Ensure full administrative privileges are not created and attached to a role using AWS IAM Role Policy

HIGH

Description

IAM policies are the means by which privileges are granted to users, groups, or roles. Attaching a policy that grants full administrative privileges therefore lets the principal perform any administrative task in the account. If the credentials or session tokens of such a role get into the hands of an adversary, the whole AWS account is compromised.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the IAM Console.
  2. Under Access Management, select Roles.
  3. Choose the role you wish to edit.
  4. Under Permissions policies, expand the policy you wish to edit using the + symbol.
  5. Select Edit and configure the policy accordingly.
  6. Select Review policy, then Save.

In Terraform -

  1. In the aws_iam_role_policy resource, update the assume_role_policy field accordingly.
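As an added example (not part of this rule page or the Terraform provider), the following Python check parses the JSON policy document that an aws_iam_role_policy carries in its `policy` argument and reports statements that allow every action on every resource, which is the condition this rule flags. Both policy documents are constructed samples: the first violates the rule, the second is a compliant, scoped alternative.

```python
import json

# Constructed sample: an inline role policy granting full administrative
# privileges (the condition this rule reports).
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: the same role limited to the access it actually needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Both spellings match every IAM action.
WILDCARD_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def is_full_admin_statement(stmt):
    """True when one Allow statement covers every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    resources = set(_as_list(stmt.get("Resource")))
    return bool(actions & WILDCARD_ACTIONS) and "*" in resources


def find_full_admin_statements(policy_document):
    """Return the statements granting full admin access in a policy document.

    Accepts the JSON string stored in a Terraform `policy` argument or an
    already-parsed dict; "Statement" may be a single object or a list.
    """
    doc = (json.loads(policy_document) if isinstance(policy_document, str)
           else policy_document)
    return [s for s in _as_list(doc.get("Statement")) if is_full_admin_statement(s)]


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "FAIL" if find_full_admin_statements(doc) else "PASS")
```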

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy

Policy Details

Rule Reference ID: AC_AWS_0147
CSP: AWS
Remediation Available: Yes
Resource Type: Policy

Frameworks