- Ensure excessive permissions are not granted for IAM roles
Excessive permissions are granted for IAM roles
Description
When creating and managing IAM policies in AWS, it is critical to adhere to the Principle of Least Privilege (POLP). This security best practice dictates that only the minimal set of permissions necessary for performing a given task should be granted. Implementing POLP requires that developers clearly define the actions needed by users and roles, and subsequently craft IAM policy documents that strictly permit only those specific actions.
To ensure that IAM entities are granted only the necessary privileges, Prowler performs the following steps:
- Aggregates data from AWS Access Advisor, including insights on the last accessed actions for services specified in the policy.
- Compares the permissions granted at the service level with the actual permissions utilized by each user, role, group, or policy over the past 90 days. This comparison helps identify and remove unused or unnecessary permissions.
For example, if a role is associated with a policy that includes permissions not being utilized by the role, Prowler will recommend revoking those redundant permissions, thereby reducing the attack surface.
When selecting an insight and reviewing an IAM entity, Prowler provides a color-coded, symbolized list of permissions, visually highlighting how the entity’s permissions would change if the recommended actions were applied. This allows users to quickly understand the impact of policy adjustments.
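As an added example (not Prowler's code or output), the service-level comparison described above over constructed data: the policy document and the Access Advisor-style last-accessed entries are constructed samples in the shape of IAM `ServicesLastAccessed` records, not live API results, and the 90-day window is the one the text describes.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample policy: what the role is allowed to do, at the service level.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["sqs:SendMessage", "kms:Decrypt"], "Resource": "*"}
  ]
}
""")

# Constructed sample shaped like Access Advisor's ServicesLastAccessed entries
# (ServiceNamespace + LastAuthenticated); a never-used service has no LastAuthenticated.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "dynamodb", "LastAuthenticated": NOW - timedelta(days=120)},
    {"ServiceNamespace": "sqs"},
    {"ServiceNamespace": "kms", "LastAuthenticated": NOW - timedelta(days=45)},
]

def granted_services(policy):
    """Service namespaces named in Allow statements ('*' marks a full-admin grant)."""
    services = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        for action in ([actions] if isinstance(actions, str) else actions):
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services

def unused_services(policy, last_accessed, now, window_days=90):
    """Granted services with no authenticated call inside the window: revocation candidates."""
    granted = granted_services(policy)
    cutoff = now - timedelta(days=window_days)
    unused = []
    for entry in last_accessed:
        ns = entry["ServiceNamespace"]
        if "*" not in granted and ns not in granted:
            continue  # not granted by this policy, nothing to revoke
        last = entry.get("LastAuthenticated")
        if last is None or last < cutoff:
            unused.append(ns)
    return sorted(unused)
```

Running `unused_services(POLICY, LAST_ACCESSED, NOW)` on the constructed data flags `dynamodb` (last used 120 days ago) and `sqs` (never used), while `s3` and `kms` stay because they were used inside the window.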
Fix - Runtime
AWS Console
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon IAM console.
- In the navigation pane, choose Roles.
- In the list of roles in your account, choose the name of the role that you want to modify.
- Choose the Trust relationships tab, and then choose Edit Trust Relationship.
- Edit the trust policy as needed. To add additional principals that can assume the role, specify them in the Principal element. For example, the following policy snippet shows how to reference two AWS accounts in the Principal element:
CLI Command
To detach a managed policy from a role, use the following command:
aws iam detach-role-policy
Fix - Buildtime
Terraform
- Resource: aws_iam_role
- Argument: assume_role_policy – (Required) The policy that grants an entity permission to assume the role.
resource "aws_iam_role" "test_role" {
  name               = "test_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
CloudFormation
- Resource: AWS::IAM::Role
- Argument: Policies – Adds or updates an inline policy document that is embedded in the specified IAM role.
Type: AWS::IAM::Role
Properties:
  AssumeRolePolicyDocument: Json
  Description: String
  ManagedPolicyArns:
    - String
  MaxSessionDuration: Integer
  Path: String
  PermissionsBoundary: String
  Policies:
    - Policy
  RoleName: String
  Tags:
    - Tag