IAM policies should not have full “*:*” administrative privileges

Description

IAM policies should start with the minimum set of permissions the principal needs and grow as requirements appear, rather than starting from full administrative privileges. A policy whose statement allows Action "*" on Resource "*" gives every user, group, or role it is attached to, and anyone who obtains that principal's credentials, full control of the account, far beyond what the workload actually requires.

Remediation Steps

AWS Console

  • Navigate to Identity and Access Management.

  • In the left navigation, select Policies.

  • Select the policy and edit its document so that it grants only the permissions the attached principals actually need. AWS managed policies such as AdministratorAccess cannot be edited; detach them from the entity and attach a scoped policy instead.

  • Repeat for every policy that contains a statement with Effect set to Allow, Action set to * and Resource set to *.

AWS CLI

  • List all IAM users, groups, and roles that the specified managed policy is attached to:

    • aws iam list-entities-for-policy --policy-arn <policy_arn>

  • For a customer managed policy, the least disruptive fix is to publish a least-privilege document as the new default version: every attached user, group, and role picks it up immediately and nothing has to be detached. A managed policy can hold at most five versions, so remove an old one with aws iam delete-policy-version --policy-arn <policy_arn> --version-id <version_id> if the limit is reached:

    • aws iam create-policy-version --policy-arn <policy_arn> --policy-document file://<least_privilege_policy.json> --set-as-default

  • AWS managed policies such as AdministratorAccess cannot be edited, so detach them instead. Detaching removes every permission the entity received through that policy, so confirm beforehand that the entity has another policy granting what it actually needs.

  • Detach the policy from all IAM Users:

    • aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>

  • Detach the policy from all IAM Groups:

    • aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>

  • Detach the policy from all IAM Roles:

    • aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>

  • Inline policies are not reported by list-entities-for-policy. List them per entity (aws iam list-role-policies --role-name <iam_role>, and the list-user-policies and list-group-policies equivalents), inspect each with aws iam get-role-policy --role-name <iam_role> --policy-name <policy_name>, and replace an offending document with aws iam put-role-policy --role-name <iam_role> --policy-name <policy_name> --policy-document file://<least_privilege_policy.json> (or the put-user-policy and put-group-policy equivalents).

CloudFormation

JSON

JSON Example Configuration
{
  "ValidRole01": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ec2.amazonaws.com"
              ]
            },
            "Action": [
              "sts:AssumeRole"
            ]
          }
        ]
      }
    }
  },
  "ValidPolicy01": {
    "Type": "AWS::IAM::Policy",
    "Properties": {
      "Roles": [
        { "Ref":  "ValidRole01" }
      ],
      "PolicyName": "valid_policy_01",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": [
            "ec2:StartInstances"
          ],
          "Resource": [
            "*"
          ]
        }
      }
    }
  }
}

YAML

YAML Example Configuration
ValidRole01:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Principal:
          Service: ['ec2.amazonaws.com']
        Action:
        - sts:AssumeRole
# AssumeRolePolicyDocument is the only required property; optional ones such as Policies or ManagedPolicyArns go here

ValidPolicy01:
  Type: AWS::IAM::Policy
  Properties:
    Roles:
    - !Ref ValidRole01
    PolicyName: valid_policy_01
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        Effect: Allow
        Action:
        - 'ec2:StartInstances'
        Resource:
        - '*'
# PolicyName and PolicyDocument are the only required properties; the Resource of "*" is acceptable here because Action is scoped to a single ec2 operation, not "*"

Terraform

Ensure that the policy document passed in the policy argument of aws_iam_policy resources, and of the inline aws_iam_group_policy, aws_iam_role_policy, and aws_iam_user_policy resources, contains no statement with Effect set to "Allow", Action set to "*" (or the equivalent "*:*"), and Resource set to "*". This applies whether the document is written as an inline JSON string, built with jsonencode(), or rendered from an aws_iam_policy_document data source.
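The console, CLI, and Terraform steps above all depend on recognising the same statement shape: Effect Allow, Action "*" (or "*:*"), Resource "*". The following added example, which is not part of the original page or of any AWS or Terraform tooling, implements that check so it can be run over a policy document fetched with aws iam get-policy-version (the PolicyVersion.Document field) or over the JSON string stored in a Terraform policy argument. It handles the shapes IAM accepts that naive checks miss: Statement, Action, and Resource may each be a single value or a list, and a Deny statement with "*" on "*" is not a grant. Conditions are deliberately not evaluated, so a conditional Allow "*" on "*" is still reported for review. The sample policy documents are constructed for the example and are not from any real account.

```python
"""Flag IAM policy statements that grant full "*:*" administrative access.

A statement is a full-admin grant when Effect is Allow, Action contains "*"
(or the equivalent "*:*"), and Resource contains "*". IAM allows a scalar
wherever a list is accepted, so Statement, Action and Resource are each
normalised to a list before comparison.
"""
import json


def _as_list(value):
    """Normalise the scalar-or-list forms IAM accepts to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt):
    """Return True if this single statement allows every action on every resource.

    Any Condition element is ignored on purpose: a conditional *:* grant is
    still worth a human look, so it is reported rather than silently accepted.
    """
    if stmt.get("Effect") != "Allow":
        return False  # Deny statements never grant anything
    actions = {a.strip().lower() for a in _as_list(stmt.get("Action"))}
    resources = {r.strip() for r in _as_list(stmt.get("Resource"))}
    return bool(actions & {"*", "*:*"}) and "*" in resources


def full_admin_statements(policy_document):
    """Return the indexes of the full-admin statements in a policy document.

    Accepts the document as a dict (as returned by the AWS CLI / boto3) or as
    the JSON string found in a Terraform `policy` argument.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = _as_list(policy_document.get("Statement"))
    return [i for i, s in enumerate(statements) if is_full_admin_statement(s)]


def scan_policies(policies):
    """Map policy name -> offending statement indexes, omitting clean policies."""
    findings = {}
    for name, document in policies.items():
        hits = full_admin_statements(document)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample documents for the example; not taken from any real account.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_POLICY = {  # same shape as the CloudFormation example on this page
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["ec2:StartInstances"], "Resource": ["*"]},
}
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"},         # Deny: not a grant
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},  # broad, but not *:*
        {"Effect": "Allow", "Action": ["*:*"], "Resource": ["*"]}, # full admin: flagged
    ],
}
# String form, as it would appear in a Terraform `policy = <<EOF ... EOF` argument.
ADMIN_POLICY_JSON = json.dumps(ADMIN_POLICY)

SAMPLE_POLICIES = {
    "admin-like": ADMIN_POLICY,
    "scoped": SCOPED_POLICY,
    "mixed": MIXED_POLICY,
}

if __name__ == "__main__":
    for name, hits in scan_policies(SAMPLE_POLICIES).items():
        print(f"{name}: statement(s) {hits} grant full *:* administrative privileges")
```

To run it against a live account, fetch the default version of each customer managed policy with aws iam get-policy --policy-arn <policy_arn> (Policy.DefaultVersionId) followed by aws iam get-policy-version --policy-arn <policy_arn> --version-id <version_id>, and pass the PolicyVersion.Document object to full_admin_statements; inline policies come from the get-role-policy, get-user-policy and get-group-policy commands listed in the CLI section.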