IAM policies should not have full “*:*” administrative privileges

Description

IAM policies should start with a minimum set of permissions and include more as needed rather than starting with full administrative privileges. Providing full administrative privileges when unnecessary exposes resources to potentially unwanted actions.

Console Remediation Steps

  • Navigate to Identity and Access Management.

  • In the left navigation, select Policies.

  • Select the Policy and edit the document to define only the necessary permissions to ensure least privilege.

  • Repeat for each policy that contains a statement with Effect set to Allow, Action set to * and Resource set to *.

CLI Remediation Steps

  • List all IAM users, groups, and roles that the specified managed policy is attached to:

    • aws iam list-entities-for-policy --policy-arn <policy_arn>

  • Detach the policy from all IAM Users:

    • aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>

  • Detach the policy from all IAM Groups:

    • aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

  • Detach the policy from all IAM Roles:

    • aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
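The following added example (not part of the original page or of any AWS tooling) shows the check behind this control and the CLI steps above in code: it flags policy statements with Effect Allow, Action * (or *:*) and Resource * in a policy document, handling both the single-statement and list forms IAM accepts, and turns a list-entities-for-policy result into the detach commands. The policy documents, entity listing and policy ARN are constructed sample values.

```python
import json

# Action values that grant every action; the page's title writes the pattern as "*:*".
ADMIN_ACTIONS = {"*", "*:*"}

# Constructed sample policy documents (not from the page): one full-admin, one scoped.
ADMIN_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}')
SCOPED_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": ['
    '{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},'
    '{"Effect": "Deny", "Action": "*", "Resource": "*"}]}')
# Constructed stand-in for the JSON that `aws iam list-entities-for-policy` returns.
ENTITIES = {"PolicyUsers": [{"UserName": "alice"}],
            "PolicyGroups": [{"GroupName": "admins"}],
            "PolicyRoles": [{"RoleName": "ci-deploy"}]}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_admin_statements(policy_doc):
    """Return the statements with Effect Allow, Action * (or *:*) and Resource *."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny on * / * is the opposite of this finding
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if actions & ADMIN_ACTIONS and "*" in resources:
            findings.append(stmt)
    return findings


def detach_commands(policy_arn, entities):
    """Build the detach commands from the CLI steps for every entity the policy is attached to."""
    cmds = []
    for u in entities.get("PolicyUsers", []):
        cmds.append(f"aws iam detach-user-policy --user-name {u['UserName']} --policy-arn {policy_arn}")
    for g in entities.get("PolicyGroups", []):
        cmds.append(f"aws iam detach-group-policy --group-name {g['GroupName']} --policy-arn {policy_arn}")
    for r in entities.get("PolicyRoles", []):
        cmds.append(f"aws iam detach-role-policy --role-name {r['RoleName']} --policy-arn {policy_arn}")
    return cmds
```

Review the emitted commands before running them; detaching an administrative policy from a role used by automation will break that automation until a scoped policy is attached.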