Permission for all resources

More Info:

Giving permissions to resource: * (all resources) should be avoided or minimized in majority of the cases.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP,HIPAA,SCO2,NISTCSF,NIST,AWSWAF,ISO27001,HITRUST,CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of granting permission for all resources in AWS IAM using AWS CLI, follow these steps:

Open the AWS CLI on your local machine or use the AWS CLI in the AWS Management Console.
Identify the user, group, or role that has been granted permission for all resources. You can use the following command to list all the policies attached to a user, group, or role:
```
aws iam list-attached-user-policies --user-name <username>
aws iam list-attached-group-policies --group-name <groupname>
aws iam list-attached-role-policies --role-name <rolename>
```
Once you have identified the policy that grants permission for all resources, note down the policy name.
Next, retrieve the policy document for the identified policy using the following command:
```
aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
```
Replace <policy-arn> with the ARN of the policy and <version-id> with the version ID of the policy document.
The command output will provide you with the JSON representation of the policy document. Copy the policy document to a text editor for editing.
In the policy document, locate the section where it grants permission for all resources. It might look similar to this:
```
"Resource": "*"
```
Modify the policy document to specify the specific resources for which the permission should be granted. Replace the "Resource": "*" with the appropriate resource ARNs or resource identifiers. For example:
```
"Resource": "arn:aws:s3:::example-bucket"
```
Ensure that you specify the correct ARN or identifier for the specific resource you want to grant permission to.
Save the modified policy document.
Finally, update the policy version with the modified policy document using the following command:
```
aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://<path-to-modified-policy-document>
```
Replace <policy-arn> with the ARN of the policy and <path-to-modified-policy-document> with the local file path to the modified policy document.
After successfully creating the new policy version, you need to set it as the default version for the policy using the following command:
```
aws iam set-default-policy-version --policy-arn <policy-arn> --version-id <new-version-id>
```
Replace <policy-arn> with the ARN of the policy and <new-version-id> with the version ID of the newly created policy version.
Verify that the policy has been updated by listing the attached policies again:
```
aws iam list-attached-user-policies --user-name <username>
aws iam list-attached-group-policies --group-name <groupname>
aws iam list-attached-role-policies --role-name <rolename>
```
Ensure that the policy now grants permission only for the specified resources and not all resources.

By following these steps, you can remediate the misconfiguration of granting permission for all resources in AWS IAM using AWS CLI.

Using Python

To remediate the misconfiguration of granting permissions for all resources in AWS IAM, follow these steps using Python:

Install the AWS SDK for Python (Boto3) if you haven’t already:

pip install boto3

Create a Python script and import the necessary libraries:

import boto3

Initialize the AWS IAM client:

iam_client = boto3.client('iam')

Retrieve a list of all IAM roles:

response = iam_client.list_roles()
roles = response['Roles']

Iterate through each role and remove the permissions for all resources:

for role in roles:
    role_name = role['RoleName']
    
    # Retrieve the existing role policy
    response = iam_client.get_role_policy(
        RoleName=role_name,
        PolicyName='AmazonEC2FullAccess'  # Replace with the policy name that grants permissions for all resources
    )
    
    # Remove the existing role policy
    iam_client.delete_role_policy(
        RoleName=role_name,
        PolicyName='AmazonEC2FullAccess'  # Replace with the policy name that grants permissions for all resources
    )
    
    print(f"Permissions for all resources removed for role: {role_name}")

Save and run the Python script. It will iterate through all IAM roles and remove the permissions for all resources.

Note: Replace 'AmazonEC2FullAccess' with the actual policy name that grants permissions for all resources. Repeat steps 5 and 6 for each policy that needs to be removed.Make sure you have the necessary permissions to modify IAM roles and policies before running the script.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Permission for all resources

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation