Kata 1: Review AWS IAM administrators

This kata shows how to review AWS IAM administrators and verify they need it using the k9 Principal Access Summary.

Reviewing IAM administration capabilities is the first AWS access improvement step. This is because any IAM user or role who can administer the AWS Identity and Access Management (IAM) service can give themselves privileges to do anything in the account if they don’t already have it:

  • create or destroy compute & data resources
  • read, write, delete data
  • run applications and scripts

Let’s see who can administer IAM and verify they need it.

Open the latest k9 resource access audit spreadsheet from the S3 bucket containing your reports.

Go to the Principals worksheet.

  1. Enable filtering for the worksheet columns
  2. Filter the Principal is IAM Admin column to TRUE

You should now have a list of principals that looks like:

Principals Filtered to IAM Administrators

These are the IAM users and roles who can:

  • create or delete IAM users, roles, and groups
  • create, modify, attach, detach IAM policies

There are endless permutations of attacks and accidents an IAM principal with administration capabilities can execute in your AWS. Reduce risk to your AWS account by reducing the set of IAM administrators to only what is necessary.

Review Questions

Ask these questions during your review:

Q. Should this principal have IAM administration capabilities?

Automated delivery processes, operations teams, and security teams usually need an IAM principal with IAM administration capabilities. This capability often varies by environment. For example, you may allow application development teams to administer IAM in a development environment, but not production.

Q. Is this principal still in use?

It’s common to find administrator-level principals that were created for a test or an incident and then forgotten. Check the Principal Last Used column for the principal on the Principals worksheet (we’ll do a full unused IAM principal review in Kata 2).

Q. When was the last time an IAM administrator actually administered IAM?

If the principal is still in use, you can check CloudTrail API audit logs to see if they have actually used any IAM administration API actions recently. The ‘k9 Access Capability Mapping’ worksheet lists the actions each IAM capability maps to. Search your logs and see if the principal has used each of the IAM API actions mapped to administer-resource.

You can also use AWS Access Analyzer to identify when services and API actions were last used. k9 will integrate that capability into the product soon. We’re happy to help you to accomplish this with what you have right now.

Quick Fix

A quick fix to remove the IAM admin permissions is to set a permissions boundary policy on the IAM user or role. The high-level steps are to deny the permissions with either an Identity or Permissions Boundary policy:

Deny with Identity Policy

Generate a ‘Deny IAM Admin’ Identity policy document

Option 1 – Attach Managed Policy

  1. Create a managed policy in your AWS account(s) with the contents of the generated policy, named e.g. Deny-IAM-Admin
  2. Attach the managed policy to the IAM role, user, or group (details)

Option 2 – Embed Inline Policy

  1. Navigate to the IAM role, user, or group to configure
  2. Select ‘Permissions’ → ‘Add Permissions’ → ‘Create Inline Policy’
  3. Create an inline policy with the contents of the generated policy, named e.g. DenyIAMAdminPrivs

Deny with Permissions Boundary Policy

  1. Generate a ‘Deny IAM Admin’ permissions boundary policy document
  2. Create a Deny-IAM-Admin-PB managed policy in your AWS account using the policy from the previous step
  3. Set the Deny-IAM-Admin-PB managed policy as a permission boundary on the IAM role or user (details)

Summary

Once you have completed this kata, you should be able to:

  • identify IAM users and roles IAM administration capabilities and nearly full control of your AWS account
  • determine whether that IAM principal should have that level of access
  • kick off the process to remove IAM administration excess privileges with strong evidence

Contact k9 Support ([email protected]) if you have questions, feedback, or would like assistance.