Skip to main content

More Info:

Giving permissions to resource: * (all resources) should be avoided or minimized in majority of the cases.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP,HIPAA,SCO2,NISTCSF,NIST,AWSWAF,ISO27001,HITRUST,CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of granting permission for all resources in AWS IAM Deep Dive, follow these steps using the AWS Management Console:
  1. Sign in to the AWS Management Console.
  2. Open the IAM console.
  3. In the navigation pane, choose “Policies”.
  4. Search for the policy that grants permission for all resources. This policy may have a wildcard (*) in the resource section, allowing access to all resources.
  5. Select the policy by clicking on its name.
  6. In the policy summary page, click on the “Edit policy” button.
  7. Review the policy document to ensure that it is the one granting permission for all resources. Make a note of the policy document for reference.
  8. Click on the “Delete policy version” button to delete the existing policy version.
  9. Confirm the deletion by clicking on the “Delete” button.
  10. Create a new policy version by clicking on the “Create version” button.
  11. In the policy version editor, modify the policy document to restrict access to specific resources or resource types. Remove any wildcard (*) entries.
  12. Review the modified policy document to ensure that it grants permission only to the required resources.
  13. Click on the “Review policy” button to validate the policy.
  14. Review the policy summary and verify that it grants permission to the intended resources.
  15. Click on the “Save changes” button to save the new policy version.
  16. In the policy summary page, click on the “Set as default version” button to make the new policy version the default.
  17. Confirm the action by clicking on the “Yes, set as default” button.
  18. Verify that the policy is now updated and grants permission only to the specified resources.
By following these steps, you have successfully remediated the misconfiguration of granting permission for all resources in AWS IAM Deep Dive.

To remediate the misconfiguration of granting permission for all resources in AWS IAM using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine or use the AWS CLI in the AWS Management Console.
  2. Identify the user, group, or role that has been granted permission for all resources. You can use the following command to list all the policies attached to a user, group, or role: 
    aws iam list-attached-user-policies --user-name <username>
aws iam list-attached-group-policies --group-name <groupname>
aws iam list-attached-role-policies --role-name <rolename>
  3. Once you have identified the policy that grants permission for all resources, note down the policy name.
  4. Next, retrieve the policy document for the identified policy using the following command: 
    aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
    Replace <policy-arn> with the ARN of the policy and <version-id> with the version ID of the policy document.
  5. The command output will provide you with the JSON representation of the policy document. Copy the policy document to a text editor for editing.
  6. In the policy document, locate the section where it grants permission for all resources. It might look similar to this: 
    "Resource": "*"
  7. Modify the policy document to specify the specific resources for which the permission should be granted. Replace the "Resource": "*" with the appropriate resource ARNs or resource identifiers. For example: 
    "Resource": "arn:aws:s3:::example-bucket"
    Ensure that you specify the correct ARN or identifier for the specific resource you want to grant permission to.
  8. Save the modified policy document.
  9. Finally, update the policy version with the modified policy document using the following command: 
    aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://<path-to-modified-policy-document>
    Replace <policy-arn> with the ARN of the policy and <path-to-modified-policy-document> with the local file path to the modified policy document.
  10. After successfully creating the new policy version, you need to set it as the default version for the policy using the following command: 
    aws iam set-default-policy-version --policy-arn <policy-arn> --version-id <new-version-id>
    Replace <policy-arn> with the ARN of the policy and <new-version-id> with the version ID of the newly created policy version.
  11. Verify that the policy has been updated by listing the attached policies again: 
    aws iam list-attached-user-policies --user-name <username>
aws iam list-attached-group-policies --group-name <groupname>
aws iam list-attached-role-policies --role-name <rolename>
    Ensure that the policy now grants permission only for the specified resources and not all resources.
By following these steps, you can remediate the misconfiguration of granting permission for all resources in AWS IAM using AWS CLI.
To remediate the misconfiguration of granting permissions for all resources in AWS IAM, follow these steps using Python:
  1. Install the AWS SDK for Python (Boto3) if you haven’t already:
pip install boto3
  1. Create a Python script and import the necessary libraries:
import boto3
  1. Initialize the AWS IAM client:
iam_client = boto3.client('iam')
  1. Retrieve a list of all IAM roles:
response = iam_client.list_roles()
roles = response['Roles']
  1. Iterate through each role and remove the permissions for all resources:
for role in roles:
    role_name = role['RoleName']
    
    # Retrieve the existing role policy
    response = iam_client.get_role_policy(
        RoleName=role_name,
        PolicyName='AmazonEC2FullAccess'  # Replace with the policy name that grants permissions for all resources
    )
    
    # Remove the existing role policy
    iam_client.delete_role_policy(
        RoleName=role_name,
        PolicyName='AmazonEC2FullAccess'  # Replace with the policy name that grants permissions for all resources
    )
    
    print(f"Permissions for all resources removed for role: {role_name}")
  1. Save and run the Python script. It will iterate through all IAM roles and remove the permissions for all resources.
Note: Replace 'AmazonEC2FullAccess' with the actual policy name that grants permissions for all resources. Repeat steps 5 and 6 for each policy that needs to be removed.Make sure you have the necessary permissions to modify IAM roles and policies before running the script.