
IAM Master and IAM Manager Roles (Deprecated)

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Status: Deprecated
Please note this rule has been deprecated from the Conformity system and should not be enabled. For more information on rule deprecation, see here.

The rule was originally created to support a Center for Internet Security (CIS) recommendation that has since been superseded.

It is no longer considered best practice to create global 'master' and 'manager' roles using inline policies. The principle of least privilege, on which AWS IAM guidance is built, favours a more granular approach in which permissions are granted for specific purposes only. AWS best practice now places greater emphasis on managing access through AWS Organizations and on roles assumed via AWS STS (including for console users), and generally advises against attaching inline policies directly to groups, roles and users.

Conformity continues to recommend a range of AWS IAM best practices and encourages organizations to follow the principle of least privilege. For Conformity's full list of AWS IAM best practice recommendations, see AWS IAM Best Practices.

Risk Level: High (act today)
Rule ID: IAM-047

Ensure that IAM administration and permission management within your AWS account is divided between two roles, IAM Master and IAM Manager. The IAM Master role creates and deletes IAM users, groups, roles and policies; the IAM Manager role adds users to groups and attaches or detaches permissions policies for users and groups. Neither role can do the other's job, and no single IAM user or group should be able to assume both.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Because Amazon IAM is the main point of control over access to every other service in an AWS account, the best practice is to avoid giving a single user full control over IAM. The goal of this rule is a separation of duties: the IAM Master role can create and delete users, groups, roles and policies but is explicitly denied the actions that attach permissions to users and groups, while the IAM Manager role can attach permissions and manage group membership but is explicitly denied the actions that create principals and policies. Granting a new permission therefore takes two people acting together (a two-person rule). Note that, as written on this page, both roles allow their actions on Resource "*", so each can still widen its own grant: the Master role through iam:PutRolePolicy or iam:AttachRolePolicy on its own role, the Manager role through iam:AttachGroupPolicy on, or iam:AddUserToGroup into, the IAM-Masters group. The split enforces procedure rather than a hard boundary unless the two roles and their groups are explicitly denied in each policy. Giving IAM users and roles only the permissions they need still significantly reduces the risk of unauthorized access to your AWS cloud environment.


Audit

To search for IAM Master and IAM Manager roles within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Roles.

04 Click on the name of the IAM role that you want to examine.

05 Select the Permissions tab to access the identity-based policies attached to the selected IAM role.

06 In the Permissions policies section, click on the Expand button (right arrow icon) available next to each inline policy, and choose {} JSON to show the policy document in JSON format:

  1. To identify the IAM Master role, perform the following:
    • Within {} JSON section, search for the following set of actions where the "Effect" element is set to "Allow":
      • iam:AttachRolePolicy
      • iam:CreateGroup
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateUser
      • iam:DeleteGroup
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DeleteUser
      • iam:PutRolePolicy
      • iam:GetPolicy
      • iam:GetPolicyVersion
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:GetUser
      • iam:GetUserPolicy
      • iam:ListEntitiesForPolicy
      • iam:ListGroupPolicies
      • iam:ListGroups
      • iam:ListGroupsForUser
      • iam:ListPolicies
      • iam:ListPoliciesGrantingServiceAccess
      • iam:ListPolicyVersions
      • iam:ListRolePolicies
      • iam:ListAttachedGroupPolicies
      • iam:ListAttachedRolePolicies
      • iam:ListAttachedUserPolicies
      • iam:ListRoles
      • iam:ListUsers
    • And search for the following set of actions where the "Effect" element is set to "Deny":
      • iam:AddUserToGroup
      • iam:AttachGroupPolicy
      • iam:DeleteGroupPolicy
      • iam:DeleteUserPolicy
      • iam:DetachGroupPolicy
      • iam:DetachRolePolicy
      • iam:DetachUserPolicy
      • iam:PutGroupPolicy
      • iam:PutUserPolicy
      • iam:RemoveUserFromGroup
      • iam:UpdateGroup
      • iam:UpdateAssumeRolePolicy
      • iam:UpdateUser
  2. To identify the IAM Manager role, perform the following:
    • Within the {} JSON section, search for the following set of actions where the "Effect" element is set to "Allow":
      • iam:AddUserToGroup
      • iam:AttachGroupPolicy
      • iam:DeleteGroupPolicy
      • iam:DeleteUserPolicy
      • iam:DetachGroupPolicy
      • iam:DetachRolePolicy
      • iam:DetachUserPolicy
      • iam:PutGroupPolicy
      • iam:PutUserPolicy
      • iam:RemoveUserFromGroup
      • iam:UpdateGroup
      • iam:UpdateAssumeRolePolicy
      • iam:UpdateUser
      • iam:GetPolicy
      • iam:GetPolicyVersion
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:GetUser
      • iam:GetUserPolicy
      • iam:ListEntitiesForPolicy
      • iam:ListGroupPolicies
      • iam:ListGroups
      • iam:ListGroupsForUser
      • iam:ListPolicies
      • iam:ListPoliciesGrantingServiceAccess
      • iam:ListPolicyVersions
      • iam:ListRolePolicies
      • iam:ListAttachedGroupPolicies
      • iam:ListAttachedRolePolicies
      • iam:ListAttachedUserPolicies
      • iam:ListRoles
      • iam:ListUsers
    • And search for the following set of actions where the "Effect" element is set to "Deny":
      • iam:AttachRolePolicy
      • iam:CreateGroup
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateUser
      • iam:DeleteGroup
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DeleteUser
      • iam:PutRolePolicy

07 If the set of actions specified at the previous step matches the selected IAM role, verify the role's Trust Relationship policy to determine which IAM users or groups can assume it. Select the Trust relationships tab and review the IAM entities listed in the Trusted entities section. If the trusted entity is the account itself (arn:aws:iam::<account-id>:root), any principal in the account whose own permissions policy allows sts:AssumeRole on the role ARN can assume it, so check the users' and groups' permissions policies as well. For compliance, make sure that no existing IAM user or group can assume both the IAM Master and the IAM Manager role.

08 If the conditions presented at steps no. 6 and 7 are not met, the selected Amazon IAM role does not qualify for the role of IAM Master or IAM Manager.

09 Repeat steps no. 4 – 8 for each IAM role available within your AWS account in order to identify the IAM Master or IAM Manager role necessary within the two-person configuration required for the compliant IAM administration and management model promoted by this conformity rule.

Using AWS CLI

01 Run list-roles command (OSX/Linux/UNIX) with custom query filters to list the names of all the IAM roles available in your AWS cloud account:

aws iam list-roles \
	--output table \
	--query 'Roles[*].RoleName'

02 The command output should return a table with the requested IAM role identifiers:

------------------------------------
|             ListRoles            |
+----------------------------------+
|  cc-iam-allaccess                |
|  cc-prod-manager-role            |
+----------------------------------+

03 Run list-role-policies command (OSX/Linux/UNIX) using the name of the IAM role that you want to examine as the identifier parameter and custom filtering to list the name of each inline policy configured for the selected role:

aws iam list-role-policies \
  --role-name cc-iam-allaccess \
  --query 'PolicyNames'

04 The command output should return the requested policy name(s):

[
  "iam-allaccess-custom-policy"
]

05 Run get-role-policy command (OSX/Linux/UNIX) to describe the policy document defined for the inline policy configured for your Amazon IAM role:

aws iam get-role-policy \
	--role-name cc-iam-allaccess \
	--policy-name iam-allaccess-custom-policy \
	--query 'PolicyDocument'

06 The command output should return the requested policy document (JSON format):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": "iam:*"
        }
    ]
}

07 To identify the desired role (i.e. IAM Master or IAM Manager role) by analyzing the policy returned by the get-role-policy command output at the previous step, perform the following:

  1. To identify the IAM Master role
    • Search for the following set of actions where the "Effect" element is set to "Allow":
      • iam:AttachRolePolicy
      • iam:CreateGroup
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateUser
      • iam:DeleteGroup
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DeleteUser
      • iam:PutRolePolicy
      • iam:GetPolicy
      • iam:GetPolicyVersion
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:GetUser
      • iam:GetUserPolicy
      • iam:ListEntitiesForPolicy
      • iam:ListGroupPolicies
      • iam:ListGroups
      • iam:ListGroupsForUser
      • iam:ListPolicies
      • iam:ListPoliciesGrantingServiceAccess
      • iam:ListPolicyVersions
      • iam:ListRolePolicies
      • iam:ListAttachedGroupPolicies
      • iam:ListAttachedRolePolicies
      • iam:ListAttachedUserPolicies
      • iam:ListRoles
      • iam:ListUsers
    • And search for the following set of actions where the "Effect" element is set to "Deny":
      • iam:AddUserToGroup
      • iam:AttachGroupPolicy
      • iam:DeleteGroupPolicy
      • iam:DeleteUserPolicy
      • iam:DetachGroupPolicy
      • iam:DetachRolePolicy
      • iam:DetachUserPolicy
      • iam:PutGroupPolicy
      • iam:PutUserPolicy
      • iam:RemoveUserFromGroup
      • iam:UpdateGroup
      • iam:UpdateAssumeRolePolicy
      • iam:UpdateUser
  2. To identify the IAM Manager role
    • Search for the following set of actions where the "Effect" element is set to "Allow":
      • iam:AddUserToGroup
      • iam:AttachGroupPolicy
      • iam:DeleteGroupPolicy
      • iam:DeleteUserPolicy
      • iam:DetachGroupPolicy
      • iam:DetachRolePolicy
      • iam:DetachUserPolicy
      • iam:PutGroupPolicy
      • iam:PutUserPolicy
      • iam:RemoveUserFromGroup
      • iam:UpdateGroup
      • iam:UpdateAssumeRolePolicy
      • iam:UpdateUser
      • iam:GetPolicy
      • iam:GetPolicyVersion
      • iam:GetRole
      • iam:GetRolePolicy
      • iam:GetUser
      • iam:GetUserPolicy
      • iam:ListEntitiesForPolicy
      • iam:ListGroupPolicies
      • iam:ListGroups
      • iam:ListGroupsForUser
      • iam:ListPolicies
      • iam:ListPoliciesGrantingServiceAccess
      • iam:ListPolicyVersions
      • iam:ListRolePolicies
      • iam:ListAttachedGroupPolicies
      • iam:ListAttachedRolePolicies
      • iam:ListAttachedUserPolicies
      • iam:ListRoles
      • iam:ListUsers
    • And search for the following set of actions where the "Effect" element is set to "Deny":
      • iam:AttachRolePolicy
      • iam:CreateGroup
      • iam:CreatePolicy
      • iam:CreatePolicyVersion
      • iam:CreateRole
      • iam:CreateUser
      • iam:DeleteGroup
      • iam:DeletePolicy
      • iam:DeletePolicyVersion
      • iam:DeleteRole
      • iam:DeleteRolePolicy
      • iam:DeleteUser
      • iam:PutRolePolicy

08 If the set of actions specified at the previous step matches the selected IAM role, verify the role's Trust Relationship policy to determine which IAM users or groups can assume it. Run get-role command (OSX/Linux/UNIX) using the name of the selected IAM role as the identifier parameter to describe the Trust Relationship policy attached to the role:

aws iam get-role \
	--role-name cc-iam-allaccess \
	--query 'Role.AssumeRolePolicyDocument'

09 The command output should return the Trust Relationship policy associated with the selected role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "iam.amazonaws.com"
            }
        }
    ]
}

Check the "Principal" element value to determine which service, user, or group can assume the selected role. A Principal of arn:aws:iam::<account-id>:root delegates the decision to the account: any IAM user or group whose own permissions policy allows sts:AssumeRole on the role ARN can then assume it, so run get-user-policy / get-group-policy on those entities as well. For compliance, make sure that no existing IAM user or IAM group can assume both the IAM Master and the IAM Manager role.

10 If the conditions presented at steps no. 5 – 9 are not met, the selected Amazon IAM role does not qualify for the role of IAM Master or IAM Manager.

11 Repeat steps no. 3 – 10 for each IAM role available in your AWS cloud account in order to identify the IAM Master or IAM Manager role necessary within the two-person configuration required for the compliant IAM administration and management model promoted by this conformity rule.
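The classification logic of steps 07 to 10 above, as an added Python example that is not part of the Conformity rule or of any AWS tool: it takes the JSON that `aws iam get-role-policy --query PolicyDocument` and `aws iam get-group-policy --query PolicyDocument` return and decides, offline, whether a role matches the IAM Master or IAM Manager action sets and whether any group's policy lets its members assume both roles. The account ID, role names and group names in the sample data are constructed; a bare "iam:*" grant (the page's cc-iam-allaccess example) is deliberately not expanded, since the rule requires the explicit Allow/Deny split.

```python
"""Offline classifier for the IAM Master / IAM Manager audit (added example).

Feed it the JSON from `aws iam get-role-policy --query PolicyDocument` and
`aws iam get-group-policy --query PolicyDocument`; no AWS access is needed.
"""
import json

# Action sets taken from the rule text. Matching is case-insensitive (IAM action
# names are) and a wildcard such as "iam:*" is NOT expanded on purpose: the rule
# requires the explicit Allow/Deny split, so a wildcard grant never qualifies.
MASTER_ONLY = {
    "iam:AttachRolePolicy", "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:CreateRole", "iam:CreateUser", "iam:DeleteGroup", "iam:DeletePolicy",
    "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
    "iam:PutRolePolicy"}
MANAGER_ONLY = {
    "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
    "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:PutGroupPolicy",
    "iam:PutUserPolicy", "iam:RemoveUserFromGroup", "iam:UpdateGroup",
    "iam:UpdateAssumeRolePolicy", "iam:UpdateUser"}
READ_ONLY = {
    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser",
    "iam:GetUserPolicy", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups",
    "iam:ListGroupsForUser", "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess",
    "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies",
    "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"}
ASSUME = {"sts:assumerole", "sts:*", "*"}  # any of these lets a policy grant AssumeRole


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string/object or a list."""
    return value if isinstance(value, list) else [value]


def _lower(actions):
    return {a.lower() for a in actions}


def action_sets(policy):
    """Return (allowed, denied) lower-cased action names from a policy document."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(_lower(_as_list(stmt.get("Action", []))))
    return allowed, denied


def classify_role_policy(policy):
    """'master', 'manager', or None, using the Allow/Deny sets from the rule."""
    allowed, denied = action_sets(policy)
    if _lower(MASTER_ONLY | READ_ONLY) <= allowed and _lower(MANAGER_ONLY) <= denied:
        return "master"
    if _lower(MANAGER_ONLY | READ_ONLY) <= allowed and _lower(MASTER_ONLY) <= denied:
        return "manager"
    return None


def assume_role_targets(permissions_policy):
    """Role ARNs (or "*") that a user/group permissions policy allows AssumeRole on.

    This is the check the trust policy alone cannot answer: when both roles trust
    the account root, who can really assume them is decided by these policies."""
    targets = set()
    for stmt in _as_list(permissions_policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _lower(_as_list(stmt.get("Action", []))) & ASSUME:
            targets.update(_as_list(stmt.get("Resource", [])))
    return targets


def groups_assuming_both(group_policies, master_arn, manager_arn):
    """group_policies maps group name -> list of its inline policy documents.
    Returns the groups whose members could assume BOTH roles (non-compliant)."""
    offenders = set()
    for group, docs in group_policies.items():
        targets = set().union(*(assume_role_targets(d) for d in docs))
        if targets & {master_arn, "*"} and targets & {manager_arn, "*"}:
            offenders.add(group)
    return offenders


def build_policy(allow, deny):
    """Constructed sample in the shape of the rule's inline policies."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(allow), "Resource": "*"},
        {"Effect": "Deny", "Action": sorted(deny), "Resource": "*"}]}


if __name__ == "__main__":
    acct = "123456789012"  # constructed account id
    master_arn = f"arn:aws:iam::{acct}:role/IAM-Master-Role"
    manager_arn = f"arn:aws:iam::{acct}:role/IAM-Manager-Role"
    samples = {  # constructed role policies; the third mirrors the page's cc-iam-allaccess output
        "IAM-Master-Role": build_policy(MASTER_ONLY | READ_ONLY, MANAGER_ONLY),
        "IAM-Manager-Role": build_policy(MANAGER_ONLY | READ_ONLY, MASTER_ONLY),
        "cc-iam-allaccess": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
    }
    for name, doc in samples.items():
        print(f"{name}: {classify_role_policy(doc)}")
    groups = {  # constructed group policies; "Admins" holds a wildcard that reaches both roles
        "IAM-Masters": [{"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": master_arn}}],
        "IAM-Managers": [{"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": manager_arn}}],
        "Admins": [{"Statement": {"Effect": "Allow", "Action": "sts:*", "Resource": "*"}}],
    }
    print("groups that can assume both roles:", groups_assuming_both(groups, master_arn, manager_arn))
```

To run it against a real account, pipe the output of get-role-policy for each role from step 03 into `classify_role_policy`, and the output of get-group-policy for each group into `groups_assuming_both`; a non-empty result from the latter is exactly the condition step 09 tells you to rule out.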

Remediation / Resolution

To create the IAM Master and IAM Manager roles necessary for an efficient IAM administration and permission management within your AWS cloud account, perform the following operations:

Note: Creating and configuring IAM Master and IAM Manager roles using AWS Management Console is not currently supported.

Using AWS CLI

01 Define the identity-based policy for both IAM Master and IAM Manager roles. To configure the required policy, perform the following actions:

  1. To create the identity-based policy for the IAM Master role, paste the following policy document to a JSON file named iam-master-policy.json:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateGroup",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:CreateRole",
            "iam:CreateUser",
            "iam:DeleteGroup",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DeleteUser",
            "iam:PutRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:GetUser",
            "iam:GetUserPolicy",
            "iam:ListEntitiesForPolicy",
            "iam:ListGroupPolicies",
            "iam:ListGroups",
            "iam:ListGroupsForUser",
            "iam:ListPolicies",
            "iam:ListPoliciesGrantingServiceAccess",
            "iam:ListPolicyVersions",
            "iam:ListRolePolicies",
            "iam:ListAttachedGroupPolicies",
            "iam:ListAttachedRolePolicies",
            "iam:ListAttachedUserPolicies",
            "iam:ListRoles",
            "iam:ListUsers"
          ],
          "Condition": {
            "Bool": {
              "aws:MultiFactorAuthPresent": "true"
            }
          },
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": [
            "iam:AddUserToGroup",
            "iam:AttachGroupPolicy",
            "iam:DeleteGroupPolicy",
            "iam:DeleteUserPolicy",
            "iam:DetachGroupPolicy",
            "iam:DetachRolePolicy",
            "iam:DetachUserPolicy",
            "iam:PutGroupPolicy",
            "iam:PutUserPolicy",
            "iam:RemoveUserFromGroup",
            "iam:UpdateGroup",
            "iam:UpdateAssumeRolePolicy",
            "iam:UpdateUser"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    
  2. To create the identity-based policy for the second role, i.e. IAM Manager, paste the following policy document to a JSON file named iam-manager-policy.json:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:AddUserToGroup",
            "iam:AttachGroupPolicy",
            "iam:DeleteGroupPolicy",
            "iam:DeleteUserPolicy",
            "iam:DetachGroupPolicy",
            "iam:DetachRolePolicy",
            "iam:DetachUserPolicy",
            "iam:PutGroupPolicy",
            "iam:PutUserPolicy",
            "iam:RemoveUserFromGroup",
            "iam:UpdateGroup",
            "iam:UpdateAssumeRolePolicy",
            "iam:UpdateUser",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:GetUser",
            "iam:GetUserPolicy",
            "iam:ListEntitiesForPolicy",
            "iam:ListGroupPolicies",
            "iam:ListGroups",
            "iam:ListGroupsForUser",
            "iam:ListPolicies",
            "iam:ListPoliciesGrantingServiceAccess",
            "iam:ListPolicyVersions",
            "iam:ListRolePolicies",
            "iam:ListAttachedGroupPolicies",
            "iam:ListAttachedRolePolicies",
            "iam:ListAttachedUserPolicies",
            "iam:ListRoles",
            "iam:ListUsers"
          ],
          "Condition": {
            "Bool": {
              "aws:MultiFactorAuthPresent": "true"
            }
          },
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateGroup",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:CreateRole",
            "iam:CreateUser",
            "iam:DeleteGroup",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DeleteUser",
            "iam:PutRolePolicy"
          ],
          "Resource": [
              "*"
          ]
        }
      ]
    }
    

02 Create the required Trust Relationship policy for the IAM Master and IAM Manager roles by performing the following actions:

  1. To create the Trust Relationship policy for the IAM Master role, paste the following information to a JSON document named iam-master-trust-policy.json and replace the aws_account placeholder with your AWS account ID number. A Principal of arn:aws:iam::<account-id>:root delegates the decision to the account: the IAM group policies created at step no. 9 are what restrict who can actually assume the role.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::aws_account:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  2. To create the Trust Relationship policy for the IAM Manager role, paste the following information (identical to the IAM Master document) to a new JSON document named iam-manager-trust-policy.json, then replace the aws_account placeholder with your AWS account ID:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::aws_account:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
    

03 Run create-role command (OSX/Linux/UNIX) to create the IAM Master role using the Trust Relationship policy defined at the previous step (i.e. iam-master-trust-policy.json):

aws iam create-role \
	--role-name IAM-Master-Role \
	--assume-role-policy-document file://iam-master-trust-policy.json

04 The command output should return the metadata available for the new IAM Master role:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:root"
                    }
                }
            ]
        },
        "RoleId": "ABCDABCDABCDABCDABCDA",
        "CreateDate": "2021-04-14T09:06:39.840Z",
        "RoleName": "IAM-Master-Role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/IAM-Master-Role"
    }
}

05 Run put-role-policy command (OSX/Linux/UNIX) to attach the inline policy defined at step no. 1 (iam-master-policy.json) to the newly created IAM Master role (the command does not produce an output):

aws iam put-role-policy \
	--role-name IAM-Master-Role \
	--policy-name IAM-Master-Role-Policy \
	--policy-document file://iam-master-policy.json

06 Run create-role command (OSX/Linux/UNIX) to create the second role, i.e. IAM Manager role, using the Trust Relationship policy defined at step no. 2 (i.e. iam-manager-trust-policy.json):

aws iam create-role \
	--role-name IAM-Manager-Role \
	--assume-role-policy-document file://iam-manager-trust-policy.json

07 The command output should return the metadata available for the new IAM Manager role:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:root"
                    }
                }
            ]
        },
        "RoleId": "ABCDABCDABCDABCDABCDA",
        "CreateDate": "2021-04-14T09:34:05.840Z",
        "RoleName": "IAM-Manager-Role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/IAM-Manager-Role"
    }
}

08 Run put-role-policy command (OSX/Linux/UNIX) to attach the inline policy defined at step no. 1 (iam-manager-policy.json) to the new IAM Manager role (if successful, the command does not return an output):

aws iam put-role-policy \
	--role-name IAM-Manager-Role \
	--policy-name IAM-Manager-Role-Policy \
	--policy-document file://iam-manager-policy.json

09 The IAM Master and IAM Manager roles must be assumable by two different IAM groups, so that two different people have to act together to give other IAM users and roles their permissions. To create the IAM groups whose members will assume the IAM Master and the IAM Manager role, perform the following actions:

  1. For the group whose members will assume the IAM Master role:
    • Run create-group command (OSX/Linux/UNIX) to create a new IAM group:
      aws iam create-group \
      	--group-name IAM-Masters
      
    • The output should return the create-group command request metadata:
      {
          "Group": {
              "Path": "/",
              "CreateDate": "2021-04-14T09:56:55.626Z",
              "GroupId": "ABCDABCDABCDABCDABCDA",
              "Arn": "arn:aws:iam::123456789012:group/IAM-Masters",
              "GroupName": "IAM-Masters"
          }
      }
      
    • Define an inline permissions policy for the new IAM group that allows its members to call sts:AssumeRole on the IAM Master role (this is a permissions policy attached to the group, not a trust policy; the trust policy created at step no. 2 lives on the role). Use the Amazon Resource Name (ARN) of the IAM Master role returned at step no. 4 as the value of the "Resource" policy element and save the document to a JSON file named iam-master-group-trust-policy.json:
      {
      	"Version": "2012-10-17",
      	"Statement": {
      		"Effect": "Allow",
      		"Action": "sts:AssumeRole",
      		"Resource": "arn:aws:iam::123456789012:role/IAM-Master-Role"
      	}
      }
      
    • Run put-group-policy command (OSX/Linux/UNIX) to attach the permissions policy created at the previous step to the newly created IAM group, i.e. IAM-Masters group (the command does not produce an output):
      aws iam put-group-policy \
      	--group-name IAM-Masters \
      	--policy-name IAM-Masters-Group-Trust-Policy \
      	--policy-document file://iam-master-group-trust-policy.json
      
    • Each user added to this IAM group can then assume the IAM Master role. Because the role's inline policy only allows its actions when aws:MultiFactorAuthPresent is true, the sts:AssumeRole call must include the user's MFA device and code (for the AWS CLI, the --serial-number and --token-code options of aws sts assume-role); a session obtained without MFA matches none of the role's Allow statements.
  2. For the group whose members will assume the IAM Manager role:
    • Run create-group command (OSX/Linux/UNIX) to create a new IAM group:
      aws iam create-group \
      	--group-name IAM-Managers
      
    • The output should return the create-group command request metadata:
      {
          "Group": {
              "Path": "/",
              "CreateDate": "2021-04-14T09:59:31.626Z",
              "GroupId": "ABCDABCDABCDABCDABCDA",
              "Arn": "arn:aws:iam::123456789012:group/IAM-Managers",
              "GroupName": "IAM-Managers"
          }
      }
      
    • Define an inline permissions policy for the new IAM group that allows its members to call sts:AssumeRole on the IAM Manager role, using the ARN of the IAM Manager role returned at step no. 7 as the value of the "Resource" policy element. Save the policy document to a JSON file named iam-manager-group-trust-policy.json:
      {
      	"Version": "2012-10-17",
      	"Statement": {
      		"Effect": "Allow",
      		"Action": "sts:AssumeRole",
      		"Resource": "arn:aws:iam::123456789012:role/IAM-Manager-Role"
      	}
      }
      
    • Run put-group-policy command (OSX/Linux/UNIX) to attach the permissions policy created at the previous step to the newly created IAM group, i.e. IAM-Managers group (if successful, the command does not produce an output):
      aws iam put-group-policy \
      	--group-name IAM-Managers \
      	--policy-name IAM-Managers-Group-Trust-Policy \
      	--policy-document file://iam-manager-group-trust-policy.json
      
    • Each user added to this IAM group can then assume the IAM Manager role, again only from an MFA-authenticated AssumeRole call. Make sure no user is a member of both IAM-Masters and IAM-Managers, otherwise the two-person split is lost.
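The whole of steps 01 to 09, as an added Python (boto3) example that is not part of the Conformity rule or of any AWS tool: it creates both roles with the page's trust policy, puts their inline policies, creates both groups and attaches the AssumeRole group policies in the order above, tolerates being re-run, and adds one thing the page's policies lack, an explicit Deny that stops either role from altering the two roles or the two groups (the self-escalation path noted under Security). The RecordingIamClient class is a constructed stand-in for the boto3 client so the script can be dry-run offline; the account ID 123456789012 and the input file names iam-master-policy.json / iam-manager-policy.json are assumed from step 01, and a missing file is replaced by an empty constructed document so the dry run still shows the sequencing.

```python
"""Provision the IAM Master / IAM Manager pair with boto3 (added example)."""
import json
import sys

ACCOUNT_ID = "123456789012"  # assumed account id; replace with your own
ROLES = (("IAM-Master-Role", "IAM-Masters"), ("IAM-Manager-Role", "IAM-Managers"))
# Actions that would let a holder widen its own grant or change who holds the roles.
SELF_ADMIN = [
    "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy",
    "iam:UpdateAssumeRolePolicy", "iam:DeleteRole", "iam:AttachGroupPolicy",
    "iam:DetachGroupPolicy", "iam:PutGroupPolicy", "iam:DeleteGroupPolicy",
    "iam:AddUserToGroup", "iam:RemoveUserFromGroup", "iam:DeleteGroup"]


def trust_policy(account_id):
    """As on the page: the account root is trusted, so any principal in the
    account may call AssumeRole; the group policies decide who actually can."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}}]}


def group_assume_policy(role_arn):
    """Inline permissions policy for the group whose members assume role_arn."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def guard_policy(policy, protected_arns):
    """Copy an inline policy and append an explicit Deny of SELF_ADMIN on the two
    roles and two groups. An explicit Deny beats the Allow on Resource "*", so a
    Master cannot rewrite its own policy and a Manager cannot join IAM-Masters."""
    guarded = json.loads(json.dumps(policy))  # deep copy; caller's dict is untouched
    guarded["Statement"].append(
        {"Effect": "Deny", "Action": SELF_ADMIN, "Resource": sorted(protected_arns)})
    return guarded


def provision_pair(iam, account_id, master_policy, manager_policy):
    """Steps 03-09 of the page, in order. `iam` is a boto3 IAM client or any object
    with the same create_role/put_role_policy/create_group/put_group_policy methods.
    Returns {name: arn} for both roles and both groups."""
    arns = {name: f"arn:aws:iam::{account_id}:{kind}/{name}"
            for role, group in ROLES for kind, name in (("role", role), ("group", group))}
    policies = {"IAM-Master-Role": master_policy, "IAM-Manager-Role": manager_policy}
    for role, group in ROLES:
        try:
            iam.create_role(RoleName=role,
                            AssumeRolePolicyDocument=json.dumps(trust_policy(account_id)))
        except iam.exceptions.EntityAlreadyExistsException:
            pass  # re-run: keep the existing role, refresh its inline policy below
        iam.put_role_policy(RoleName=role, PolicyName=f"{role}-Policy",
                            PolicyDocument=json.dumps(guard_policy(policies[role], arns.values())))
        try:
            iam.create_group(GroupName=group)
        except iam.exceptions.EntityAlreadyExistsException:
            pass
        iam.put_group_policy(GroupName=group, PolicyName=f"{group}-Group-Policy",
                             PolicyDocument=json.dumps(group_assume_policy(arns[role])))
    return arns


class RecordingIamClient:
    """Constructed stand-in for boto3's IAM client: records every call, raises
    EntityAlreadyExists for names listed in `existing`, never contacts AWS."""
    class exceptions:
        class EntityAlreadyExistsException(Exception):
            pass

    def __init__(self, existing=()):
        self.existing, self.calls = set(existing), []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            name = kwargs.get("RoleName") or kwargs.get("GroupName")
            if method.startswith("create_") and name in self.existing:
                raise self.exceptions.EntityAlreadyExistsException(name)
            return {}
        return call


def load_policy(path):
    """Read a policy file from step 01; fall back to an empty constructed document
    so a dry run still shows the call sequence when the files are absent."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {"Version": "2012-10-17", "Statement": []}


if __name__ == "__main__":
    if "--dry-run" in sys.argv:
        client = RecordingIamClient()
    else:
        import boto3  # assumed installed and configured with IAM-administrator credentials
        client = boto3.client("iam")
    result = provision_pair(client, ACCOUNT_ID,
                            load_policy("iam-master-policy.json"),
                            load_policy("iam-manager-policy.json"))
    print(json.dumps(result, indent=2))
```

Run with `--dry-run` first and inspect `client.calls` (or the printed ARNs) to confirm the sequence; the Deny added by `guard_policy` is the only departure from the page's policy documents, and it is what turns the two-person split from a convention into something neither role can undo on its own.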

Publication date May 7, 2017