IAM Users Unauthorized to Edit Access Policies

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-037

Identify any Amazon IAM users that are not authorized to edit IAM policies and decommission them in order to protect against unapproved access. Before this conformity rule is run by the Cloud Conformity engine, you need to specify the identifiers of all IAM users authorized to edit IAM policies within your AWS account, represented by a list of valid IAM user ARNs (e.g. arn:aws:iam::123456789012:user/username). If no list is specified, any IAM user with permission to edit IAM access policies is flagged as a risk.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Allowing illegitimate AWS IAM users to edit access policies can lead to serious (intentional or unintentional) security breaches. To prevent any unauthorized requests made to edit IAM access policies within your AWS account, restrict access only to trusted IAM users.

Audit

To identify any unauthorized IAM users that have the permission to edit IAM access policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the AWS IAM user that you want to examine.

05 On the IAM user Summary page, select the Permissions tab from the bottom panel.

06 Inside the Managed/Inline Policies section, click on the policy name (link) to open the attached IAM policy.

07 Click on {} JSON button to access the selected policy document in JSON format.

08 To identify the necessary actions that allow the user to edit IAM policies by analyzing the policy document, perform the following:

  a. Within the policy document box, search for the following Action value with the Effect element set to Allow:
    • "iam:*"
  b. Within the policy document box, search for the following set of Actions with an Allow effect:
    • "iam:CreatePolicy"
    • "iam:CreatePolicyVersion"
    • "iam:DeleteGroupPolicy"
    • "iam:DeletePolicy"
    • "iam:DeletePolicyVersion"
    • "iam:DeleteRolePolicy"
    • "iam:DeleteUserPolicy"
    • "iam:DetachGroupPolicy"
    • "iam:DetachRolePolicy"
    • "iam:DetachUserPolicy"
    • "iam:PutGroupPolicy"
    • "iam:PutRolePolicy"
    • "iam:PutUserPolicy"
    • "iam:UpdateAssumeRolePolicy"

09 If the IAM policy has the actions outlined at step no. 8 a. and/or b., go back to the IAM user Summary page and locate the Amazon Resource Name (ARN) of the selected user, listed as the value of the User ARN attribute (e.g. arn:aws:iam::123456789012:user/username).

10 Sign in to your Cloud Conformity console, access the conformity rule settings and compare the user identifier (ARN) found at the previous step against each identifier listed in the rule configuration section. If the ARN found at the previous step does not match any of the user ARNs listed on your Cloud Conformity console, the selected AWS IAM user is not authorized to edit IAM access policies and should therefore be decommissioned.

11 Repeat steps no. 4 - 10 to verify other Amazon IAM users for unauthorized permissions to edit access policies.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM users currently available within your AWS account:

aws iam list-users \
	--output table \
	--query 'Users[*].UserName'

02 The command output should return a table with the requested IAM user identifiers:

-----------------------
|      ListUsers      |
+---------------------+
|  cc-iam-test-admin  |
|  ec2-manager        |
|  ...                |
|  redshift-manager   |
|  iam-full-access    |
+---------------------+

03 To get the name of the access policy attached to the selected IAM user, run list-user-policies command (OSX/Linux/UNIX) using the name of the IAM user that you want to examine as identifier:

aws iam list-user-policies \
	--user-name cc-iam-test-admin \
	--output table \
	--query 'PolicyNames'

04 The command output should return a table that contains the name of the policy (or policies) attached to the specified IAM user:

-------------------------
|   ListUserPolicies    |
+-----------------------+
|  IAMCustomFullAccess  |
+-----------------------+

05 Run get-user-policy command (OSX/Linux/UNIX) using the name of the access policy that you want to examine as identifier to describe the selected IAM policy document:

aws iam get-user-policy \
	--user-name cc-iam-test-admin \
	--policy-name IAMCustomFullAccess \
	--query 'PolicyDocument'

06 The command output should return the requested IAM policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeleteGroupPolicy",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRolePolicy",
                "iam:DeleteUserPolicy",
                "iam:DetachGroupPolicy",
                "iam:DetachRolePolicy",
                "iam:DetachUserPolicy",
                "iam:PutGroupPolicy",
                "iam:PutRolePolicy",
                "iam:PutUserPolicy",
                "iam:UpdateAssumeRolePolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

07 To identify the necessary actions that allow the user to edit IAM policies by analyzing the policy document, perform the following:

  a. Within the policy document box, search for the following Action value with the Effect element set to Allow:
    • "iam:*"
  b. Within the policy document box, search for the following set of Actions with an Allow effect:
    • "iam:CreatePolicy"
    • "iam:CreatePolicyVersion"
    • "iam:DeleteGroupPolicy"
    • "iam:DeletePolicy"
    • "iam:DeletePolicyVersion"
    • "iam:DeleteRolePolicy"
    • "iam:DeleteUserPolicy"
    • "iam:DetachGroupPolicy"
    • "iam:DetachRolePolicy"
    • "iam:DetachUserPolicy"
    • "iam:PutGroupPolicy"
    • "iam:PutRolePolicy"
    • "iam:PutUserPolicy"
    • "iam:UpdateAssumeRolePolicy"

08 If the IAM policy listed at step no. 6 has the actions outlined at step no. 7 a. and/or b., run get-user command (OSX/Linux/UNIX) to expose the Amazon Resource Name (ARN) of the selected user:

aws iam get-user \
	--user-name cc-iam-test-admin \
	--query 'User.Arn'

09 The command output should return the requested Amazon ARN:

"arn:aws:iam::123456789012:user/cc-iam-test-admin"

10 Sign in to your Cloud Conformity console, access the conformity rule settings and compare the user ARN returned at the previous step against each ARN listed within the rule configuration section. If the ARN found does not match any of the user ARNs listed on your Cloud Conformity console, the selected AWS IAM user is not authorized to edit IAM access policies and should therefore be deactivated.

11 Repeat steps no. 3 - 10 to verify other Amazon IAM users for unauthorized permissions to edit IAM access policies.
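The CLI audit above applies the same check to one user at a time: look for "iam:*" or the listed policy-edit actions in an Allow statement, then compare the user ARN against the rule's authorized list. The script below is an added example (not Conformity's or AWS's own code) that performs that check over inline policy documents, handling the JSON shapes IAM permits (Action as a string or list, Statement as an object or list, wildcards such as "iam:Put*", case-insensitive action names). The user-to-policy mapping and the authorized ARN list are constructed sample data; in practice they would come from list-users, list-user-policies and get-user-policy as shown above.

```python
import fnmatch

# Policy-edit actions the Conformity rule looks for (from the audit steps above).
POLICY_EDIT_ACTIONS = {
    "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeleteGroupPolicy",
    "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRolePolicy",
    "iam:DeleteUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy",
    "iam:DetachUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:UpdateAssumeRolePolicy",
}

def allowed_edit_actions(policy_document):
    """Policy-edit actions granted by Allow statements of one policy document.
    Mirrors the page's check: only Effect/Action are evaluated; NotAction and
    Deny statements are not considered."""
    granted = set()
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):       # a single statement object is valid JSON policy
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:            # "iam:*", "iam:Put*", "*" all expand via wildcard match
            for action in POLICY_EDIT_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted

def unauthorized_policy_editors(users, authorized_arns):
    """users: {user_arn: [inline policy documents]}. Returns the ARNs that can edit
    IAM policies but are absent from the rule's authorized-user list."""
    return sorted(arn for arn, docs in users.items()
                  if arn not in authorized_arns
                  and any(allowed_edit_actions(doc) for doc in docs))

# Constructed sample input (placeholder account id); the first document reproduces
# the "IAMCustomFullAccess" shape from the CLI walkthrough in abbreviated form.
SAMPLE_USERS = {
    "arn:aws:iam::123456789012:user/cc-iam-test-admin": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:PutUserPolicy", "iam:DeletePolicy"], "Resource": "*"}]}],
    "arn:aws:iam::123456789012:user/iam-full-access": [{"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}],
    "arn:aws:iam::123456789012:user/ec2-manager": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}],
}
AUTHORIZED_ARNS = {"arn:aws:iam::123456789012:user/iam-full-access"}

if __name__ == "__main__":
    for arn in unauthorized_policy_editors(SAMPLE_USERS, AUTHORIZED_ARNS):
        print("not authorized to edit IAM policies:", arn)
```

Like the CLI steps it reproduces, this only covers inline user policies; managed policies attached directly (list-attached-user-policies) or inherited through group membership also grant these actions and need a separate pass.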

Remediation/Resolution

To decommission any unauthorized IAM users that have the permission to edit IAM access policies within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the AWS IAM user that you want to deactivate (see Audit section part I to identify the right IAM resource).

05 On the selected user Summary page, select the Permissions tab from the bottom panel.

06 Find the necessary access policy (see Audit section part I to identify the right policy) and remove it from the selected IAM user access configuration by clicking the x icon available next to the policy entry:
07 Within the Remove policy dialog box, click Remove to confirm the action. Once the specified policy is removed, the selected IAM user loses the privilege to edit any access policies available in your AWS account.

08 Repeat steps no. 3 – 7 to decommission other unauthorized AWS IAM users that have permission to edit IAM access policies.

Using AWS CLI

01 Run delete-user-policy command (OSX/Linux/UNIX) using the name of the IAM user that you want to deactivate as identifier (see Audit section part II to identify the right IAM user) to remove the required policy from the selected AWS IAM user access configuration. The following command example removes an access policy named "IAMCustomFullAccess" from an IAM user called "cc-iam-test-admin" (the command does not produce an output):

aws iam delete-user-policy \
	--user-name cc-iam-test-admin \
	--policy-name IAMCustomFullAccess

02 Repeat step no. 1 to decommission other unauthorized AWS IAM users that have permission to edit IAM access policies within your AWS account.

Publication date Jun 21, 2017