AWS IAM Policy Does Not Grant Full Administrative Privileges

This policy validates that there are no IAM policies that grant full administrative privileges to IAM users or groups.

The principle of least privilege dictates that a user should have only the access needed to complete their task. Following it is considered best security practice because it limits the damage any one user can do, whether intentionally, unintentionally, or because their account was compromised. Splitting access out into separate groups/roles, and assigning users only to the groups/roles they have a reason to be part of, keeps this principle intact. A user, role, or group with full administrative access defeats it.

Remediation

To remediate this, remove the policy or policies granting full access from any users, groups, or roles they are attached to. It may be necessary to create new policies encapsulating a smaller subset of access and apply those to roles/groups as needed.
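The following is an added example, not code from the original page or from the product it documents. It re-implements the CIS AWS Benchmark 1.22 audit logic offline: a statement grants full "*:*" administrative privileges when it has "Effect": "Allow", "Action": "*" and "Resource": "*". The policy documents, policy names and the audit_policies helper are constructed for illustration; a real audit would feed it the documents returned by the IAM API instead.

```python
"""Detect IAM policies that grant full "*:*" administrative privileges.

Added example (not part of the original page). It mirrors the CIS AWS
Benchmark 1.22 check over constructed policy documents, so it runs offline
with no AWS credentials. In practice the documents would come from the IAM
API (e.g. GetAccountAuthorizationDetails); that step is omitted here.
"""
import json
from typing import Any, Iterable


def _as_list(value: Any) -> list:
    """IAM allows Action/Resource to be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(statement: dict) -> bool:
    """True if one statement matches the CIS 1.22 pattern:
    Effect Allow, Action "*", Resource "*".

    Deny statements never count. Note the caveat: a service-wide wildcard such
    as "s3:*" is still broad, but it is NOT what this control flags.
    """
    if str(statement.get("Effect", "")).lower() != "allow":
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return "*" in actions and "*" in resources


def find_full_admin_statements(policy_document: Any) -> list:
    """Return every statement in a policy document that grants full admin.

    Accepts a parsed dict or the raw JSON string as stored by IAM.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = _as_list(policy_document.get("Statement"))
    return [s for s in statements if isinstance(s, dict) and grants_full_admin(s)]


def audit_policies(policies: Iterable) -> list:
    """Given (policy_name, policy_document) pairs, return the names that violate
    the control. These names are what the remediation step would detach."""
    return [name for name, doc in policies if find_full_admin_statements(doc)]


# --- Constructed sample documents (not real account data) -------------------

# The weak setting: full administrative privileges.
FULL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Same intent, written with lists; still full admin and still detected.
FULL_ADMIN_LIST_FORM = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "allow", "Action": ["s3:GetObject", "*"], "Resource": ["*"]},
}

# A scoped replacement of the kind the remediation text recommends:
# one service, one bucket, read-only.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}

# Explicit deny of everything: broad, but not an Allow, so not flagged.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

SAMPLE_POLICIES = [
    ("FullAdminAccess", FULL_ADMIN_POLICY),
    ("FullAdminListForm", json.dumps(FULL_ADMIN_LIST_FORM)),
    ("ExampleBucketReadOnly", SCOPED_POLICY),
    ("DenyEverything", DENY_ALL_POLICY),
]

if __name__ == "__main__":
    for name in audit_policies(SAMPLE_POLICIES):
        print(f"VIOLATION: policy {name} grants full *:* administrative privileges")
```

Running the module prints the two full-admin policy names; the scoped read-only policy and the deny-all policy pass. Keeping the detection in a function that returns the offending statements (rather than only printing) makes the same logic reusable as a pre-deployment check in a pipeline that lints policy documents before they are created.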

References

  • CIS AWS Benchmark 1.22 "Ensure IAM policies that allow full "*:*" administrative privileges are not created"
