Customer-Managed Policy with Administrative Permissions in Use

Risk Level: Medium (should be achieved)

Ensure there is a customer-managed IAM policy that allows administrative privileges for all the AWS services and resources, available within your AWS account. Before running this rule by the Conformity engine, the name of the admin policy must be defined in the rule settings, on your Trend Micro Cloud One™ – Conformity account console.

Security

A managed IAM policy is a standalone policy that can be attached to your IAM identities (users, groups, and roles) and can't be applied to cloud resources. A customer-managed policy that provides administrator-level permissions is a policy that contains the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*". When this admin policy is attached to an IAM user, role, or group, the IAM identity has the authorization to provision, configure, or remove any AWS resource, access data, and use any AWS service or component. A customer-managed IAM policy with administrative permissions must exist in your AWS cloud account for administration purposes.

Audit

To determine if there is a customer-managed IAM policy that allows administrative privileges available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account console, access Customer-Managed Policy with Administrative Permissions in Use conformity rule settings, and copy the name of the IAM admin policy defined for your AWS cloud account.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

04 In the navigation panel, under Access management, choose Policies.

05 Select Customer managed from the Filter policies dropdown menu to list only the customer-managed policies available in your AWS account.

06 Paste the name of the managed policy copied at step no. 1 in the Search box and press Enter. If the search process does not return any results, there is no IAM admin policy available within your AWS cloud account and the Audit process ends here. If the search process returns a customer-managed IAM policy as result, the Audit process continues with the next step.

07 Click on the name (link) of the IAM policy that you want to examine.

08 Select Permissions tab and choose {} JSON to access the selected policy document in JSON format.

09 Inside the policy document box, search for the policy statement with the following combination of elements:"Effect": "Allow", "Action": "*", and "Resource": "*". If the verified customer-managed policy does not have the specified combination of elements, the selected Amazon IAM policy does not provide administrative privileges, therefore there is no IAM admin policy created for administration purposes within your AWS cloud account.

Using AWS CLI

02 Run list-policies command (OSX/Linux/UNIX) using the name of the customer-managed policy copied at the previous step as the identifier parameter and custom query filters to list the Amazon Resource Name (ARN) of the admin policy (if any). Replace <admin-policy-name> with the name of your IAM admin policy listed in the conformity rule settings:

aws iam list-policies
  --query "Policies[?PolicyName == '<admin-policy-name>'].Arn"

03 The command request should return one of the following outputs:

If the list-policies command output returns an empty array (i.e. []), as shown in the example below, there is no IAM admin policy created available in your AWS account and the Audit process ends here.
```
[]
```
If the list-policies command output returns a policy ARN, as shown in the example below, the Audit process continues with the next step:
```
[
	"arn:aws:iam::123456789012:policy/<admin-policy-name>"
]
```

04 Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the customer-managed IAM policy that you want to examine as the identifier parameter, returned at the previous step, to describe the policy document in JSON format. Configure the --version-id parameter with the latest version of the selected policy:

aws iam get-policy-version
  --policy-arn arn:aws:iam::123456789012:policy/<admin-policy-name>
  --version-id v1
  --query 'PolicyVersion.Document'

05 The command output should return the requested policy document:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "123456789012",
			"Effect": "Allow",
			"Action": "ec2:*",
			"Resource": "*"
		}
	]
}

Search for the following combination of elements:"Effect": "Allow", "Action": "*", and "Resource": "*"within the policy document returned by the get-policy-version command output. If the verified customer-managed IAM policy does not contain the specified combination of elements, the Amazon IAM policy does not provide administrative privileges, therefore the selected IAM policy is not compliant.

Remediation / Resolution

To create a customer-managed IAM policy with administrative permissions, required for AWS cloud administration, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Customer-Managed Policy with Administrative Permissions in Use",
	"Resources": {
		"IAMManagedPolicy": {
			"Type": "AWS::IAM::Policy",
			"Properties": {
				"PolicyName": "cc-allow-full-admin-access",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Action": "*",
							"Resource": "*"
						}
					]
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Customer-Managed Policy with Administrative Permissions in Use
	Resources:
	IAMManagedPolicy:
		Type: AWS::IAM::Policy
		Properties:
		PolicyName: cc-allow-full-admin-access
		PolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Effect: Allow
				Action: '*'
				Resource: '*'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Customer-Managed Policy with Administrative Permissions in Use
resource "aws_iam_policy" "iam-managed-policy" {
	name   = "cc-allow-full-admin-access"
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Effect": "Allow",
				"Action": "*",
				"Resource": "*"
			}
		]
	}
	EOF
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Choose Create policy from the console top menu to initiate the IAM policy setup process.

05 On the Create policy page, select JSON tab, and paste the following IAM policy document to the policy box:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "*",
			"Resource": "*"
		}
	]
}

06 Select Next: Tags and use the Add tag button to configure tags for the new IAM policy.

07 Select Next: Review and provide a unique name and a description for the new policy in the Name and Description text fields. The name of the new policy must match the name of the IAM admin policy listed in the conformity rule settings.

08 Choose Create policy to create your new IAM admin policy.

Using AWS CLI

01 Define the required set of permissions that allows an IAM identity (user, group, or role) to access all AWS cloud services and resources. Save the following policy document to a JSON file named cc-iam-admin-policy.json:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "allows-full-admin-access",
			"Effect": "Allow",
			"Action": "*",
			"Resource": "*"
		}
	]
}

02 Run create-policy command (OSX/Linux/UNIX) using the policy document defined at the previous step (i.e. cc-iam-admin-policy.json), to create the customer-managed IAM policy that provides administrative privileges for all the cloud services and resources within your AWS account. Replace <admin-policy-name> with your own admin policy name (must match the name of the IAM admin policy listed in the conformity rule settings):

aws iam create-policy
  --policy-name <admin-policy-name>
  --policy-document file://cc-iam-admin-policy.json

03 The command output should return the metadata available for the new IAM admin policy:

{
	"Policy": {
		"PolicyName": "<admin-policy-name>",
		"CreateDate": "2021-04-20T18:52:45Z",
		"AttachmentCount": 0,
		"IsAttachable": true,
		"PolicyId": "ABCDABCDABCDABCDABCD",
		"DefaultVersionId": "v1",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:policy/<admin-policy-name>",
		"UpdateDate": "2021-04-20T18:52:45Z"
	}
}

References

AWS Command Line Interface (CLI) Documentation
iam
list-policies
get-policy-version
create-policy

Publication date Apr 12, 2018

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Customer-Managed Policy with Administrative Permissions in Use

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related IAM rules