Allow", "Action": "*", and "Resource": "*", select Next to edit policy information, and choose OK.

08 Repeat steps no. 5 - 7 for each overly permissive RAM policy available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ListEntitiesForPolicy command (OSX/Linux/UNIX) to describe the RAM identities (users, groups, and roles) associated with the selected custom policy:

aliyun ram ListEntitiesForPolicy \
  --PolicyName tm-project-access-policy \
  --PolicyType Custom

02 The command output should return the requested information:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"Groups": {
		"Group": [
			{
				"GroupName": "tm-project-admin-group",
				"AttachDate": "2024-01-20T00:00:00Z",
				"UserId": "123456789012345678"
			}
		]
	},
	"Roles": {
		"Role": []
	},
	"Users": {
		"User": [
			{
				"UserName": "tm-project-admin",
				"AttachDate": "2024-01-22T10:19:45Z",
				"UserId": "123456789012345678",
				"DisplayName": ""
			}
		]
	}
}

03 Run DetachPolicyFromUser command (OSX/Linux/UNIX) to detach the custom policy that provides full administrative privileges from the selected RAM user:

aliyun ram DetachPolicyFromUser \
  --PolicyName tm-project-access-policy \
  --PolicyType Custom \
  --UserName tm-project-admin

04 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

05 Run DetachPolicyFromGroup command (OSX/Linux/UNIX) to detach the RAM policy that provides full administrative privileges from the selected user group:

aliyun ram DetachPolicyFromGroup \
  --PolicyName tm-project-access-policy \
  --PolicyType Custom \
  --GroupName tm-project-admin-group

06 If successful, the output should return the command request ID:

{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}

07 Run DetachPolicyFromRole command (OSX/Linux/UNIX) to detach the custom policy that provides full administrative privileges from the selected RAM role:

aliyun ram DetachPolicyFromRole \
  --PolicyName tm-project-access-policy \
  --PolicyType Custom \
  --RoleName tm-project-admin-role

08 If successful, the output should return the command request ID:

{"RequestId":"ABCD1234-1234-ABCD-1234-ABCD1234ABCD"}

09 Repeat steps no. 1 - 8 for each overly permissive RAM policy available in your Alibaba Cloud account.
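To turn the ListEntitiesForPolicy output from step 2 into the exact detach commands of steps 3, 5 and 7 for every attached user, group and role, the following script builds a reviewable command list. It is an added example, not code from Trend Micro or Alibaba Cloud; it assumes the output shape shown in step 2 and the policy name is passed as its first argument.

```python
import json
import shlex
import sys


def detach_commands(entities_output, policy_name, policy_type="Custom"):
    """Build one aliyun detach command per identity listed by ListEntitiesForPolicy."""
    # (section key, item key, detach API, identity flag, identity name key)
    kinds = [
        ("Users", "User", "DetachPolicyFromUser", "--UserName", "UserName"),
        ("Groups", "Group", "DetachPolicyFromGroup", "--GroupName", "GroupName"),
        ("Roles", "Role", "DetachPolicyFromRole", "--RoleName", "RoleName"),
    ]
    commands = []
    for section, item, api, flag, name_key in kinds:
        for entity in entities_output.get(section, {}).get(item, []):
            commands.append(" ".join(["aliyun", "ram", api,
                                      "--PolicyName", shlex.quote(policy_name),
                                      "--PolicyType", policy_type,
                                      flag, shlex.quote(entity[name_key])]))
    return commands


# Constructed sample mirroring the ListEntitiesForPolicy output above (not real account data)
SAMPLE_ENTITIES = {
    "Groups": {"Group": [{"GroupName": "tm-project-admin-group"}]},
    "Roles": {"Role": []},
    "Users": {"User": [{"UserName": "tm-project-admin"}]},
}

if __name__ == "__main__":
    # Usage: aliyun ram ListEntitiesForPolicy --PolicyName NAME --PolicyType Custom \
    #        | python3 ram_detach_plan.py NAME > detach.sh   (review the file, then run it)
    name = sys.argv[1] if len(sys.argv) > 1 else "tm-project-access-policy"
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ENTITIES
    for cmd in detach_commands(data, name):
        print(cmd)
```

Empty sections such as "Role": [] produce no command, so a policy with no roles attached yields only the user and group detach lines.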

Publication date Feb 23, 2024