Ensure that no Amazon IAM groups with administrator (privileged) permissions exist in your AWS cloud account, in order to adhere to IAM security best practices and implement the Principle of Least Privilege (the practice of giving every user, process, or system only the minimal access required to perform its tasks). A privileged IAM group is an IAM identity that grants its members full access to all AWS cloud services and resources, typically through the "AdministratorAccess" managed policy.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an IAM user belonging to a group with administrator-level permissions (i.e. authorization to modify or remove any resource, access any data in the cloud environment, and use any AWS service or component) is operated by an inexperienced person, their actions can lead to severe security issues such as data leaks, data loss, or unexpected charges on your AWS bill.
As an example, this conformity rule demonstrates how to check for the "AdministratorAccess" policy, an AWS-managed policy that allows access to all AWS cloud services and resources. However, if your Amazon IAM groups have customer-managed policies attached, search those policies for administrator-level permissions, represented by "Effect": "Allow" together with any of the following actions: "Action": "Delete*", "Action": "Create*", "Action": "Update*", or "Action": "*".
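The check described above, as an added example that is not part of the original rule page: it flags a group when the AWS-managed AdministratorAccess policy is attached, or when an attached policy document contains an Allow statement with one of the listed actions (matched literally, as the page states them). The input shape is assumed to mirror the AWS CLI output of list-attached-group-policies plus each policy's document; the group names, account id and policy ARNs in the sample are constructed.

```python
import json

# Action patterns the rule treats as administrator-level when allowed (matched literally;
# service-scoped wildcards such as "s3:Delete*" are not covered by the page's patterns).
PRIVILEGED_ACTIONS = {"*", "Delete*", "Create*", "Update*"}
ADMIN_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def privileged_statements(policy_document):
    """Return the Allow statements whose Action matches the rule's admin patterns."""
    hits = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if set(_as_list(stmt.get("Action"))) & PRIVILEGED_ACTIONS:
            hits.append(stmt)
    return hits


def find_privileged_groups(groups):
    """groups: {group_name: [{"PolicyArn": ..., "Document": {...} or None}, ...]}.
    Returns {group_name: [reasons]} for every group that grants admin-level access."""
    findings = {}
    for name, policies in groups.items():
        reasons = []
        for pol in policies:
            if pol["PolicyArn"] == ADMIN_MANAGED_POLICY_ARN:
                reasons.append("AdministratorAccess attached")
            elif pol.get("Document") and privileged_statements(pol["Document"]):
                reasons.append(f"{pol['PolicyArn']} allows admin-level actions")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample data (hypothetical groups, account id 123456789012 and policy names).
SAMPLE_GROUPS = {
    "Admins": [{"PolicyArn": ADMIN_MANAGED_POLICY_ARN, "Document": None}],
    "Deployers": [{"PolicyArn": "arn:aws:iam::123456789012:policy/DeployAnything",
                   "Document": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}],
    "Readers": [{"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                 "Document": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}}],
}

if __name__ == "__main__":
    print(json.dumps(find_privileged_groups(SAMPLE_GROUPS), indent=2))
```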
Audit
To determine if there are IAM groups with administrative permissions available within your AWS cloud account, perform the following operations:
Remediation / Resolution
To adhere to Amazon IAM security best practices and implement the Principle of Least Privilege (POLP) for your privileged IAM groups, perform the following operations: