
IAM Group with Administrative Permissions in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure there is an Amazon IAM group that has the types of permissions that administrators typically need, available within your AWS cloud account. Before running this rule by the Conformity engine, the name of the IAM admin group must be specified in the rule settings, on your Trend Cloud One™ – Conformity account console.

Security

An IAM group is a collection of IAM users that you can use to make access permissions easier to manage. An IAM group that provides administrator-level permissions is a group with an attached IAM policy that contains the following statement: "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ]. When an IAM user is assigned to an admin group, that identity automatically receives the group's privileges, which authorize it to provision, configure, or remove any AWS cloud resource and to use any available AWS service. The Amazon IAM admin group lets you add or remove the IAM users that require administrative privileges.


Audit

To determine if there is an IAM group that provides administrative privileges available in your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account console, access IAM Group with Administrative Permissions in Use conformity rule settings, and copy the name of the IAM admin group created for your AWS cloud account.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

04 In the navigation panel, under Access management, choose User groups.

05 Paste the name of the IAM group copied at step no. 1 in the Filter user groups by property or value box and press Enter. If the search process does not return any results, there is no IAM admin group available within your AWS cloud account and the Audit process ends here. If the search process returns an IAM group as result, the Audit process continues with the next step.

06 Click on the name of the Amazon IAM group that you want to examine.

07 Select the Permissions tab and click on the name (link) of the attached IAM policy to access the policy document in JSON format. Inside the policy document box, search for the policy statement with the following combination of elements: "Effect": "Allow", "Action": "*", and "Resource": "*".

08 Repeat step no. 7 for each IAM policy attached to the IAM group. If the attached policies don't have the specified combination of elements, the selected Amazon IAM group does not provide administrative privileges, therefore there is no IAM admin group created for administration purposes within your AWS cloud account.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account console, access IAM Group with Administrative Permissions in Use conformity rule settings, and copy the name of the IAM admin group created for your AWS cloud account.

02 Run list-groups command (OSX/Linux/UNIX) with a custom query filter that matches the name of the IAM group copied at the previous step, to return the name of the admin group (if any). Replace <admin-group-name> with the name of your IAM admin group listed in the conformity rule settings:

aws iam list-groups \
  --query "Groups[?GroupName == '<admin-group-name>'].GroupName"

03 The command request should return one of the following outputs:

  1. If the list-groups command output returns an empty array (i.e. []), as shown in the example below, there is no IAM admin group created available in your AWS account and the Audit process ends here:
    []
    
  2. If the list-groups command output returns a group name, as shown in the example below, the Audit process continues with the next step:
    [
    	"cc-project5-admin-group"
    ]
    

04 Run list-attached-group-policies command (OSX/Linux/UNIX) using the name of the IAM group that you want to examine as the identifier parameter, returned at the previous step, to describe the ARNs of the policies attached to the selected group:

aws iam list-attached-group-policies \
  --group-name cc-project5-admin-group \
  --query "AttachedPolicies[*].PolicyArn"

05 The command output should return the Amazon Resource Names (ARNs) of the attached policies:

[
	"arn:aws:iam::123456789012:policy/cc-admin-group-access-policy",
	"arn:aws:iam::123456789012:policy/cc-custom-iam-group-policy"
]

06 Run get-policy-version command (OSX/Linux/UNIX) to describe the policy document for the identity-based policy that you want to examine, attached to your IAM group. Configure the --version-id parameter with the version of the selected policy that is currently in effect (the DefaultVersionId returned by the get-policy command for that policy ARN):

aws iam get-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/cc-admin-group-access-policy \
  --version-id v1 \
  --query 'PolicyVersion.Document'

07 The command output should return the requested policy document:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "123456789012",
			"Effect": "Allow",
			"Action": "ec2:*",
			"Resource": "*"
		}
	]
}

Search for the following combination of elements: "Effect": "Allow", "Action": "*", and "Resource": "*" within the policy document returned by the get-policy-version command output.

08 Repeat steps no. 4 – 7 for each IAM policy attached to the IAM group. If the attached policies don't have the specified combination of elements, the selected Amazon IAM group does not provide administrative privileges, therefore there is no IAM admin group created for administration purposes within your AWS cloud account.
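The following script is an added example, not part of this Conformity page and not Trend Micro or AWS code. It automates the audit just described (steps 02 to 08) and the admin-policy definition from the Security section: find the named group, walk its attached policies, fetch the version of each policy that is currently in effect, and look for the "Effect": "Allow", "Action": "*", "Resource": "*" combination. The IAM API is replaced by a FakeIAM class that answers with constructed data in the same shapes boto3's IAM client returns, so the script runs offline; passing boto3.client("iam") in its place runs the same logic against a real account (credentials need iam:ListGroups, iam:ListAttachedGroupPolicies, iam:GetPolicy and iam:GetPolicyVersion). The group and policy names, ARNs and account id are constructed from the page's own sample values. Two points go slightly beyond the page: Action and Resource are checked as list members, because IAM accepts both "*" and ["*"], and the default policy version is looked up rather than assumed to be v1. Note that, like the procedure above, this inspects managed (attached) policies only; inline group policies (list-group-policies / get-group-policy) would need the same document check.

```python
from typing import Iterable, Union

# Name taken from the Conformity rule settings (constructed value, matches the page's sample output)
ADMIN_GROUP_NAME = "cc-project5-admin-group"
ACCOUNT_ID = "123456789012"  # constructed account id, as used in the page's examples


def _as_list(value: Union[str, Iterable[str], None]) -> list:
    """IAM accepts Action and Resource as one string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_admin_statement(statement: dict) -> bool:
    """The combination the rule looks for: Effect Allow, Action "*", Resource "*".
    "*" is checked as a list member so ["*"] and "*" both match. NotAction, NotResource
    and Condition elements are not evaluated, mirroring the page's criterion."""
    return (
        statement.get("Effect") == "Allow"
        and "*" in _as_list(statement.get("Action"))
        and "*" in _as_list(statement.get("Resource"))
    )


def policy_grants_admin(document: dict) -> bool:
    """Statement may be a single object or a list of objects in an IAM policy document."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(is_admin_statement(s) for s in statements)


class FakeIAM:
    """Offline stand-in for boto3.client("iam"): same method names, keyword parameters and
    response shapes as the four calls the audit needs, backed by constructed data."""

    def __init__(self, groups, attachments, policies):
        self._groups = groups            # [group name, ...]
        self._attachments = attachments  # group name -> [policy ARN, ...]
        self._policies = policies        # ARN -> {"DefaultVersionId": id, "Versions": {id: document}}

    def list_groups(self):
        return {"Groups": [{"GroupName": g} for g in self._groups]}

    def list_attached_group_policies(self, GroupName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self._attachments.get(GroupName, [])]}

    def get_policy(self, PolicyArn):
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": self._policies[PolicyArn]["DefaultVersionId"]}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"Document": self._policies[PolicyArn]["Versions"][VersionId]}}


def audit_admin_group(iam, group_name: str) -> dict:
    """Steps 02-08 of the CLI audit. Returns {"group_found": bool, "admin_policies": [ARN, ...]}.
    On a real account use iam.get_paginator("list_groups"), since list_groups is paginated."""
    names = {g["GroupName"] for g in iam.list_groups()["Groups"]}
    if group_name not in names:
        return {"group_found": False, "admin_policies": []}  # audit ends here
    admin_policies = []
    for attached in iam.list_attached_group_policies(GroupName=group_name)["AttachedPolicies"]:
        arn = attached["PolicyArn"]
        # get-policy-version needs a version id; the default version is the one in effect
        version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        document = iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]
        if policy_grants_admin(document):
            admin_policies.append(arn)
    return {"group_found": True, "admin_policies": admin_policies}


# Constructed sample data: one policy scoped to EC2 only (as in the page's sample output) and one
# whose current version v2 carries the full-admin statement while its older v1 did not.
EC2_ONLY = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
FULL_ADMIN = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}]}
CUSTOM_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/cc-custom-iam-group-policy"
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/cc-admin-group-access-policy"

SAMPLE_IAM = FakeIAM(
    groups=["cc-project5-developers", ADMIN_GROUP_NAME],
    attachments={ADMIN_GROUP_NAME: [CUSTOM_ARN, ADMIN_ARN]},
    policies={
        CUSTOM_ARN: {"DefaultVersionId": "v1", "Versions": {"v1": EC2_ONLY}},
        ADMIN_ARN: {"DefaultVersionId": "v2", "Versions": {"v1": EC2_ONLY, "v2": FULL_ADMIN}},
    },
)

if __name__ == "__main__":
    result = audit_admin_group(SAMPLE_IAM, ADMIN_GROUP_NAME)
    if not result["group_found"]:
        print(f"no IAM group named {ADMIN_GROUP_NAME}: audit ends here")
    elif result["admin_policies"]:
        print(f"{ADMIN_GROUP_NAME} grants administrative privileges via: {result['admin_policies']}")
    else:
        print(f"{ADMIN_GROUP_NAME} exists but no attached policy grants administrative privileges")
```

The version lookup matters: had the script read v1 of cc-admin-group-access-policy, as the page's sample command does, it would have concluded the policy is EC2-only, while the version actually in effect grants full access.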

Remediation / Resolution

To create an Amazon IAM group that provides administrative permissions to the IAM users assigned to the group, required for administration purposes, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "IAM Group with Administrative Permissions in Use",
	"Resources": {
		"IAMGroup": {
			"Type": "AWS::IAM::Group",
			"Properties": {
				"GroupName": "cc-aws-administrator-group"
			}
		},
		"IAMGroupPolicy": {
			"Type": "AWS::IAM::Policy",
			"Properties": {
				"PolicyName": "allow-full-admin-access",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Action": "*",
							"Resource": "*"
						}
					]
				},
				"Groups": [
					{
						"Ref": "IAMGroup"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Group with Administrative Permissions in Use
Resources:
  IAMGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cc-aws-administrator-group
  IAMGroupPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-full-admin-access
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: '*'
            Resource: '*'
      Groups:
        - !Ref 'IAMGroup'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_group" "iam-group" {
	name = "cc-aws-administrator-group"
}

# IAM Group with Administrative Permissions in Use
resource "aws_iam_policy" "iam-policy" {
	name = "allow-full-admin-access"
	# jsonencode() builds the policy document from HCL, which avoids the indented
	# heredoc terminator of the original and lets Terraform validate the JSON.
	policy = jsonencode({
		Version = "2012-10-17"
		Statement = [
			{
				Effect   = "Allow"
				Action   = "*"
				Resource = "*"
			}
		]
	})
}

# aws_iam_policy_attachment manages every attachment of the policy (users, roles and
# groups) exclusively; to attach the policy to this group only and leave other
# attachments untouched, use aws_iam_group_policy_attachment instead.
resource "aws_iam_policy_attachment" "iam-group-attachment" {
	name       = "iam-group-policy-attachment"
	groups     = [aws_iam_group.iam-group.name]
	policy_arn = aws_iam_policy.iam-policy.arn
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Choose Create policy from the console top menu to initiate the IAM policy setup process.

05 On the Create policy page, select JSON tab, and paste the following IAM policy document to the policy box:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "*",
			"Resource": "*"
		}
	]
}

06 Select Next: Tags and use the Add tag button to configure tags for the new IAM policy.

07 Select Next: Review and provide a unique name and a description for the new policy in the Name and Description text fields.

08 Choose Create policy to create the IAM admin policy.

09 In the navigation panel, under Access management, choose User groups.

10 Click on the Create group button from the console top menu to initiate the IAM group setup.

11 On the Create user group setup page, perform the following operations:

  1. Enter the group name in the User group name box. The name of the new IAM group must match the name of the IAM admin group listed in the conformity rule settings.
  2. For Add users to the group – Optional, select the IAM user(s) that you want to add to your new IAM admin group.
  3. For Attach permissions policies – Optional, select the IAM admin policy created at the previous steps.
  4. Choose Create group to create your new Amazon IAM group.

Using AWS CLI

01 Define the required set of permissions that allows an IAM identity (user, group, or role) to access all AWS cloud services and resources. Save the following policy document to a JSON file named cc-iam-group-admin-policy.json:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "allows-full-admin-access",
			"Effect": "Allow",
			"Action": "*",
			"Resource": "*"
		}
	]
}

02 Run create-policy command (OSX/Linux/UNIX) using the policy document defined at the previous step (i.e. cc-iam-group-admin-policy.json), to create the IAM policy that provides administrative privileges for all the cloud services and resources within your AWS account:

aws iam create-policy \
  --policy-name cc-admin-group-full-access \
  --policy-document file://cc-iam-group-admin-policy.json

03 The command output should return the metadata available for the new admin policy:

{
	"Policy": {
		"PolicyName": "cc-admin-group-full-access",
		"CreateDate": "2021-04-20T18:52:45Z",
		"AttachmentCount": 0,
		"IsAttachable": true,
		"PolicyId": "ABCDABCDABCDABCDABCD",
		"DefaultVersionId": "v1",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:policy/cc-admin-group-full-access",
		"UpdateDate": "2021-04-20T18:52:45Z"
	}
}

04 Run create-group command (OSX/Linux/UNIX) to create your Amazon IAM admin group. Replace <admin-group-name> with the name of your own IAM admin group (must match the name of the admin group listed in the conformity rule settings):

aws iam create-group \
  --group-name <admin-group-name>

05 The command output should return the metadata available for the new IAM admin group:

{
	"Group": {
		"Path": "/",
		"GroupName": "<admin-group-name>",
		"GroupId": "AAAABBBBCCCCDDDDEEEEF",
		"Arn": "arn:aws:iam::123456789012:group/<admin-group-name>",
		"CreateDate": "2021-04-22T10:00:00Z"
	}
}

06 Run attach-group-policy command (OSX/Linux/UNIX) to attach the identity-based policy created at the previous steps to your new IAM admin group (if successful, the command does not produce an output):

aws iam attach-group-policy \
  --policy-arn arn:aws:iam::123456789012:policy/cc-admin-group-full-access \
  --group-name <admin-group-name>

Publication date Apr 1, 2018