IAM Policies with Effect Allow and NotAction

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Select Customer managed from the Filter policies dropdown menu to list only the customer-managed policies available in your AWS account.

05 Click on the name of the Amazon IAM policy that you want to examine.

06 Select the Permissions tab and choose {} JSON to access the selected policy document in JSON format.

07 Inside the policy document box, search for the policy statement with the following combination of elements: "Effect": "Allow" with "NotAction". If the verified policy uses "Effect": "Allow" in combination with "NotAction", the selected customer-managed policy doesn't follow the Amazon IAM security best practices, therefore the policy should be redefined (recommended).

08 Repeat steps no. 5 – 7 for each customer-managed IAM policy that you want to examine, available within your AWS account.

01 Run list-policies command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each customer-managed IAM policy available in your AWS account:

aws iam list-policies
  --scope Local --query 'Policies[*].Arn'

02 The command output should return the requested ARNs:

[
	"arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy",
	"arn:aws:iam::123456789012:policy/code-deploy-policy",
	"arn:aws:iam::123456789012:policy/user-credentials-policy"
]

03 Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to examine as the identifier parameter, to describe the policy document in JSON format:

aws iam get-policy-version
  --policy-arn arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy
  --version-id v1
  --query 'PolicyVersion.Document'

04 The command output should return the requested IAM policy document:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "123456789012",
			"Effect": "Allow",
			"NotAction": "s3:DeleteBucket",
			"Resource": "arn:aws:s3:::*"
		}
	]
}

05 Repeat steps no. 3 and 4 for each customer-managed IAM policy that you want to examine, available in your AWS account.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users, Roles, or User groups.

04 Click on the name of the Amazon IAM identity that you want to examine.

05 Select the Permissions tab and choose the inline policy that you want to check. An inline policy type is set to Customer inlineor Inline policy.

06 In the Permissions policies section, click on the Expand button (right arrow icon) available next to each inline policy, and choose {} JSON to show the policy document in JSON format.

07 Within the {} JSON policy document box, search for policy statements with the following combination of elements:"Effect": "Allow" with "NotAction". If the verified policy uses "Effect": "Allow" in combination with "NotAction", the selected inline policy does not follow Amazon IAM security best practices, therefore the policy should be redefined in order to implement the Principle of Least Privilege (POLP).

08 Repeat steps no. 4 – 7 for each inline IAM policy that you want to examine, available within your AWS account.

01

1. For Amazon IAM users:
   • Run get-user-policy command (OSX/Linux/UNIX) to describe the policy document defined for the inline policy associated with the selected IAM user:
     aws iam get-user-policy
       --user-name S3Manager
       --policy-name cc-s3-manager-policy
       --query 'PolicyDocument'
     

   • The command output should return the requested policy document:
     {
     	"Version": "2012-10-17",
     	"Statement": [
     		{
     			"Sid": "123456789012",
     			"Effect": "Allow",
     			"NotAction": "s3:DeleteBucket",
     			"Resource": "arn:aws:s3:::*"
     		}
     	]
     }
     

2. For Amazon IAM roles:
   • Run get-role-policy command (OSX/Linux/UNIX) to describe the specified inline policy document embedded in the selected IAM role:
     aws iam get-role-policy
       --role-name S3MgmntRole
       --policy-name cc-s3-manager-policy
       --query 'PolicyDocument'
     

   • The command output should return the requested IAM policy document:
     {
     	"Version": "2012-10-17",
     	"Statement": [
     		{
     			"Sid": "123456789012",
     			"Effect": "Allow",
     			"NotAction": "s3:DeleteBucket",
     			"Resource": "arn:aws:s3:::*"
     		}
     	]
     }
     

3. For Amazon IAM groups:
   • Run get-group-policy command (OSX/Linux/UNIX) to describe the policy document defined for the inline policy associated with the selected IAM group:
     aws iam get-group-policy
       --group-name S3Managers
       --policy-name cc-s3-manager-policy
       --query 'PolicyDocument'
     

