Ensure IAM policies that allow full administrative privileges are not created and attached inline to a role

HIGH

Description

Granting least privilege, that is, only the permissions required to perform a task, is standard security advice. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do, then craft policies that let them perform only those tasks instead of granting full administrative privileges.
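The check this rule describes, as an added example that is not the rule vendor's own code: a Python function that evaluates a role's inline policy documents and flags any Allow statement with a wildcard action on all resources. The two policy documents are constructed samples, not policies from a real account.

```python
import json

# Constructed sample (not a real account's policy): an inline policy that
# grants full administrative privileges, the pattern this rule flags.
FULL_ADMIN_INLINE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: a least-privilege replacement scoped to one bucket.
SCOPED_INLINE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
    }],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _all_actions(action):
    """'*' and '*:*' both match every IAM action."""
    return action.strip() in ("*", "*:*")


def grants_full_admin(policy_json):
    """True if any Allow statement permits every action on every resource.
    NotAction/NotResource statements are skipped: review those manually."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(_all_actions(a) for a in actions) and "*" in resources:
            return True
    return False


def check_role_inline_policies(inline_policies):
    """Given {policy_name: policy_json} for one role, return the names of the
    inline policies that grant full administrative privileges."""
    return [name for name, doc in inline_policies.items() if grants_full_admin(doc)]
```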

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the IAM Console.
  2. Under Access Management, select Roles.
  3. Choose the role you wish to edit.
  4. Under Permissions policies, expand the policy you wish to edit using the + symbol.
  5. Select Edit and configure the policy accordingly.
  6. Select Review policy, then Save.

In Terraform -

  1. In the aws_iam_role resource, update the assume_role_policy field accordingly.

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role

Policy Details

Rule Reference ID: AC_AWS_0146
CSP: AWS
Remediation Available: Yes
Resource: aws_iam_role
Resource Type: Policy

Frameworks