Policies with NotAction in the Statements
More Info: One or more IAM policies use the NotAction element in a statement. With Effect Allow, NotAction grants every action except the ones listed, including actions that AWS introduces later, which makes the effective permissions hard to reason about and easy to over-grant.
Risk Level: Low
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of policies with NotAction in the statements in AWS IAM, follow these steps using the AWS Management Console:
- Sign in to the AWS Management Console.
- Open the IAM console.
- In the navigation pane, click on “Policies”.
- Search for the policy that contains the “NotAction” statement.
- Select the policy by clicking on its name.
- On the policy summary page, click on the “Edit policy” button.
- In the policy editor, locate the statement with the “NotAction” element that needs to be remediated.
- Remove the “NotAction” element from the statement and replace it with an explicit “Action” list naming the permissions the statement is meant to grant (a statement must contain exactly one of “Action” or “NotAction”).
- Review the remaining elements and conditions and ensure they are correct and aligned with your intended permissions.
- Click on the “Review policy” button to validate the changes.
- Review the policy summary page to verify that there are no errors or warnings.
- Click on the “Save changes” button to apply the remediation.
Once the policy is saved, the misconfiguration of having “NotAction” in the statements is resolved. Thoroughly review the policy to ensure that the desired permissions are correctly defined and that the policy aligns with your security requirements.
To remediate the misconfiguration of policies with NotAction in the statements in AWS IAM using the AWS CLI, follow these steps:
- Identify the policies to inspect. Use the list-policies command to list the customer-managed policies in your AWS account (only these can be edited; AWS managed policies cannot be changed):
aws iam list-policies --scope Local
Note down the ARN and DefaultVersionId of each policy. The listing does not show statement contents, so each policy document has to be retrieved and checked for NotAction in the next step.
- Retrieve the policy document for each policy using the get-policy-version command. Replace <policy-arn> with the ARN of the policy and <version-id> with its DefaultVersionId:
aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
Note down the Document field value from the command output, as it contains the policy document, and check whether any of its statements uses NotAction.
- Edit the policy document to remove NotAction. You can use a text editor or a JSON editor to modify the policy document. A statement must contain exactly one of Action or NotAction, so replace the NotAction element in each statement that has it with an explicit Action list naming the permissions that statement is meant to grant. For example, if the policy document looks like this (the statement allows every action except s3:GetObject on the bucket's objects):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
modify it to state the intended permissions explicitly (here, as an example, uploads and deletes):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
- Once you have edited the policy document, save the changes to a JSON file.
- Update the policy with the modified policy document using the create-policy-version command. Replace <policy-arn> with the ARN of the policy you want to update, and <modified-policy-document> with the path to the modified policy document JSON file:
aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://<modified-policy-document> --set-as-default
This command creates a new version of the policy with the modified policy document and sets it as the default version. Note down the VersionId in the output. A policy can have at most five versions; if the command fails because that limit is reached, delete an old non-default version with aws iam delete-policy-version first.
- Verify that the policy has been updated using the get-policy-version command. Replace <policy-arn> with the ARN of the policy you updated and <new-version-id> with the VersionId returned by the previous command:
aws iam get-policy-version --policy-arn <policy-arn> --version-id <new-version-id>
Ensure that the Document field in the output matches the modified policy document.
- Repeat steps 3-6 for each policy identified in step 1 that contains NotAction in its statements.
By following these steps, you can remediate the misconfiguration of policies with NotAction in the statements in AWS IAM using the AWS CLI.
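The list-policies output does not show statement contents, so the check has to run over each retrieved Document. The following is an added example, not code from the original page or from any AWS tool, that scans policy documents as returned by get-policy-version for statements that use NotAction, handling both the list and single-object forms of Statement and separating Allow findings from Deny guard-rails; the sample policies and ARNs are constructed.

```python
import json

# Constructed sample documents shaped like the "Document" field that
# "aws iam get-policy-version" returns; they are not real account policies.
SAMPLE_POLICIES = {
    "arn:aws:iam::123456789012:policy/broad-allow": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"],
                       "Resource": "*"}],
    },
    "arn:aws:iam::123456789012:policy/region-guard": {
        "Version": "2012-10-17",
        # IAM also accepts a single statement object in place of a list
        "Statement": {"Effect": "Deny", "NotAction": "s3:*", "Resource": "*",
                      "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    },
    "arn:aws:iam::123456789012:policy/explicit": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-bucket/*"}],
    },
}

def statements_of(document):
    """Return the Statement block as a list, whether it was a list or a single object."""
    statements = document.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)

def find_not_action(document):
    """Return (index, effect, excluded actions) for each statement that uses NotAction.
    Allow + NotAction grants every action except those listed (including actions AWS adds
    later) and needs remediation; Deny + NotAction is a guard-rail pattern, reported for review.
    """
    findings = []
    for index, statement in enumerate(statements_of(document)):
        if "NotAction" in statement:
            excluded = statement["NotAction"]
            findings.append((index, statement.get("Effect"),
                             [excluded] if isinstance(excluded, str) else list(excluded)))
    return findings

def audit(policies):
    """Map policy ARN -> NotAction findings, omitting policies that have none."""
    return {arn: f for arn, doc in policies.items() if (f := find_not_action(doc))}

def audit_cli_output(text):
    """Scan the raw JSON printed by "aws iam get-policy-version" for NotAction."""
    return find_not_action(json.loads(text)["PolicyVersion"]["Document"])
```

Pipe the output of get-policy-version into audit_cli_output to check one policy, or build a dict of ARN to Document and call audit to triage a whole account's policies at once.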
To remediate the issue of policies with NotAction in the statements in AWS IAM using Python, follow these steps:
- Install the required dependencies:
  - Install the AWS SDK for Python (Boto3) using the command:
pip install boto3
- Configure your AWS credentials:
  - Open the AWS Management Console and go to the IAM service.
  - Create an IAM user with the necessary permissions to modify IAM policies.
  - Generate an access key and secret access key for the IAM user.
  - Configure your AWS credentials by running the command:
aws configure
and provide the access key, secret access key, and region.
- Write a Python script to remediate the misconfigured policies. Below is an example script:
import json
import boto3

# Fill in, per policy ARN, the explicit actions that should replace NotAction.
# Policies that use NotAction but are not listed here are reported, not changed.
REQUIRED_ACTIONS = {
    # "arn:aws:iam::123456789012:policy/example": ["s3:PutObject", "s3:DeleteObject"],
}

def remediate_policies():
    iam_client = boto3.client('iam')
    # Only customer-managed policies (Scope='Local') can be edited, and
    # list_policies is paginated, so walk every page of results.
    for page in iam_client.get_paginator('list_policies').paginate(Scope='Local'):
        for policy in page['Policies']:
            policy_arn = policy['Arn']
            policy_document = iam_client.get_policy_version(
                PolicyArn=policy_arn, VersionId=policy['DefaultVersionId']
            )['PolicyVersion']['Document']
            # 'Statement' may be a single object or a list; normalise to a list
            statements = policy_document['Statement']
            if isinstance(statements, dict):
                statements = [statements]
            if not any('NotAction' in s for s in statements):
                continue
            if policy_arn not in REQUIRED_ACTIONS:
                print(f"Policy {policy_arn} uses NotAction; add its actions to REQUIRED_ACTIONS.")
                continue
            for statement in statements:
                if 'NotAction' in statement:
                    # A statement holds exactly one of Action or NotAction, so the
                    # NotAction element is replaced by an explicit Action list.
                    del statement['NotAction']
                    statement['Action'] = REQUIRED_ACTIONS[policy_arn]
            policy_document['Statement'] = statements
            # IAM keeps at most five versions per policy; make room if needed
            versions = iam_client.list_policy_versions(PolicyArn=policy_arn)['Versions']
            if len(versions) >= 5:
                oldest = min((v for v in versions if not v['IsDefaultVersion']),
                             key=lambda v: v['CreateDate'])
                iam_client.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest['VersionId'])
            # PolicyDocument must be a JSON string, not a dict
            iam_client.create_policy_version(PolicyArn=policy_arn,
                                             PolicyDocument=json.dumps(policy_document),
                                             SetAsDefault=True)
            print(f"Policy {policy_arn} has been remediated.")

remediate_policies()
- Run the Python script:
  - Save the script in a file, for example, remediate_policies.py.
  - Open a terminal or command prompt and navigate to the directory containing the script.
  - Run the command:
python remediate_policies.py
The script iterates through the customer-managed policies in your AWS account and, in any statement that uses NotAction, replaces it with an explicit Action list. Each modified policy is published as a new version and set as the default, replacing the old version.