AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Users with Administrator Access
More Info:
Administrator access also brings risk with them. Try to have minimum admins in your account.
Risk Level
High
Address
Security
Compliance Standards
CISGCP,HIPAA,SCO2,NISTCSF,NIST,AWSWAF,ISO27001,HITRUST
Triage and Remediation
Remediation
To remediate the misconfiguration of having users with Administrator Access in AWS IAM, follow these steps using the AWS Management Console:
-
Sign in to the AWS Management Console using your root account credentials.
-
Open the IAM console by searching for “IAM” in the AWS services search bar and selecting “IAM - Identity and Access Management.”
-
In the left navigation pane, click on “Users.”
-
Review the list of users and identify the ones with Administrator Access. These users will have the policy “AdministratorAccess” attached to them.
-
Select the user with Administrator Access that you want to remediate by clicking on their username.
-
In the “Permissions” tab, click on the “Detach Policy” button next to the “AdministratorAccess” policy.
-
A confirmation dialog box will appear. Click on the “Detach” button to remove the policy from the user.
-
Repeat steps 5-7 for each user with Administrator Access until all users no longer have the “AdministratorAccess” policy attached.
-
To prevent future misconfigurations, it is recommended to follow the principle of least privilege and assign appropriate permissions to users based on their roles and responsibilities.
-
To do this, create custom IAM policies with specific permissions that align with each user’s requirements and attach these policies to the respective users.
-
To create a custom IAM policy, go back to the IAM console and click on “Policies” in the left navigation pane.
-
Click on the “Create policy” button.
-
Choose either the “JSON” or “Visual editor” tab to define your policy. The “Visual editor” provides a guided interface to create the policy, while the “JSON” tab allows you to write the policy in JSON format.
-
Define the permissions for the policy based on the user’s requirements. It is recommended to follow the principle of least privilege and only grant the necessary permissions.
-
Once the policy is defined, click on the “Review policy” button.
-
Provide a name and description for the policy, and then click on the “Create policy” button.
-
After creating the policy, go back to the “Users” section and select the user you want to assign the policy to.
-
In the “Permissions” tab of the user, click on the “Attach policies” button.
-
In the search bar, type the name of the policy you created and select it from the list.
-
Click on the “Attach policy” button to assign the policy to the user.
-
Repeat steps 17-20 for each user, assigning the appropriate custom policies based on their roles and responsibilities.
By following these steps, you can remediate the misconfiguration of having users with Administrator Access in AWS IAM and implement the principle of least privilege by assigning custom policies based on specific user requirements.
To remediate the misconfiguration of users having Administrator Access in AWS IAM using AWS CLI, follow these steps:
-
Identify the user(s) with Administrator Access:
-
Run the following command to list all IAM users:
aws iam list-users -
Review the output and identify the user(s) with Administrator Access.
-
-
Revoke Administrator Access from the user(s):
-
Run the following command to remove the AdministratorAccess policy from the user:
aws iam detach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::aws:policy/AdministratorAccessReplace
<user-name>with the actual username of the user you want to remove Administrator Access from.
-
-
Optional: Assign appropriate permissions to the user(s):
-
If the user(s) still require access to specific resources or services, you can assign them appropriate permissions by attaching specific policies. For example, if a user needs access to EC2 instances, you can attach the
AmazonEC2FullAccesspolicy.Run the following command to attach a policy to the user:
aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>Replace
<user-name>with the actual username of the user, and<policy-arn>with the ARN of the policy you want to attach.
-
-
Verify the changes:
-
To confirm that the Administrator Access has been revoked, run the following command:
aws iam list-attached-user-policies --user-name <user-name>Replace
<user-name>with the actual username of the user. The command should not display theAdministratorAccesspolicy. -
Additionally, you can also verify the user’s permissions by attempting to perform actions that were previously restricted.
-
By following these steps, you will successfully remediate the misconfiguration of users having Administrator Access in AWS IAM using AWS CLI.
To remediate the misconfiguration of having users with Administrator Access in AWS IAM using Python, you can follow the steps below:
Step 1: Identify the users with Administrator Access: You can use the AWS SDK for Python (Boto3) to list all the IAM users and check their assigned policies. Filter out the users who have the “AdministratorAccess” policy attached.
import boto3
def find_admin_users():
iam_client = boto3.client('iam')
response = iam_client.list_users()
admin_users = []
for user in response['Users']:
response = iam_client.list_attached_user_policies(UserName=user['UserName'])
for policy in response['AttachedPolicies']:
if policy['PolicyName'] == 'AdministratorAccess':
admin_users.append(user['UserName'])
return admin_users
admin_users = find_admin_users()
print("Admin Users:", admin_users)
Step 2: Remove Administrator Access from the users:
For each identified user with Administrator Access, you can detach the “AdministratorAccess” policy from their IAM user using the detach_user_policy method.
import boto3
def remove_admin_access(user):
iam_client = boto3.client('iam')
response = iam_client.detach_user_policy(
UserName=user,
PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
)
print(f"Removed AdministratorAccess from user: {user}")
for user in admin_users:
remove_admin_access(user)
Step 3: Verify the changes: After removing the “AdministratorAccess” policy from the users, you can recheck the user policies to ensure that they no longer have Administrator Access.
import boto3
def verify_admin_users():
iam_client = boto3.client('iam')
response = iam_client.list_users()
admin_users = []
for user in response['Users']:
response = iam_client.list_attached_user_policies(UserName=user['UserName'])
for policy in response['AttachedPolicies']:
if policy['PolicyName'] == 'AdministratorAccess':
admin_users.append(user['UserName'])
return admin_users
admin_users = verify_admin_users()
if not admin_users:
print("No users with AdministratorAccess found. Remediation successful.")
else:
print("Admin Users still exist:", admin_users)
By following these steps, you can remediate the misconfiguration of having users with Administrator Access in AWS IAM using Python.