Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Principals with Infrastructure modification capabilities” in AWS IAM using the AWS Management Console, follow these step-by-step instructions:
1. Log in to the AWS Management Console (https://console.aws.amazon.com/).
2. Navigate to the IAM service by searching for “IAM” in the AWS services search bar and selecting “IAM” from the results.
3. In the IAM console, click on “Roles” in the left-hand menu.
4. Review the list of roles and identify the roles that have infrastructure modification capabilities. These roles typically have policies attached that grant permissions to modify resources such as EC2 instances, S3 buckets, or VPC configurations.
5. Click on the role that has the misconfiguration to view its details.
6. In the “Permissions” tab, review the policies attached to the role. Look for policies that grant broad or excessive permissions related to infrastructure modification.
7. Identify the specific actions or services that the role should not be able to modify and note them down for later reference.
8. Click on the policy name to view the policy document.
9. In the policy document, locate the specific statements that grant the undesired infrastructure modification capabilities.
10. Edit the policy document by removing or modifying the statements that grant the undesired permissions. Remove only the permissions that are necessary to remediate the misconfiguration.
11. After making the changes, click on the “Review policy” button to validate the policy syntax and save the changes.
12. Review the updated policy to ensure it aligns with the desired permissions and does not grant any unnecessary infrastructure modification capabilities.
13. Repeat steps 5-12 for all roles that have the misconfiguration, ensuring that each role’s policy is appropriately modified.
14. Once you have remediated all the roles, perform a thorough review to confirm that the roles now have only the intended permissions.
15. Monitor the roles periodically to ensure that the misconfiguration does not recur and that any changes made align with the organization’s security and compliance requirements.
Using CLI
To remediate the misconfiguration “Principals with Infrastructure modification capabilities” in AWS IAM using the AWS CLI, follow these steps:
1. Open the AWS CLI on your local machine.
2. Run the following command to list all the IAM users in your AWS account:
3. Identify the users who have infrastructure modification capabilities. These users might have IAM policies attached that grant them excessive permissions.
4. Run the following command to list the attached policies for a specific user (replace <user-name> with the actual username):
5. Review the output and identify the policies that grant infrastructure modification capabilities. Take note of the policy names.
6. Run the following command to view the details of a specific policy (replace <policy-arn> with the actual ARN of the policy):
7. Review the policy document returned in the output. Look for statements that grant infrastructure modification capabilities, such as ec2:*, s3:*, rds:*, etc.
8. Once you have identified the policies that need to be modified, create new policies with more restricted permissions. You can use the AWS Policy Generator (https://awspolicygen.s3.amazonaws.com/policygen.html) to help you create the updated policies.
9. After creating the updated policies, run the following command to attach the updated policies to the user (replace <user-name> and <policy-arn> with the actual values):
10. Repeat steps 4-9 for each user with infrastructure modification capabilities, ensuring that you attach the updated policies to them.
11. Finally, retest the access of the users to verify that they no longer have excessive permissions for infrastructure modification.
Using Python
To remediate the misconfiguration “Principals with Infrastructure modification capabilities” in AWS IAM using Python, follow these steps:
1. Identify the IAM users or roles that have infrastructure modification capabilities. These capabilities include actions like CreateStack, DeleteStack, UpdateStack, CreateBucket, DeleteBucket, etc.
2. Use the AWS SDK for Python (Boto3) to create a Python script that will remove the infrastructure modification capabilities from the identified principals.
3. Install the Boto3 library by running the following command:
4. Configure your AWS credentials by either setting environment variables or using the AWS CLI aws configure command.
5. Import the necessary libraries in your Python script:
6. Create an AWS IAM client using Boto3:
7. Retrieve a list of all IAM users and roles:
8. Iterate through the list of users and roles to identify the ones with infrastructure modification capabilities. You can use the list_attached_user_policies and list_attached_role_policies methods to get the policies attached to each user or role:
9. Save the script and execute it. It will remove the infrastructure modification capabilities from the identified IAM users and roles.
10. Monitor the execution and verify that the infrastructure modification capabilities have been successfully removed from the principals.
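The console, CLI and Python procedures above all come down to the same three operations: enumerate principals and their attached policies, find the statements that grant infrastructure-modifying actions (including grants hidden behind wildcards such as ec2:* or *), and rewrite the policy without them. The script below is an added example of those operations; it is not code from the original page. It assumes a constructed watch-list of actions (INFRA_MODIFYING_ACTIONS), and its audit_principals function accepts any object exposing the boto3 IAM client methods it calls (list_users, list_roles, list_attached_user_policies, list_attached_role_policies, get_policy, get_policy_version), so it runs offline against the included StubIAM stand-in with constructed sample data.

```python
"""Added example (not part of the original page): find IAM users and roles whose
attached policies grant infrastructure-modifying actions, and produce a
tightened policy document. Assumptions: the action watch-list is constructed,
and `audit_principals` accepts any object with the boto3 IAM client methods it
calls, so it also runs offline against the StubIAM below."""
import fnmatch
import json

# Constructed, illustrative watch-list; extend it to match your own baseline.
INFRA_MODIFYING_ACTIONS = {
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "cloudformation:UpdateStack", "s3:CreateBucket", "s3:DeleteBucket",
    "ec2:RunInstances", "ec2:TerminateInstances", "rds:DeleteDBInstance",
}

def _as_list(value):
    """IAM allows either a string or a list in Action/NotAction/Statement."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # Action names are case-insensitive and may carry '*' / '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def offending_actions(statement):
    """Watch-list actions an Allow statement grants, expanding wildcards such
    as 'ec2:*' or '*' and honouring NotAction (allow everything not listed)."""
    if statement.get("Effect") != "Allow":
        return set()
    if "NotAction" in statement:
        excluded = _as_list(statement["NotAction"])
        return {a for a in INFRA_MODIFYING_ACTIONS if not _matches(a, excluded)}
    allowed = _as_list(statement.get("Action"))
    return {a for a in INFRA_MODIFYING_ACTIONS if _matches(a, allowed)}

def tighten_policy(document):
    """Copy of the policy with infrastructure-modifying grants removed. Listed
    actions are dropped from Action; a statement granting them via a wildcard
    or NotAction is dropped whole, since narrowing it needs a human decision."""
    kept = []
    for stmt in _as_list(document.get("Statement")):
        hits = {h.lower() for h in offending_actions(stmt)}
        if not hits:
            kept.append(stmt)
            continue
        actions = _as_list(stmt.get("Action"))
        remaining = [a for a in actions if a.lower() not in hits]
        if "NotAction" in stmt or len(remaining) + len(hits) != len(actions):
            continue  # grant came through a wildcard or NotAction
        if remaining:
            kept.append({**stmt, "Action": remaining})
    return {**document, "Statement": kept}

def audit_principals(iam):
    """Walk users and roles with list_attached_user_policies /
    list_attached_role_policies; return {principal: {policy_arn: [actions]}}.
    Real accounts should page through list_users/list_roles with a paginator."""
    findings = {}
    principals = (
        [("UserName", u["UserName"], iam.list_attached_user_policies)
         for u in iam.list_users()["Users"]]
        + [("RoleName", r["RoleName"], iam.list_attached_role_policies)
           for r in iam.list_roles()["Roles"]])
    for key, name, list_attached in principals:
        for att in list_attached(**{key: name})["AttachedPolicies"]:
            arn = att["PolicyArn"]
            version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
            doc = iam.get_policy_version(
                PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]
            hits = set().union(
                *(offending_actions(s) for s in _as_list(doc.get("Statement"))))
            if hits:
                findings.setdefault(name, {})[arn] = sorted(hits)
    return findings

class StubIAM:
    """Constructed in-memory stand-in for the boto3 IAM client (sample data)."""
    POLICY_ARN = "arn:aws:iam::123456789012:policy/ExampleDeployPolicy"
    DOCUMENT = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:CreateBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}]}
    def list_users(self): return {"Users": [{"UserName": "deploy-user"}]}
    def list_roles(self): return {"Roles": [{"RoleName": "ReadOnlyRole"}]}
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": self.POLICY_ARN}]}
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": []}
    def get_policy(self, PolicyArn): return {"Policy": {"DefaultVersionId": "v1"}}
    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"Document": self.DOCUMENT}}

if __name__ == "__main__":
    iam = StubIAM()  # replace with boto3.client("iam") to scan a real account
    print(json.dumps(audit_principals(iam), indent=2))
    print(json.dumps(tighten_policy(iam.DOCUMENT), indent=2))
```

Against a real account, pass boto3.client("iam") instead of the stub. To apply a tightened document to a customer-managed policy, call iam.create_policy_version with PolicyArn, PolicyDocument=json.dumps(tighten_policy(doc)) and SetAsDefault=True; IAM keeps at most five versions per policy, so older ones may need to be deleted with delete_policy_version first. AWS managed policies (arn:aws:iam::aws:policy/...) cannot be edited, so for those the remediation is to detach them (detach_user_policy / detach_role_policy) and attach a narrower customer-managed replacement, matching step 9 of the CLI procedure.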