Identify any AWS IAM users that are not authorized to edit IAM policies and decommission them in order to protect against unapproved access. Before this conformity rule is run by the Cloud Conformity engine, you need to specify the identifiers of all IAM users authorized to edit IAM policies within your AWS account, as a list of valid IAM user ARNs (e.g. arn:aws:iam::123456789012:user/username). If no list is specified, every IAM user with permission to edit IAM access policies is flagged as a risk.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing illegitimate AWS IAM users to edit access policies can lead to serious (intentional or unintentional) security breaches, since a user who can edit policies can grant themselves or others any permission in the account. To prevent unauthorized requests to edit IAM access policies within your AWS account, restrict this permission to trusted IAM users only.
Audit
To identify any unauthorized IAM users that have the permission to edit IAM access policies, perform the following actions:
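As an added example that is not part of the original rule page, the following Python script shows the core of the audit check: given each IAM user's inline policy documents (as returned by `aws iam get-user-policy`, per the references below) and the allow-list of authorized user ARNs, it flags every user whose Allow statements match a policy-editing IAM action, honouring wildcards such as `iam:*`. The user ARNs, the allow-list and the policy documents are constructed sample data; the script only covers inline user policies, so attached managed policies and group memberships must be checked separately.

```python
import fnmatch

# Constructed allow-list: IAM users permitted to edit policies (assumption).
AUTHORIZED_USER_ARNS = {"arn:aws:iam::123456789012:user/iam-admin"}

# IAM actions that create or modify access policies (extend as needed).
POLICY_EDIT_ACTIONS = {
    "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy",
    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
}

def grants_policy_edit(policy_doc):
    """True if any Allow statement's Action matches a policy-editing action.
    IAM action matching is case-insensitive and supports '*' / '?' wildcards.
    NotAction statements are not evaluated here and should be reviewed by hand."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            if any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in POLICY_EDIT_ACTIONS):
                return True
    return False

def unauthorized_policy_editors(users_with_policies, authorized_arns):
    """users_with_policies: {user_arn: [inline policy documents]}.
    Returns the sorted ARNs of users that can edit policies but are not on the allow-list."""
    return sorted(
        arn for arn, docs in users_with_policies.items()
        if arn not in authorized_arns and any(grants_policy_edit(d) for d in docs)
    )

# Constructed sample inline policies, shaped like get-user-policy's PolicyDocument.
SAMPLE_USERS = {
    "arn:aws:iam::123456789012:user/iam-admin":
        [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}],
    "arn:aws:iam::123456789012:user/dev-alice":
        [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "iam:PutUserPolicy"], "Resource": "*"}]}],
    "arn:aws:iam::123456789012:user/reader-bob":
        [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}],
}

if __name__ == "__main__":
    for arn in unauthorized_policy_editors(SAMPLE_USERS, AUTHORIZED_USER_ARNS):
        print("unauthorized policy editor:", arn)
```

In a real audit, populate the dictionary by iterating `aws iam list-users`, then `list-user-policies` and `get-user-policy` for each user.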
Remediation/Resolution
To decommission any unauthorized IAM users that have the permission to edit IAM access policies within your AWS account, perform the following:
References
- AWS Documentation
- IAM Users
- Managing IAM Users
- Actions and Condition Context Keys for AWS Identity and Access Management
- Actions
- AWS Service Actions and Condition Context Keys for Use in IAM Policies
- IAM Policy Elements Reference
- AWS Command Line Interface (CLI) Documentation
- iam
- list-users
- list-user-policies
- get-user-policy
- get-user
- delete-user-policy