
IAM Policies with Effect Allow and NotAction

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-061

Ensure that your Amazon IAM policies (inline and customer managed) do not use "Effect": "Allow" in combination with the "NotAction" element, in order to follow IAM security best practices and adhere to the Principle of Least Privilege (POLP). "NotAction" is an advanced policy element that explicitly matches everything except the specified list of actions. Using "NotAction" with "Effect": "Allow" can produce a shorter policy by listing only the few actions that should not match (e.g. "Statement": [{"Effect": "Allow", "NotAction": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*"}]), but inappropriate use of this combination can make the policy far too permissive, which can eventually lead to unauthorized access.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

From the security perspective, allowing everything with a few exceptions does not follow security best practices and, in the case of IAM policies, does not comply with the Principle of Least Privilege (i.e. granting only the minimal set of actions required to perform the desired tasks successfully).


Audit

Case A: To determine if your customer-managed IAM policies utilize "Effect": "Allow" in combination with "NotAction", perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Select Customer managed from the Filter policies dropdown menu to list only the customer-managed policies available in your AWS account.

05 Click on the name of the Amazon IAM policy that you want to examine.

06 Select the Permissions tab and choose {} JSON to access the selected policy document in JSON format.

07 Inside the policy document box, search for the policy statement with the following combination of elements: "Effect": "Allow" with "NotAction". If the verified policy uses "Effect": "Allow" in combination with "NotAction", the selected customer-managed policy doesn't follow the Amazon IAM security best practices, therefore the policy should be redefined (recommended).

08 Repeat steps no. 5 – 7 for each customer-managed IAM policy that you want to examine, available within your AWS account.

Using AWS CLI

01 Run list-policies command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each customer-managed IAM policy available in your AWS account:

aws iam list-policies \
  --scope Local --query 'Policies[*].Arn'

02 The command output should return the requested ARNs:

[
	"arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy",
	"arn:aws:iam::123456789012:policy/code-deploy-policy",
	"arn:aws:iam::123456789012:policy/user-credentials-policy"
]

03 Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to examine as the identifier parameter, to describe the policy document in JSON format:

aws iam get-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy \
  --version-id v1 \
  --query 'PolicyVersion.Document'

04 The command output should return the requested IAM policy document:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "123456789012",
			"Effect": "Allow",
			"NotAction": "s3:DeleteBucket",
			"Resource": "arn:aws:s3:::*"
		}
	]
}

Search for the following combination of elements: "Effect": "Allow" with "NotAction". If the verified policy utilizes "Effect": "Allow" in combination with "NotAction", the selected customer-managed policy doesn't follow the Amazon IAM security best practices, therefore the policy should be redefined.

05 Repeat steps no. 3 and 4 for each customer-managed IAM policy that you want to examine, available in your AWS account.

Audit

Case B: To determine if your inline IAM policies utilize "Effect": "Allow" in combination with "NotAction", perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users, Roles, or User groups.

04 Click on the name of the Amazon IAM identity that you want to examine.

05 Select the Permissions tab and choose the inline policy that you want to check. An inline policy type is set to Customer inline or Inline policy.

06 In the Permissions policies section, click on the Expand button (right arrow icon) available next to each inline policy, and choose {} JSON to show the policy document in JSON format.

07 Within the {} JSON policy document box, search for policy statements with the following combination of elements: "Effect": "Allow" with "NotAction". If the verified policy uses "Effect": "Allow" in combination with "NotAction", the selected inline policy does not follow Amazon IAM security best practices, therefore the policy should be redefined in order to implement the Principle of Least Privilege (POLP).

08 Repeat steps no. 4 – 7 for each inline IAM policy that you want to examine, available within your AWS account.

Using AWS CLI

01 Based on the type of the Amazon IAM identity that you want to examine, run one of the following commands:

  1. For Amazon IAM users:
    • Run get-user-policy command (OSX/Linux/UNIX) to describe the policy document defined for the inline policy associated with the selected IAM user:
      aws iam get-user-policy \
        --user-name S3Manager \
        --policy-name cc-s3-manager-policy \
        --query 'PolicyDocument'
      
    • The command output should return the requested policy document:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Sid": "123456789012",
      			"Effect": "Allow",
      			"NotAction": "s3:DeleteBucket",
      			"Resource": "arn:aws:s3:::*"
      		}
      	]
      }
      
  2. For Amazon IAM roles:
    • Run get-role-policy command (OSX/Linux/UNIX) to describe the specified inline policy document embedded in the selected IAM role:
      aws iam get-role-policy \
        --role-name S3MgmntRole \
        --policy-name cc-s3-manager-policy \
        --query 'PolicyDocument'
      
    • The command output should return the requested IAM policy document:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Sid": "123456789012",
      			"Effect": "Allow",
      			"NotAction": "s3:DeleteBucket",
      			"Resource": "arn:aws:s3:::*"
      		}
      	]
      }
      
  3. For Amazon IAM groups:
    • Run get-group-policy command (OSX/Linux/UNIX) to describe the policy document defined for the inline policy associated with the selected IAM group:
      aws iam get-group-policy \
        --group-name S3Managers \
        --policy-name cc-s3-manager-policy \
        --query 'PolicyDocument'
      
    • The command output should return the requested IAM policy document:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Sid": "123456789012",
      			"Effect": "Allow",
      			"NotAction": "s3:DeleteBucket",
      			"Resource": "arn:aws:s3:::*"
      		}
      	]
      }
      

Search for the following combination of elements: "Effect": "Allow" with "NotAction" within the policy document returned by the get-user-policy/get-role-policy/get-group-policy command output. If the verified policy utilizes "Effect": "Allow" in combination with "NotAction", the selected inline policy does not follow Amazon IAM security best practices, therefore the policy should be redefined in order to implement the Principle of Least Privilege.

02 Repeat step no. 1 for each inline IAM policy that you want to examine, available in your AWS account.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"IAMGroup": {
			"Type": "AWS::IAM::Group",
			"Properties": {
				"GroupName": "cc-customer-group"
			}
		},
		"IAMGroupPolicy": {
			"Type": "AWS::IAM::Policy",
			"Properties": {
				"PolicyName": "bucket-access-policy",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"NotAction": "s3:DeleteBucket",
							"Resource": "arn:aws:s3:::customer-bucket/*"
						},
						{
							"Effect": "Deny",
							"Action": "s3:DeleteBucket",
							"Resource": "arn:aws:s3:::customer-bucket/*"
						},
						{
							"Effect": "Allow",
							"Action": "s3:*",
							"Resource": "arn:aws:s3:::customer-bucket/*"
						}
					]
				},
				"Groups": [
					{
						"Ref": "IAMGroup"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  IAMGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cc-customer-group
  IAMGroupPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: bucket-access-policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            NotAction: s3:DeleteBucket
            Resource: arn:aws:s3:::customer-bucket/*
          - Effect: Deny
            Action: s3:DeleteBucket
            Resource: arn:aws:s3:::customer-bucket/*
          - Effect: Allow
            Action: s3:*
            Resource: arn:aws:s3:::customer-bucket/*
      Groups:
        - !Ref IAMGroup

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_group" "iam-group" {
	name = "cc-customer-group"
}

resource "aws_iam_policy" "iam-policy" {
	name   = "bucket-access-policy"
	policy = <<-EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Effect": "Allow",
				"NotAction": "s3:DeleteBucket",
				"Resource": "arn:aws:s3:::customer-bucket/*"
			},
			{
				"Effect": "Deny",
				"Action": "s3:DeleteBucket",
				"Resource": "arn:aws:s3:::customer-bucket/*"
			},
			{
				"Effect": "Allow",
				"Action": "s3:*",
				"Resource": "arn:aws:s3:::customer-bucket/*"
			}
		]
	}
	EOF
}

resource "aws_iam_policy_attachment" "iam-group-attach" {
	name       = "iam-group-attachment"
	groups     = [aws_iam_group.iam-group.name]
	policy_arn = aws_iam_policy.iam-policy.arn
}
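The check that the Audit steps describe (Case A for customer-managed policies, Case B for inline policies) and the same check applied to the CloudFormation template above, carried out offline in Python. This is an added example, not Conformity's or AWS's code. It takes policy documents in the shape printed by get-policy-version --query 'PolicyVersion.Document' and by get-user-policy/get-role-policy/get-group-policy --query 'PolicyDocument', walks a CloudFormation template's Resources, and adds a deliberately simplified action matcher (Resource and Condition are ignored) to show which actions an Allow/NotAction clause covers. The sample documents are copied from this page; the function names and the trimmed template dict are this example's own.

```python
"""Offline checker for the "Effect": "Allow" + "NotAction" combination.

Added example (not Conformity's or AWS's code). Works on IAM policy documents
as returned by the AWS CLI and on CloudFormation templates; needs no credentials.
"""
import fnmatch
import json


def _as_list(value):
    # IAM accepts Statement, Action, NotAction and Resource as one value or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_allow_not_action(policy_document):
    """Return every statement that pairs "Effect": "Allow" with "NotAction".

    IAM treats the Effect value as case-sensitive ("Allow"/"Deny"), so an exact
    comparison is enough; NotAction given as a string or a list is caught either way.
    """
    return [
        stmt for stmt in _as_list(policy_document.get("Statement"))
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt
    ]


def scan_cloudformation_template(template):
    """Logical IDs of resources whose policy documents contain the combination.

    Looks at Properties.PolicyDocument (AWS::IAM::Policy, AWS::IAM::ManagedPolicy)
    and at the inline Properties.Policies[].PolicyDocument list that
    AWS::IAM::Role, AWS::IAM::User and AWS::IAM::Group carry.
    """
    flagged = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
        docs += [p["PolicyDocument"] for p in props.get("Policies", []) if "PolicyDocument" in p]
        if any(find_allow_not_action(doc) for doc in docs):
            flagged.append(logical_id)
    return flagged


def _matches(action, patterns):
    # IAM action matching is case-insensitive and allows the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def policy_decision(policy_document, action):
    """Simplified IAM decision for one action: explicit Deny beats Allow, and no
    matching statement means implicit deny. Resource and Condition are ignored,
    so this answers only "which actions does the Action/NotAction clause cover".
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy_document.get("Statement")):
        if "NotAction" in stmt:
            covered = not _matches(action, _as_list(stmt["NotAction"]))
        else:
            covered = _matches(action, _as_list(stmt.get("Action")))
        if not covered:
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


# The non-compliant document from the Audit section (s3-media-mgmnt-policy).
NON_COMPLIANT_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "123456789012", "Effect": "Allow",
   "NotAction": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*"}]}
""")

# The redefined document from the Remediation section.
REMEDIATED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "123456789011", "Effect": "Deny",
   "Action": ["s3:DeleteBucket"], "Resource": "arn:aws:s3:::*"},
  {"Sid": "123456789012", "Effect": "Allow",
   "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}
""")

# Constructed sample: a trimmed copy of the CloudFormation template above.
CFN_TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "IAMGroup": {"Type": "AWS::IAM::Group",
                 "Properties": {"GroupName": "cc-customer-group"}},
    "IAMGroupPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "bucket-access-policy",
        "PolicyDocument": NON_COMPLIANT_POLICY,
        "Groups": [{"Ref": "IAMGroup"}]}}}}

if __name__ == "__main__":
    for name, doc in [("s3-media-mgmnt-policy", NON_COMPLIANT_POLICY),
                      ("redefined policy", REMEDIATED_POLICY)]:
        sids = [s.get("Sid") for s in find_allow_not_action(doc)]
        print(f"{name}: {'FLAGGED ' + str(sids) if sids else 'compliant'}")
    print("CloudFormation resources flagged:", scan_cloudformation_template(CFN_TEMPLATE))
    # The NotAction clause covers every action it does not list, across all services.
    for action in ["s3:DeleteBucket", "s3:PutBucketPolicy", "iam:CreateUser"]:
        print(f"{action}: original={policy_decision(NON_COMPLIANT_POLICY, action)}"
              f" redefined={policy_decision(REMEDIATED_POLICY, action)}")
```

Run it as a script for the report, or import it and pass the JSON that get-policy-version prints; use the DefaultVersionId reported by aws iam get-policy rather than assuming v1, since a policy that has been updated usually has a later default version. Because policy_decision ignores Resource, the iam:CreateUser result only shows that the NotAction clause is open-ended across every service; in the page's policy the arn:aws:s3:::* Resource element confines it to S3, and that is exactly the constraint that disappears if someone later widens the Resource to "*".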

Remediation / Resolution

Case A: To redefine (update) your customer-managed IAM policies and remove the following combination of elements: "Effect": "Allow" with "NotAction", in order to follow IAM security best practices, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Select Customer managed from the Filter policies dropdown menu to list only the customer-managed policies available in your AWS account.

05 Click on the name of the Amazon IAM policy that you want to redefine.

06 Select the Permissions tab and choose Edit policy to initiate the policy update process.

07 Select the JSON tab and modify the selected policy document by removing the "Effect": "Allow" and "NotAction" combination and configure the required permissions by following the Principle of Least Privilege (i.e. granting only the permissions required to perform the necessary tasks).

08 Choose Review policy to review the modified customer-managed policy before saving it.

09 Once your policy is reviewed, choose Save changes to apply the permission changes.

10 Repeat steps no. 5 – 9 to redefine other non-compliant customer-managed IAM policies, available within your AWS account.

Using AWS CLI

01 Redefine (update) the selected policy document by removing the "Effect": "Allow" and "NotAction" combination and configure the required permissions by implementing the Principle of Least Privilege (POLP). Save the modified policy document to a JSON file named cc-new-customer-managed-policy.json. The following policy document example represents the redefined version of the "s3-media-mgmnt-policy" IAM policy, verified in the Audit section:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "123456789011",
			"Effect": "Deny",
			"Action": [
				"s3:DeleteBucket"
			],
			"Resource": "arn:aws:s3:::*"
		},
		{
			"Sid": "123456789012",
			"Effect": "Allow",
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::*"
		}
	]
}

02 Run create-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to redefine as the identifier parameter and the policy document modified at the previous step, to create a new policy version for the selected customer-managed policy. Use the --set-as-default parameter to set the new version as the policy's default version:

aws iam create-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy \
  --policy-document file://cc-new-customer-managed-policy.json \
  --set-as-default

03 The command output should return the metadata available for the new policy version:

{
	"PolicyVersion": {
		"CreateDate": "2018-02-13T18:00:26.511Z",
		"VersionId": "v2",
		"IsDefaultVersion": true
	}
}

04 Repeat steps no. 1 – 3 to redefine other non-compliant customer-managed IAM policies, available in your AWS account.

Case B: To redefine your inline IAM policies and remove the following combination of elements: "Effect": "Allow" with "NotAction", in order to follow Amazon IAM security best practices, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users, Roles, or User groups.

04 Click on the name of the Amazon IAM identity that you want to reconfigure.

05 Select the Permissions tab and choose the inline policy that you want to update. An inline policy type is set to Customer inline or Inline policy.

06 Click on the Expand button (right arrow icon) available next to the selected inline policy, and choose Edit policy to initiate the update process.

07 Select the JSON tab and modify the selected policy document by removing the "Effect": "Allow" and "NotAction" combination, and configure the required permissions by following the Principle of Least Privilege (i.e. providing only the permissions required to perform the necessary tasks).

08 Choose Review policy to review the modified inline policy.

09 Once your IAM policy is reviewed, choose Save changes to apply the permission changes.

10 Repeat steps no. 5 – 9 to redefine other non-compliant inline policies associated with the selected IAM resource.

11 Repeat steps no. 4 – 10 for each Amazon IAM identity that you want to reconfigure, available within your AWS account.

Using AWS CLI

01 Redefine (update) the selected inline policy document by removing the "Effect": "Allow" and "NotAction" combination and configure the required permissions by implementing the Principle of Least Privilege (POLP). Save the modified policy document to a JSON file named cc-new-inline-policy.json. The following policy document example represents the redefined version of the "s3-media-mgmnt-policy" inline policy, verified in the Audit section:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "123456789011",
			"Effect": "Deny",
			"Action": [
				"s3:DeleteBucket"
			],
			"Resource": "arn:aws:s3:::*"
		},
		{
			"Sid": "123456789012",
			"Effect": "Allow",
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::*"
		}
	]
}

02 Based on the type of the Amazon IAM resource that you want to reconfigure, perform one of the following commands:

  1. For Amazon IAM users:
    - Run put-user-policy command (OSX/Linux/UNIX) to update the inline policy associated with the selected Amazon IAM user (the command does not produce an output):
    aws iam put-user-policy \
      --user-name S3Manager \
      --policy-name cc-s3-manager-policy \
      --policy-document file://cc-new-inline-policy.json
    
  2. For Amazon IAM roles:
    - Run put-role-policy command (OSX/Linux/UNIX) to update the inline policy associated with the selected IAM role (if successful, the command does not produce an output):
    aws iam put-role-policy \
      --role-name S3MgmntRole \
      --policy-name cc-s3-manager-policy \
      --policy-document file://cc-new-inline-policy.json
    
  3. For Amazon IAM groups:
    - Run put-group-policy command (OSX/Linux/UNIX) to update the inline policy associated with the selected Amazon IAM group (the command does not produce an output):
    aws iam put-group-policy \
      --group-name S3Managers \
      --policy-name cc-s3-manager-policy \
      --policy-document file://cc-new-inline-policy.json
    

03 Repeat steps no. 1 and 2 to redefine other non-compliant inline policies associated with the selected IAM resources.

04 Repeat steps no. 1 – 3 for other Amazon IAM identities that you want to reconfigure, available in your AWS account.

Publication date Feb 13, 2018