
Deprecated Managed Policies in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that deprecated AWS managed policies are replaced with the successor policies that AWS recommends, in order to avoid the security risks that led to the original policies being deprecated. A managed policy marked as deprecated continues to work for all IAM users, groups, and roles it is currently attached to, but it cannot be attached to any new user, group, or role, and once you detach it from an IAM identity you cannot reattach it. Trend Cloud One™ – Conformity keeps an up-to-date list of all deprecated AWS managed policies to help you with mitigation.

Security

Continuing to use a deprecated AWS managed policy carries risks that are mitigated only by switching to the replacement policy. If an IAM user, group, or role within your AWS cloud account still needs the permissions granted by the deprecated managed policy, follow the steps outlined in the Remediation / Resolution section to attach the replacement policy instead. Because a detached deprecated policy cannot be reattached, confirm that the replacement policy grants the permissions the identity actually needs before removing the old one.

Note: As an example, this conformity rule demonstrates how to identify the deprecated "AmazonElasticTranscoderFullAccess" policy and replace it with the managed policy named "AmazonElasticTranscoder_FullAccess". The "AmazonElasticTranscoderFullAccess" managed policy was marked as deprecated because it could be used to grant administrative access to the caller's own role or to any other IAM role, which fails to follow the Principle of Least Privilege (POLP).


Audit

To determine if there are any deprecated AWS-managed policies in use within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Select AWS managed from the Filter policies dropdown menu to list only the AWS-managed policies.

05 Find the deprecated AWS-managed policy. A deprecated policy appears with a warning icon next to it.

06 Click on the name of the IAM policy marked as deprecated (in this case, AmazonElasticTranscoderFullAccess) to access the policy configuration.

07 Select the Policy usage tab and verify the Permissions section to check for IAM identities (users, roles, and groups) associated with the deprecated policy. If the deprecated policy is associated with one or more IAM identities, the selected AWS-managed policy is currently in use and it should be replaced with a new, compliant one.

08 Repeat steps no. 5 – 7 for each deprecated AWS-managed policy available within your AWS account.

Using AWS CLI

01 Run list-policies command (OSX/Linux/UNIX) to list the names of the AWS managed policies that are currently attached to IAM identities (users, groups, and roles) in your AWS account:

aws iam list-policies \
  --scope AWS \
  --only-attached \
  --output table \
  --query 'Policies[*].PolicyName'

02 The command output should return a table with the requested policy names:

----------------------------------------------
|                ListPolicies                |
+--------------------------------------------+
|  AmazonElasticTranscoderFullAccess         |
|  AWSElasticLoadBalancingServiceRolePolicy  |
|  AWSSupportServiceRolePolicy               |
|  AWSTrustedAdvisorServiceRolePolicy        |
+--------------------------------------------+

If the table returned by the list-policies command contains a policy named AmazonElasticTranscoderFullAccess, that deprecated AWS managed policy is still attached to at least one IAM identity in your AWS account and should be replaced with its recommended successor.

03 Repeat step no. 2 for each deprecated AWS-managed policy available within your AWS account.

Remediation / Resolution

To replace the deprecated AWS managed policies attached to your IAM identities with their compliant successors, perform the following operations. In the templates and configuration files below, the deprecated policy ARN (AmazonElasticTranscoderFullAccess) has been replaced by the ARN of its successor (AmazonElasticTranscoder_FullAccess):

Using AWS CloudFormation

- For IAM users:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Deprecated Managed Policies in Use",
	"Resources": {
		"IAMUser": {
			"Type": "AWS::IAM::User",
			"Properties": {
				"UserName": "cc-project5-admin",
				"Path": "/",
				"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess" ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Deprecated Managed Policies in Use
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-project5-admin
      Path: /
      ManagedPolicyArns:
        # deprecated policy removed: arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
        - arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

	terraform {
		required_providers {
			aws = {
				source  = "hashicorp/aws"
				version = "~> 4.0"
			}
		}
		required_version = ">= 0.14.9"
	}

	provider "aws" {
		profile = "default"
		region  = "us-east-1"
	}

	resource "aws_iam_user" "iam-user" {
		name = "cc-project5-admin"
		path =  "/"
	}

	resource "aws_iam_user_policy_attachment" "iam-user-attachment" {
		user       = aws_iam_user.iam-user.name
		# replaces the deprecated arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
		policy_arn = "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess"
	}

Using AWS CloudFormation

- For IAM groups:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Deprecated Managed Policies in Use",
	"Resources": {
		"IAMGroup": {
			"Type": "AWS::IAM::Group",
			"Properties": {
				"GroupName": "cc-project5-user-group",
				"Path": "/",
				"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess" ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Deprecated Managed Policies in Use
Resources:
  IAMGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cc-project5-user-group
      Path: /
      ManagedPolicyArns:
        # deprecated policy removed: arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
        - arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

	terraform {
		required_providers {
			aws = {
				source  = "hashicorp/aws"
				version = "~> 4.0"
			}
		}
		required_version = ">= 0.14.9"
	}

	provider "aws" {
		profile = "default"
		region  = "us-east-1"
	}

	resource "aws_iam_group" "iam-group" {
		name = "cc-project5-user-group"
		path = "/"
	}

	resource "aws_iam_group_policy_attachment" "group-policy-attach" {
		group      = aws_iam_group.iam-group.name
		# replaces the deprecated arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
		policy_arn = "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess"
	}

Using AWS CloudFormation

- For IAM roles:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Deprecated Managed Policies in Use",
	"Resources": {
		"InstanceRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "cc-project5-iam-role",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"ec2.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"Path": "/",
				"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess" ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Deprecated Managed Policies in Use
Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cc-project5-iam-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        # deprecated policy removed: arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
        - arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

	terraform {
		required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
		}
		required_version = ">= 0.14.9"
	}

	provider "aws" {
		profile = "default"
		region  = "us-east-1"
	}

	resource "aws_iam_role" "iam-role" {
		name = "cc-project5-iam-role"
		path = "/"
		assume_role_policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
					"Service": "ec2.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF

		# replaces the deprecated arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess
		managed_policy_arns = [ "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess" ]
	}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Select AWS managed from the Filter policies dropdown menu to list only the AWS-managed policies.

05 Click on the name of the deprecated AWS-managed policy.

06 Select the Policy usage tab and copy the names of the IAM identities (users, groups, roles) listed in the Permissions section.

07 Select all the IAM identities associated with the deprecated policy and choose Detach.

08 Inside the Detach policy confirmation box, choose Detach to detach the identities from the selected policy.

09 In the navigation panel, under Access management, choose Policies.

10 Paste the name of the replacement policy in the Search box and press Enter. In this case, the name of the replacement policy is AmazonElasticTranscoder_FullAccess.

11 Click on the name of the replacement policy to access the managed policy configuration.

12 Select the Policy usage tab and choose Attach to attach the selected policy to the necessary identities.

13 On the Attach policy page, paste the name of an IAM identity copied at step no. 6 in the Search box, select the identity, then click the Attach policy button to attach the managed policy to it. Repeat this step for all the Amazon IAM identities identified at step no. 6.

14 Repeat steps no. 3 – 13 to replace other deprecated AWS-managed policies, available within your AWS account.

Using AWS CLI

01 Run list-entities-for-policy command (OSX/Linux/UNIX) to list the names of the IAM identities (users, groups, and/or roles) that the deprecated AWS managed policy you want to replace is attached to:

aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess

02 The command output should return the requested information:

{
	"PolicyGroups": [
		{
			"GroupName": "cc-etr-user-group",
			"GroupId": "ABCDABCDABCDABCDABCDABCD"
		}
	],
	"PolicyUsers": [
		{
			"UserName": "cc-transcoder-user",
			"UserId": "ABCD1234ABCD234ABCD1234"
		}
	],
	"PolicyRoles": [
		{
			"RoleName": "cc-elastic-transcoder-role",
			"RoleId": "1234ABCD1234ABCD1234ABCD"
		}
	]
}

03 To replace a deprecated AWS-managed policy, you must detach it from the associated IAM identities. Based on the type of the IAM identity that you want to reconfigure, perform one of the following commands:

  1. For Amazon IAM users:
    - Run detach-user-policy command (OSX/Linux/UNIX) to detach the deprecated AWS managed policy (in this case, AmazonElasticTranscoderFullAccess) from the selected IAM user (if successful, the command does not produce an output):
    aws iam detach-user-policy \
      --user-name cc-transcoder-user \
      --policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess

  2. For Amazon IAM roles:
    - Run detach-role-policy command (OSX/Linux/UNIX) to detach the deprecated AWS managed policy from the selected IAM role (if successful, the command does not produce an output):
    aws iam detach-role-policy \
      --role-name cc-elastic-transcoder-role \
      --policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess

  3. For Amazon IAM groups:
    - Run detach-group-policy command (OSX/Linux/UNIX) to detach the deprecated AWS managed policy from the selected IAM group (if successful, the command does not produce an output):
    aws iam detach-group-policy \
      --group-name cc-etr-user-group \
      --policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoderFullAccess


04 Attach the replacement policy (in this case, AmazonElasticTranscoder_FullAccess) to the same IAM identities configured at the previous step. Based on the type of the identity that you want to reconfigure, execute one of the following commands:

  1. For Amazon IAM users:
    - Run attach-user-policy command (OSX/Linux/UNIX) to attach the replacement AWS managed policy to the selected IAM user (if successful, the command does not produce an output):
    aws iam attach-user-policy \
      --user-name cc-transcoder-user \
      --policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess

  2. For Amazon IAM roles:
    - Run attach-role-policy command (OSX/Linux/UNIX) to attach the replacement AWS managed policy to the selected IAM role (if successful, the command does not produce an output):
    aws iam attach-role-policy \
      --role-name cc-elastic-transcoder-role \
      --policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess

  3. For Amazon IAM groups:
    - Run attach-group-policy command (OSX/Linux/UNIX) to attach the replacement AWS managed policy to the selected IAM group (if successful, the command does not produce an output):
    aws iam attach-group-policy \
      --group-name cc-etr-user-group \
      --policy-arn arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess


05 Repeat steps no. 1 – 4 to replace other deprecated AWS-managed policies, available in your AWS account.
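The Audit (AWS CLI) and Remediation (AWS CLI) procedures above, carried through in one script. This is an added example for this page, not Conformity's or AWS's code. It assumes that a deprecated AWS managed policy is reported by the IAM ListPolicies API with IsAttachable set to false (the list-policies output shown above prints only names, so this filter is what actually separates deprecated policies from current ones), that the REPLACEMENTS mapping is maintained by you (only the Elastic Transcoder pair from this page is filled in), and that iam is a boto3 IAM client when run against a real account; FakeIAM is a constructed stand-in seeded with the sample identity names from the page so the logic runs offline. Unlike the CLI steps, it attaches the replacement before detaching the deprecated policy, since a detached deprecated policy cannot be reattached.

```python
"""Audit deprecated-but-attached AWS managed policies and swap in their replacements."""
from typing import Dict, List, Tuple

AWS_POLICY_PREFIX = "arn:aws:iam::aws:policy/"

# Deprecated policy ARN -> replacement ARN. Assumed table, maintained by you;
# only the Elastic Transcoder pair from the page is filled in.
REPLACEMENTS = {
    AWS_POLICY_PREFIX + "AmazonElasticTranscoderFullAccess":
        AWS_POLICY_PREFIX + "AmazonElasticTranscoder_FullAccess",
}

# (kind, ListEntitiesForPolicy key, name field, attach method, detach method)
ENTITY_KINDS = (
    ("User", "PolicyUsers", "UserName", "attach_user_policy", "detach_user_policy"),
    ("Group", "PolicyGroups", "GroupName", "attach_group_policy", "detach_group_policy"),
    ("Role", "PolicyRoles", "RoleName", "attach_role_policy", "detach_role_policy"),
)


def _pages(call, **kwargs):
    """Follow IAM's Marker/IsTruncated pagination, yielding every response page."""
    while True:
        resp = call(**kwargs)
        yield resp
        if not resp.get("IsTruncated"):
            return
        kwargs["Marker"] = resp["Marker"]


def audit_deprecated(iam) -> Dict[str, List[Tuple[str, str]]]:
    """Map each deprecated-but-attached AWS managed policy ARN to [(kind, name), ...].

    Same data as `aws iam list-policies --scope AWS --only-attached` followed by
    `aws iam list-entities-for-policy`, filtered on IsAttachable == False
    (assumed to be how IAM reports a deprecated policy)."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for page in _pages(iam.list_policies, Scope="AWS", OnlyAttached=True):
        for pol in page.get("Policies", []):
            if pol.get("IsAttachable", True):
                continue  # current policy, nothing to do
            entities: List[Tuple[str, str]] = []
            for ents in _pages(iam.list_entities_for_policy, PolicyArn=pol["Arn"]):
                for kind, key, field, _, _ in ENTITY_KINDS:
                    entities.extend((kind, e[field]) for e in ents.get(key, []))
            report[pol["Arn"]] = entities
    return report


def replace_policy(iam, deprecated_arn: str, entities, replacements=REPLACEMENTS):
    """Attach the replacement to every entity, then detach the deprecated policy.

    Returns the (method, entity name, policy ARN) calls made, in order. The
    replacement is resolved and attached FIRST: a deprecated policy cannot be
    re-attached once detached, so failing early here leaves access intact."""
    replacement = replacements.get(deprecated_arn)
    if replacement is None:
        raise KeyError(f"no replacement recorded for {deprecated_arn}")
    iam.get_policy(PolicyArn=replacement)  # NoSuchEntity here aborts before any detach
    methods = {kind: (attach, detach) for kind, _, _, attach, detach in ENTITY_KINDS}
    calls: List[Tuple[str, str, str]] = []
    for kind, name in entities:
        attach, detach = methods[kind]
        name_kw = {kind + "Name": name}  # UserName / GroupName / RoleName
        getattr(iam, attach)(PolicyArn=replacement, **name_kw)
        calls.append((attach, name, replacement))
        getattr(iam, detach)(PolicyArn=deprecated_arn, **name_kw)
        calls.append((detach, name, deprecated_arn))
    return calls


class FakeIAM:
    """Constructed stand-in for boto3.client("iam"), seeded with the page's sample names."""
    DEPRECATED = AWS_POLICY_PREFIX + "AmazonElasticTranscoderFullAccess"

    def __init__(self):
        self.policies = [
            {"Arn": self.DEPRECATED, "IsAttachable": False, "AttachmentCount": 3},
            {"Arn": AWS_POLICY_PREFIX + "AWSSupportServiceRolePolicy", "IsAttachable": True},
        ]
        self.entities = {self.DEPRECATED: {
            "PolicyUsers": [{"UserName": "cc-transcoder-user"}],
            "PolicyGroups": [{"GroupName": "cc-etr-user-group"}],
            "PolicyRoles": [{"RoleName": "cc-elastic-transcoder-role"}]}}
        # entity name -> attached policy ARNs; every sample entity starts with the deprecated one
        self.attachments = {n: {self.DEPRECATED} for n in
                            ("cc-transcoder-user", "cc-etr-user-group", "cc-elastic-transcoder-role")}

    def list_policies(self, **kw):
        return {"Policies": self.policies, "IsTruncated": False}

    def list_entities_for_policy(self, PolicyArn, **kw):
        return dict(self.entities.get(PolicyArn, {}), IsTruncated=False)

    def get_policy(self, PolicyArn):
        if not PolicyArn.startswith(AWS_POLICY_PREFIX):
            raise LookupError("NoSuchEntity: " + PolicyArn)
        return {"Policy": {"Arn": PolicyArn}}

    def __getattr__(self, method):  # attach_<kind>_policy / detach_<kind>_policy
        if not method.startswith(("attach_", "detach_")):
            raise AttributeError(method)
        verb, kind, _ = method.split("_")

        def call(PolicyArn, **kw):
            pols = self.attachments.setdefault(kw[kind.capitalize() + "Name"], set())
            (pols.add if verb == "attach" else pols.discard)(PolicyArn)
        return call


if __name__ == "__main__":
    iam = FakeIAM()  # use boto3.client("iam") here to run against a real account
    for arn, ents in audit_deprecated(iam).items():
        print(f"deprecated but attached: {arn} -> {ents}")
        for call in replace_policy(iam, arn, ents):
            print("  ", *call)
```

Against a real account, replace FakeIAM() with boto3.client("iam"); the caller needs iam:ListPolicies, iam:ListEntitiesForPolicy, iam:GetPolicy and the attach/detach permissions for the identity types involved.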

Publication date Aug 31, 2018