Ensure that your Amazon IAM policies (inline and customer managed) do not use "Effect": "Allow" in combination with the "NotAction" element, in order to follow IAM security best practices and adhere to the Principle of Least Privilege (POLP). "NotAction" is an advanced policy element that explicitly matches everything except the specified list of actions. Using "NotAction" with "Effect": "Allow" can result in a shorter policy by listing only the few actions that should not match (e.g. "Statement": [{"Effect": "Allow", "NotAction": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*"}]), but inappropriate use of this combination can make the policy far too permissive, eventually leading to unauthorized access.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
From a security perspective, allowing everything with a few exceptions does not follow security best practices, and in the case of IAM policies it does not comply with the Principle of Least Privilege (i.e. granting only the minimal set of actions required to successfully perform the desired tasks).
Audit
Case A: To determine if your customer-managed IAM policies utilize "Effect": "Allow" in combination with "NotAction", perform the following actions:
Case B: To determine if your inline IAM policies utilize "Effect": "Allow" in combination with "NotAction", perform the following actions:
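The check described in Case A and Case B can be applied offline to the policy documents returned by the "Document" field of commands such as get-policy-version, get-user-policy, get-role-policy and get-group-policy. The following Python function is an added example and is not part of the Conformity rule's own steps; the two policy documents it inspects are constructed for illustration, and the first one reproduces the non-compliant statement quoted above.

```python
import json
from typing import Any, Union


def _as_list(value: Any) -> list:
    """IAM lets most elements be either a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_allow_notaction(policy_document: Union[str, dict]) -> list:
    """Return every statement that pairs "Effect": "Allow" with "NotAction".

    Such a statement allows every action except the ones listed, which is the
    over-permissive pattern this rule flags. "Effect": "Deny" with "NotAction"
    is the opposite (deny everything except ...) and is not reported.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    findings = []
    # "Statement" may itself be a single object rather than a list.
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            findings.append({
                "Sid": stmt.get("Sid", "<no Sid>"),
                "NotAction": _as_list(stmt["NotAction"]),
                "Resource": _as_list(stmt.get("Resource", stmt.get("NotResource"))),
            })
    return findings


def audit_policies(policies: dict) -> list:
    """Given {policy name: document}, return the names of non-compliant policies."""
    return sorted(name for name, doc in policies.items() if find_allow_notaction(doc))


# Constructed sample documents (not real account data).
NON_COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*"}],
}
COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        # Deny + NotAction restricts rather than widens access, so it is acceptable here.
        {"Sid": "DenyOutsideRegion", "Effect": "Deny", "NotAction": "s3:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(audit_policies({"too-broad": NON_COMPLIANT_POLICY, "read-only": COMPLIANT_POLICY}))
```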
Remediation / Resolution
Case A: To redefine (update) your customer-managed IAM policies so that they no longer combine "Effect": "Allow" with "NotAction", in order to follow IAM security best practices, perform the following actions:
Case B: To redefine your inline IAM policies so that they no longer combine "Effect": "Allow" with "NotAction", in order to follow Amazon IAM security best practices, perform the following actions:
References
- AWS Documentation
- AWS IAM FAQs
- IAM Best Practices
- IAM JSON Policy Reference
- IAM JSON Policy Evaluation Logic
- IAM JSON Policy Elements: NotAction
- AWS Command Line Interface (CLI) Documentation
- iam
- list-policies
- get-policy-version
- get-user-policy
- get-role-policy
- get-group-policy
- create-policy-version
- put-user-policy
- put-role-policy
- put-group-policy