   • The command output should return the requested IAM policy document:
     {
     	"Version": "2012-10-17",
     	"Statement": [
     		{
     			"Sid": "123456789012",
     			"Effect": "Allow",
     			"NotAction": "s3:DeleteBucket",
     			"Resource": "arn:aws:s3:::*"
     		}
     	]
     }
     

02 Repeat step no. 1 for each inline IAM policy that you want to examine, available in your AWS account.

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"IAMGroup": {
			"Type": "AWS::IAM::Group",
			"Properties": {
				"GroupName": "cc-customer-group"
			}
		},
		"IAMGroupPolicy": {
			"Type": "AWS::IAM::Policy",
			"Properties": {
				"PolicyName": "bucket-access-policy",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"NotAction": "s3:DeleteBucket",
							"Resource": "arn:aws:s3:::customer-bucket/*"
						},
						{
							"Effect": "Deny",
							"Action": "s3:DeleteBucket",
							"Resource": "arn:aws:s3:::customer-bucket/*"
						},
						{
							"Effect": "Allow",
							"Action": "s3:*",
							"Resource": "arn:aws:s3:::customer-bucket/*"
						}
					]
				},
				"Groups": [
					{
						"Ref": "IAMGroup"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	IAMGroup:
		Type: AWS::IAM::Group
		Properties:
		GroupName: cc-customer-group
	IAMGroupPolicy:
		Type: AWS::IAM::Policy
		Properties:
		PolicyName: bucket-access-policy
		PolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Effect: Allow
				NotAction: s3:DeleteBucket
				Resource: arn:aws:s3:::customer-bucket/*
			- Effect: Deny
				Action: s3:DeleteBucket
				Resource: arn:aws:s3:::customer-bucket/*
			- Effect: Allow
				Action: s3:*
				Resource: arn:aws:s3:::customer-bucket/*
		Groups:
			- !Ref 'IAMGroup'

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_group" "iam-group" {
	name = "cc-customer-group"
}

resource "aws_iam_policy" "iam-policy" {
	name   = "bucket-access-policy"
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Effect": "Allow",
				"NotAction": "s3:DeleteBucket",
				"Resource": "arn:aws:s3:::customer-bucket/*"
			},
			{
				"Effect": "Deny",
				"Action": "s3:DeleteBucket",
				"Resource": "arn:aws:s3:::customer-bucket/*"
			},
			{
				"Effect": "Allow",
				"Action": "s3:*",
				"Resource": "arn:aws:s3:::customer-bucket/*"
			}
		]
	}
	EOF
}

resource "aws_iam_policy_attachment" "iam-group-attach" {
	name       = "iam-group-attachment"
	groups     = [aws_iam_group.iam-group.name]
	policy_arn = aws_iam_policy.iam-policy.arn
}

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Policies.

04 Select Customer managed from the Filter policies dropdown menu to list only the customer-managed policies available in your AWS account.

05 Click on the name of the Amazon IAM policy that you want to redefine.

06 Select the Permissions tab and choose Edit policy to initiate the policy update process.

07 Select the JSON tab and modify the selected policy document by removing the "Effect": "Allow" and "NotAction" combination and configure the required permissions by following the Principle of Least Privilege (i.e. granting only the permissions required to perform the necessary tasks).

08 Choose Review policy to review the modified customer-managed policy before saving it.

09 Once your policy is reviewed, choose Save changes to apply the permission changes.

10 Repeat steps no. 5 – 9 to redefine other non-compliant customer-managed IAM policies, available within your AWS account.

