Ensure that deprecated AWS-managed policies are replaced with the new ones approved by Amazon IAM, in order to avoid the potential security risks associated with the deprecated policies. A managed policy marked as deprecated continues to work for all currently attached IAM users, groups, and roles; however, it cannot be attached to any new users, groups, or roles, and once you detach it from an IAM entity you cannot reattach it. Trend Cloud One™ – Conformity keeps an up-to-date list of all deprecated IAM-managed policies to help you with mitigation.
Continuing to use a deprecated AWS-managed policy can carry risks that are mitigated only by switching to the replacement policy. If an IAM user, group, or role within your AWS cloud account still requires the deprecated managed policy, follow the steps outlined in the Remediation section to attach the replacement policy instead.
Note: As an example, this conformity rule demonstrates how to identify the deprecated "AmazonElasticTranscoderFullAccess" policy and replace it with the replacement managed policy named "AmazonElasticTranscoder_FullAccess". The "AmazonElasticTranscoderFullAccess" managed policy has been marked as deprecated because it potentially grants admin access to itself or to any other IAM role, failing to follow the Principle of Least Privilege (POLP).
Audit
To determine if there are any deprecated AWS-managed policies in use within your AWS cloud account, perform the following operations:
Remediation / Resolution
To replace the deprecated AWS-managed policies with their compliant replacements for your IAM identities, perform the following operations:
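The following script is an added example covering both the Audit and the Remediation steps above; it is not part of this Conformity rule or of any AWS tooling. It consumes the JSON returned by `aws iam list-policies --scope AWS --only-attached` and, per policy ARN, by `aws iam list-entities-for-policy`, flags deprecated policies that are still attached, and plans the replacement so that the approved policy is attached before the deprecated one is detached (a detached deprecated policy cannot be reattached, so the order matters). It assumes that deprecated policies report `IsAttachable` as false, that the replacement policy lives under the same ARN path, and uses constructed sample data rather than real account output.

```python
# Deprecated policy name -> approved replacement; only the pair named on this page is listed.
DEPRECATED_REPLACEMENTS = {"AmazonElasticTranscoderFullAccess": "AmazonElasticTranscoder_FullAccess"}
# list-entities-for-policy result key -> (name field, entity kind used in the attach/detach API names)
ENTITY_KINDS = {"PolicyUsers": ("UserName", "user"), "PolicyGroups": ("GroupName", "group"),
                "PolicyRoles": ("RoleName", "role")}

def is_deprecated(policy: dict) -> bool:
    """On the replacement list, or (assumption) reported by IAM as no longer attachable."""
    return policy["PolicyName"] in DEPRECATED_REPLACEMENTS or not policy.get("IsAttachable", True)

def plan_replacements(policies: list, entities_for: dict) -> list:
    """Turn list-policies output plus per-ARN list-entities-for-policy output into ordered
    (action, entity kind, entity name, policy ARN) steps: attach the replacement first, then
    detach the deprecated policy, because a detached deprecated policy can never be reattached."""
    actions = []
    for policy in policies:
        if not is_deprecated(policy) or policy.get("AttachmentCount", 0) == 0:
            continue  # compliant, or deprecated but attached to nothing
        replacement = DEPRECATED_REPLACEMENTS.get(policy["PolicyName"])
        if replacement is None:  # deprecated with no approved replacement known: escalate
            actions.append(("review", "policy", policy["PolicyName"], policy["Arn"]))
            continue
        new_arn = policy["Arn"].rsplit("/", 1)[0] + "/" + replacement  # assumes the same ARN path
        for key, (name_field, kind) in ENTITY_KINDS.items():
            for entity in entities_for.get(policy["Arn"], {}).get(key, []):
                actions.append(("attach", kind, entity[name_field], new_arn))
                actions.append(("detach", kind, entity[name_field], policy["Arn"]))
    return actions

def apply_plan(actions: list, dry_run: bool = True) -> None:
    """Execute the plan with boto3 (imported lazily so planning runs offline); each step maps
    to an attach-*-policy / detach-*-policy call like the CLI commands referenced on this page."""
    import boto3
    iam = boto3.client("iam")
    for action, kind, name, arn in actions:
        print(f"{action:6} {kind:6} {name:24} {arn}")
        if action != "review" and not dry_run:
            getattr(iam, f"{action}_{kind}_policy")(**{f"{kind.capitalize()}Name": name, "PolicyArn": arn})

# Constructed sample API output, not real account data, so the planner can be run offline.
P = "arn:aws:iam::aws:policy/"
SAMPLE_POLICIES = [
    {"PolicyName": "AmazonElasticTranscoderFullAccess", "Arn": P + "AmazonElasticTranscoderFullAccess",
     "AttachmentCount": 2, "IsAttachable": False},
    {"PolicyName": "ExampleDeprecatedPolicy", "Arn": P + "ExampleDeprecatedPolicy",
     "AttachmentCount": 1, "IsAttachable": False}]  # constructed name: deprecated, no mapping known
SAMPLE_ENTITIES = {P + "AmazonElasticTranscoderFullAccess": {"PolicyUsers": [{"UserName": "transcode-bot"}],
                                                             "PolicyRoles": [{"RoleName": "media-pipeline"}]},
                   P + "ExampleDeprecatedPolicy": {"PolicyUsers": [{"UserName": "legacy-user"}]}}
```

Run `apply_plan(plan_replacements(SAMPLE_POLICIES, SAMPLE_ENTITIES))` to print the dry-run plan; pass `dry_run=False` with real `list-policies` and `list-entities-for-policy` output to execute it against the account.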
References
- AWS Documentation
  - AWS IAM FAQs
  - Managed Policies and Inline Policies
  - Deprecated AWS Managed Policies
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-policies
    - detach-user-policy
    - detach-role-policy
    - detach-group-policy
    - delete-user-policy
    - delete-role-policy
    - delete-group-policy