Skip to main content
Version: 4.2.0

How to Find AWS IAM Policies with Full Administrative Privileges

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant only the permissions required.

Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

  1. Execute the following search command in Fix Inventory Shell:

    > search is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action="*" and Resource="*")} and policy_attachment_count>0
    ​kind=aws_iam_policy, ..., region=fixinventory-poweruser
    ​kind=aws_iam_policy, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action="*" and Resource="*")} and policy_attachment_count>0 | dump
    ​reported:
    ​ id: /aws/iam/123
    ​ name: some-name
    ​ ctime: '2022-12-05T22:53:14Z'
    ​ kind: aws_iam_policy
    ​ age: 2mo28d

    The command output will list the details of all non-compliant aws_iam_policy resources.

Remediation

  • Start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
  • List policies to analyze if permissions are the least possible to conduct business activities.
note

Please refer to the AWS IAM documentation for details.

Further Reading