01 Redefine (update) the selected policy document by removing the "Effect": "Allow" and "NotAction" combination and configure the required permissions by implementing the Principle of Least Privilege (POLP). Save the modified policy document to a JSON file named cc-new-customer-managed-policy.json. The following policy document example represents the redefined version of the "s3-media-mgmnt-policy" IAM policy, verified in the Audit section:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "123456789011",
			"Effect": "Deny",
			"Action": [
				"s3:DeleteBucket"
			],
			"Resource": "arn:aws:s3:::*"
		},
		{
			"Sid": "123456789012",
			"Effect": "Allow",
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::*"
		}
	]
}

02 Run create-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to redefine as the identifier parameter and the policy document modified at the previous step, to create a new policy version for the selected customer-managed policy. Use the --set-as-default parameter to set the new version as the policy's default version:

aws iam create-policy-version
  --policy-arn arn:aws:iam::123456789012:policy/s3-media-mgmnt-policy
  --policy-document file://cc-new-customer-managed-policy.json
  --set-as-default

03 The command output should return the metadata available for the new policy version:

{
	"PolicyVersion": {
		"CreateDate": "2018-02-13T18:00:26.511Z",
		"VersionId": "v2",
		"IsDefaultVersion": true
	}
}

04 Repeat steps no. 1 – 3 to redefine other non-compliant customer-managed IAM policies, available in your AWS account.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users, Roles, or User groups.

04 Click on the name of the Amazon IAM identity that you want to reconfigure.

05 Select the Permissions tab and choose the inline policy that you want to update. An inline policy type is set to Customer inline or Inline policy.

06 Click on the Expand button (right arrow icon) available next to the selected inline policy, and choose Edit policy to initiate the update process.

07 Select the JSON tab and modify the selected policy document by removing the "Effect": "Allow" and "NotAction" combination, and configure the required permissions by following the Principle of Least Privilege (i.e. providing only the permissions required to perform the necessary tasks).

08 Choose Review policy to review the modified inline policy.

09 Once your IAM policy is reviewed, choose Save changes to apply the permission changes.

10 Repeat steps no. 5 – 9 to redefine other non-compliant inline policies associated with the selected IAM resource.

11 Repeat steps no. 4 – 10 for each Amazon IAM identity that you want to reconfigure, available within your AWS account.

01 Redefine (update) the selected inline policy document by removing the "Effect": "Allow" and "NotAction" combination and configure the required permissions by implementing the Principle of Least Privilege (POLP). Save the modified policy document to a JSON file named cc-new-inline-policy.json. The following policy document example represents the redefined version of the "s3-media-mgmnt-policy" inline policy, verified in the Audit section:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "123456789011",
			"Effect": "Deny",
			"Action": [
				"s3:DeleteBucket"
			],
			"Resource": "arn:aws:s3:::*"
		},
		{
			"Sid": "123456789012",
			"Effect": "Allow",
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::*"
		}
	]
}

02 Based on the type of the Amazon IAM resource that you want to reconfigure, perform one of the following commands:

1. For Amazon IAM users:
   - Run put-user-policy command (OSX/Linux/UNIX) to update the inline policy associated with the selected Amazon IAM user (the command does not produce an output):
   aws iam put-user-policy
     --user-name S3Manager
     --policy-name cc-s3-manager-policy
     --policy-document file://cc-new-inline-policy.json
   

2. For Amazon IAM roles:
   - Run put-role-policy command (OSX/Linux/UNIX) to update the inline policy associated with the selected IAM role (if successful, the command does not produce an output):
   aws iam put-role-policy
     --role-name S3MgmntRole
     --policy-name cc-s3-manager-policy
     --policy-document file://cc-new-inline-policy.json
   

3. For Amazon IAM groups:
   - Run put-group-policy command (OSX/Linux/UNIX) to update the inline policy associated with the selected Amazon IAM group (the command does not produce an output):
   aws iam put-group-policy
     --user-name S3Managers
     --policy-name cc-s3-manager-policy
     --policy-document file://cc-new-inline-policy.json
   

03 Repeat steps no. 1 and 2 to redefine other non-compliant inline policies associated with the selected IAM resources.

04 Repeat steps no. 1 – 3 for other Amazon IAM identities that you want to reconfigure, available in your AWS account.