Ensure there is a customer-managed IAM policy that allows administrative privileges for all the AWS services and resources, available within your AWS account. Before running this rule by the Conformity engine, the name of the admin policy must be defined in the rule settings, on your Trend Cloud One™ – Conformity account console.
A managed IAM policy is a standalone policy that can be attached to your IAM identities (users, groups, and roles) and can't be applied to cloud resources. A customer-managed policy that provides administrator-level permissions is a policy that contains the following combination of elements: "Effect": "Allow", "Action": "*", "Resource": "*". When this admin policy is attached to an IAM user, role, or group, the IAM identity has the authorization to provision, configure, or remove any AWS resource, access data, and use any AWS service or component. A customer-managed IAM policy with administrative permissions must exist in your AWS cloud account for administration purposes.
Audit
To determine if there is a customer-managed IAM policy that allows administrative privileges available in your AWS account, perform the following actions:
Remediation / Resolution
To create a customer-managed IAM policy with administrative permissions, required for AWS cloud administration, perform the following actions:
References
- AWS Documentation
- AWS IAM FAQs
- IAM Best Practices
- Managed Policies and Inline Policies
- IAM JSON Policy Reference
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- iam
- list-policies
- get-policy-version
- create-policy