IAM User Has Attached Policy With Admin Permissions

Overview

The IAM user has full administrative permissions. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.

IAM policies that have a statement with "Effect": "Allow" with "Action": "" over "Resource": "" should be removed.

Vendor

AWS

Cloud Service

IAM

CIS AWS v1.5.0 1.16, CIS3.AWS.1.16

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html, https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html, https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam

Severity

Item Types

AWS::IAM::User

Overview​

Vendor​

Cloud Service​

Related Controls​

References​

Severity​

Item Types​