Ensure that full access to edit IAM Policies is restricted

HIGH

Description

Limiting user access to edit AWS IAM policies will help maintain a strong security posture, reducing the risk of unauthorized access to a cloud account. By limiting access based on the principle of least privilege, a company can adhere to regulatory compliance requirements, prevent accidental exposure or destruction of data, and align with industry best practices.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the IAM console.
  2. In the Navigation pane, select Policies.
  3. In the list of policies, select the policy to edit.
  4. Select the Permissions tab, and then choose Edit policy.
  5. On the review page, review the changes and click Save.

In Terraform -

  1. In the aws_iam_policy resource, edit the policy field so that the allowed Action list (and the Principal, where present) names specific values rather than a wildcard.
  2. Update the Resource ARN list to use specific IDs rather than a wildcard.
    For more information on how to effectively write an IAM policy see the AWS and Terraform documentation.
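As an added example (not part of this rule's own checks or of the Terraform provider), the following Python check flags the condition the steps above remediate: an Allow statement whose Action wildcard covers IAM policy-editing actions combined with Resource "*". The list of policy-edit actions is an illustrative subset, and the two policy documents are constructed samples with a placeholder account id.

```python
"""Flag IAM policy statements that let a principal edit any IAM policy:
a wildcard Action (e.g. "*" or "iam:*") paired with a wildcard Resource."""
import fnmatch
import json

# Representative IAM actions that create, change or attach policies (illustrative subset).
POLICY_EDIT_ACTIONS = (
    "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
)

def _as_list(value):
    """Action/Resource may be a string or a list in IAM JSON; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def policy_edit_actions_allowed(stmt):
    """Return the policy-edit actions an Allow statement grants on Resource "*"."""
    if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
        return []
    if "NotAction" in stmt:  # Allow + NotAction grants every action not listed
        excluded = _as_list(stmt["NotAction"])
        return [a for a in POLICY_EDIT_ACTIONS if not _matches(a, excluded)]
    allowed = _as_list(stmt.get("Action"))
    return [a for a in POLICY_EDIT_ACTIONS if _matches(a, allowed)]

def find_violations(policy_json):
    """Map statement index -> offending actions for a policy document string."""
    doc = json.loads(policy_json)
    return {i: hits for i, stmt in enumerate(_as_list(doc.get("Statement")))
            if (hits := policy_edit_actions_allowed(stmt))}

# Constructed samples: the wildcard policy this rule flags, and a remediated one
# scoped to named actions on one explicit policy ARN (account id is a placeholder).
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetPolicy", "iam:CreatePolicyVersion"],
     "Resource": "arn:aws:iam::123456789012:policy/app-readonly"}]})

if __name__ == "__main__":
    print(find_violations(WEAK_POLICY))   # {0: [...]} with every POLICY_EDIT_ACTIONS entry
    print(find_violations(FIXED_POLICY))  # {}
```

The check deliberately treats only a literal "*" Resource as a wildcard; broaden `_as_list(stmt.get("Resource"))` handling if your environment also uses partial ARN wildcards.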

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/service_code_examples_iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy

Policy Details

Rule Reference ID: AC_AWS_0145
CSP: AWS
Remediation Available: Yes
Resource: aws_iam_policy
Resource Type: Policy

Frameworks