Principals with Infrastructure modification capabilities
More Info:
Minimize or restrict principals which can modify infrastructure.
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Principals with Infrastructure modification capabilities” in AWS IAM using the AWS Management Console, follow these step-by-step instructions:
- Log in to the AWS Management Console (https://console.aws.amazon.com/).
- Navigate to the IAM service by searching for “IAM” in the AWS services search bar and selecting “IAM” from the results.
- In the IAM console, click on “Roles” in the left-hand menu.
- Review the list of roles and identify the roles that have infrastructure modification capabilities. These roles typically have policies attached that grant permissions to modify resources such as EC2 instances, S3 buckets, or VPC configurations.
- Click on the role that has the misconfiguration to view its details.
- In the “Permissions” tab, review the policies attached to the role. Look for policies that grant broad or excessive permissions related to infrastructure modification.
- Identify the specific actions or services that the role should not have access to modify and note them down for later reference.
- Click on the “Policy” name to view the policy document.
- In the policy document, locate the specific statements that grant the undesired infrastructure modification capabilities.
- Edit the policy document by removing or modifying the statements that grant the undesired permissions. Ensure that you only remove the necessary permissions to remediate the misconfiguration.
- After making the necessary changes, click on the “Review policy” button to validate the policy syntax and save the changes.
- Review the updated policy to ensure it aligns with the desired permissions and does not grant any unnecessary infrastructure modification capabilities.
- Repeat steps 5-12 for all roles that have the misconfiguration, ensuring that each role’s policy is appropriately modified.
- Once you have remediated all the roles, perform a thorough review to ensure that the roles now have the correct and desired permissions.
- Monitor the roles periodically to ensure that the misconfiguration does not reoccur and that any changes made align with the organization’s security and compliance requirements.
By following these steps, you can effectively remediate the misconfiguration “Principals with Infrastructure modification capabilities” in AWS IAM using the AWS Management Console.
To remediate the misconfiguration “Principals with Infrastructure modification capabilities” in AWS IAM using AWS CLI, follow these steps:
- Open the AWS CLI on your local machine.
- Run the following command to list all the IAM users in your AWS account:
  aws iam list-users
- Identify the users who have infrastructure modification capabilities. These users might have IAM policies attached to them that grant them excessive permissions.
- Run the following command to list the attached policies for a specific user (replace <user-name> with the actual username):
  aws iam list-attached-user-policies --user-name <user-name>
- Review the output and identify the policies that grant infrastructure modification capabilities. Take note of the policy names and ARNs.
- Run the following command to view the details of a specific policy (replace <policy-arn> with the actual ARN of the policy). Note that get-policy returns the policy metadata, including its DefaultVersionId; the policy document itself comes from get-policy-version:
  aws iam get-policy --policy-arn <policy-arn>
  aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
- Review the policy document returned in the output. Look for statements that grant infrastructure modification capabilities, such as ec2:*, s3:*, rds:*, etc.
- Once you have identified the policies that need to be modified, create new policies with more restricted permissions. You can use the AWS Policy Generator (https://awspolicygen.s3.amazonaws.com/policygen.html) to help you create the updated policies.
- After creating the updated policies, run the following command to attach the updated policies to the user (replace <user-name> and <policy-arn> with the actual values):
  aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
  Attaching a new policy does not remove the old one, so also detach the over-permissive policy, otherwise its permissions remain in effect:
  aws iam detach-user-policy --user-name <user-name> --policy-arn <old-policy-arn>
- Repeat steps 4-9 for each user with infrastructure modification capabilities, ensuring that you attach the updated policies to them.
- Finally, retest the access of the users to verify that they no longer have excessive permissions for infrastructure modification.
By following these steps, you can remediate the misconfiguration “Principals with Infrastructure modification capabilities” for AWS IAM using AWS CLI.
To remediate the misconfiguration “Principals with Infrastructure modification capabilities” in AWS IAM using Python, follow these steps:
- Identify the IAM users or roles that have infrastructure modification capabilities. These capabilities include actions like CreateStack, DeleteStack, UpdateStack, CreateBucket, DeleteBucket, etc.
- Use the AWS SDK for Python (Boto3) to create a Python script that will remove the infrastructure modification capabilities from the identified principals.
- Install the Boto3 library by running the following command:
  pip install boto3
- Configure your AWS credentials by either setting environment variables or using the AWS CLI aws configure command.
- Import the necessary libraries in your Python script:
  import boto3
- Create an AWS IAM client using Boto3:
  iam_client = boto3.client('iam')
- Retrieve a list of all IAM users and roles:
  # list_users and list_roles return a single page of results; for accounts with
  # many principals use iam_client.get_paginator('list_users') / get_paginator('list_roles')
  response = iam_client.list_users()
  users = response['Users']
  response = iam_client.list_roles()
  roles = response['Roles']
- Iterate through the list of users and roles to identify the ones with infrastructure modification capabilities. You can use the list_attached_user_policies and list_attached_role_policies methods to get the policies attached to each user or role:
  for user in users:
      response = iam_client.list_attached_user_policies(UserName=user['UserName'])
      attached_policies = response['AttachedPolicies']
      for policy in attached_policies:
          # Check whether this policy grants infrastructure modification capabilities
          # (review its document as described in the previous sections).
          # If it does, remove it from the user with the detach_user_policy method:
          # iam_client.detach_user_policy(UserName=user['UserName'], PolicyArn=policy['PolicyArn'])
          pass
  for role in roles:
      response = iam_client.list_attached_role_policies(RoleName=role['RoleName'])
      attached_policies = response['AttachedPolicies']
      for policy in attached_policies:
          # Same check as above; if the policy grants infrastructure modification
          # capabilities, remove it from the role with the detach_role_policy method:
          # iam_client.detach_role_policy(RoleName=role['RoleName'], PolicyArn=policy['PolicyArn'])
          pass
- Save the script and execute it. It will remove the infrastructure modification capabilities from the identified IAM users and roles.
- Monitor the execution and verify that the infrastructure modification capabilities have been successfully removed from the principals.
Note: This is a general approach to remediate the misconfiguration. Make sure to customize the script based on your specific requirements and ensure that you have the necessary permissions to modify IAM policies.
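The CLI steps ("look for statements such as ec2:*, s3:*, rds:*") and the Python loop above both leave the actual policy check to the reader. As an added example, not code from the original page, the function below reads an IAM policy document and reports which infrastructure-modifying actions it grants, handling wildcard actions, Action given as a string or a list, NotAction statements and Deny statements. The action list and the sample policy documents are constructed for this example; a real script would feed it the document returned by get_policy_version.

```python
import fnmatch

# Hypothetical set of actions this example treats as "infrastructure modification";
# the page names ec2:*, s3:*, rds:*, CreateStack/DeleteStack/UpdateStack and
# CreateBucket/DeleteBucket, so those services are the ones covered here.
INFRA_MODIFY_ACTIONS = (
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:ModifyVpcAttribute",
    "s3:CreateBucket", "s3:DeleteBucket", "rds:DeleteDBInstance",
    "cloudformation:CreateStack", "cloudformation:UpdateStack",
    "cloudformation:DeleteStack",
)

def _as_list(value):
    """IAM lets Action/NotAction be a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def granted_infra_actions(doc):
    """Sorted INFRA_MODIFY_ACTIONS granted by the Allow statements in `doc`.
    Handles wildcards (*, ec2:*, s3:Delete*), Action as string or list, and NotAction
    (everything except the listed actions). Deny statements are skipped: the aim is to
    see what the policy hands out, not to evaluate a request."""
    granted = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            granted.update(a for a in INFRA_MODIFY_ACTIONS if not _matches(a, excluded))
        else:
            allowed = _as_list(stmt.get("Action"))
            granted.update(a for a in INFRA_MODIFY_ACTIONS if _matches(a, allowed))
    return sorted(granted)

def policies_to_detach(attached):
    """Given {policy_name: document}, name the policies that grant infra changes."""
    return sorted(name for name, doc in attached.items() if granted_infra_actions(doc))

# Constructed sample documents, in the shape `aws iam get-policy-version` returns.
SAMPLE_POLICIES = {
    "ReadOnlyS3": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                  "Action": ["s3:GetObject", "s3:ListBucket"]}]},
    "WideEc2": {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    "AllButIam": {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "DenyOnly": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}
```

Running policies_to_detach(SAMPLE_POLICIES) flags WideEc2 and AllButIam; the NotAction case is the one a simple substring search for "ec2:*" would miss.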