This kata shows how to review AWS IAM administrators and verify they need it using the k9 Principal Access Summary.
Reviewing IAM administration capabilities is the first AWS access improvement step. This is because any IAM user or role who can administer the AWS Identity and Access Management (IAM) service can give themselves privileges to do anything in the account if they don’t already have it:
- create or destroy compute & data resources
- read, write, delete data
- run applications and scripts
Let’s see who can administer IAM and verify they need it.
Open the latest k9 resource access audit spreadsheet from the S3 bucket containing your reports.
Go to the Principals worksheet.
- Enable filtering for the worksheet columns
- Filter the Principal is IAM Admin column to
You should now have a list of principals that looks like:
These are the IAM users and roles who can:
- create or delete IAM users, roles, and groups
- create, modify, attach, detach IAM policies
There are endless permutations of attacks and accidents an IAM principal with administration capabilities can execute in your AWS. Reduce risk to your AWS account by reducing the set of IAM administrators to only what is necessary.
Ask these questions during your review:
Q. Should this principal have IAM administration capabilities?
Automated delivery processes, operations teams, and security teams usually need an IAM principal with IAM administration capabilities. This capability often varies by environment. For example, you may allow application development teams to administer IAM in a development environment, but not production.
Q. Is this principal still in use?
It’s common to find administrator-level principals that were created for a test or an incident and then forgotten. Check the Principal Last Used column for the principal on the Principals worksheet (we’ll do a full unused IAM principal review in Kata 2).
Q. When was the last time an IAM administrator actually administered IAM?
If the principal is still in use, you can check CloudTrail API audit logs to see if they have actually used any IAM administration API actions recently. The ‘k9 Access Capability Mapping’ worksheet lists the actions each IAM capability maps to. Search your logs and see if the principal has used each of the IAM API actions mapped to
You can also use AWS Access Analyzer to identify when services and API actions were last used. k9 will integrate that capability into the product soon. We’re happy to help you to accomplish this with what you have right now.
A quick fix to remove the IAM admin permissions is to set a permissions boundary policy on the IAM user or role. The high-level steps are to:
- Generate a ‘Deny IAM Admin’ permissions boundary policy document
- Create a
Deny-IAM-Admin-PBmanaged policy in your AWS account using the policy from the previous step
- Set the
Deny-IAM-Admin-PBmanaged policy as a permission boundary on the IAM role or user (details)
Once you have completed this kata, you should be able to:
- identify IAM users and roles IAM administration capabilities and nearly full control of your AWS account
- determine whether that IAM principal should have that level of access
- kick off the process to remove IAM administration excess privileges with strong evidence
Contact k9 Support ([email protected]) if you have questions, feedback, or would like assistance.