Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration of having users with Administrator Access in AWS IAM, follow these steps using the AWS Management Console:
1. Sign in to the AWS Management Console using your root account credentials.
2. Open the IAM console by searching for “IAM” in the AWS services search bar and selecting “IAM - Identity and Access Management.”
3. In the left navigation pane, click on “Users.”
4. Review the list of users and identify the ones with Administrator Access. These users will have the policy “AdministratorAccess” attached to them.
5. Select the user with Administrator Access that you want to remediate by clicking on their username.
6. In the “Permissions” tab, click on the “Detach Policy” button next to the “AdministratorAccess” policy.
7. A confirmation dialog box will appear. Click on the “Detach” button to remove the policy from the user.
8. Repeat steps 5-7 for each user with Administrator Access until all users no longer have the “AdministratorAccess” policy attached.
9. To prevent future misconfigurations, it is recommended to follow the principle of least privilege and assign appropriate permissions to users based on their roles and responsibilities.
10. To do this, create custom IAM policies with specific permissions that align with each user’s requirements and attach these policies to the respective users.
11. To create a custom IAM policy, go back to the IAM console and click on “Policies” in the left navigation pane.
12. Click on the “Create policy” button.
13. Choose either the “JSON” or “Visual editor” tab to define your policy. The “Visual editor” provides a guided interface to create the policy, while the “JSON” tab allows you to write the policy in JSON format.
14. Define the permissions for the policy based on the user’s requirements. It is recommended to follow the principle of least privilege and only grant the necessary permissions.
15. Once the policy is defined, click on the “Review policy” button.
16. Provide a name and description for the policy, and then click on the “Create policy” button.
17. After creating the policy, go back to the “Users” section and select the user you want to assign the policy to.
18. In the “Permissions” tab of the user, click on the “Attach policies” button.
19. In the search bar, type the name of the policy you created and select it from the list.
20. Click on the “Attach policy” button to assign the policy to the user.
21. Repeat steps 17-20 for each user, assigning the appropriate custom policies based on their roles and responsibilities.
Using CLI
To remediate the misconfiguration of users having Administrator Access in AWS IAM using the AWS CLI, follow these steps:
- Identify the user(s) with Administrator Access:
  - Run the following command to list all IAM users:
  - Review the output and identify the user(s) with Administrator Access.
- Revoke Administrator Access from the user(s):
  - Run the following command to remove the AdministratorAccess policy from the user. Replace <user-name> with the actual username of the user you want to remove Administrator Access from.
- Optional: Assign appropriate permissions to the user(s):
  - If the user(s) still require access to specific resources or services, you can assign them appropriate permissions by attaching specific policies. For example, if a user needs access to EC2 instances, you can attach the AmazonEC2FullAccess policy. Run the following command to attach a policy to the user. Replace <user-name> with the actual username of the user, and <policy-arn> with the ARN of the policy you want to attach.
- Verify the changes:
  - To confirm that the Administrator Access has been revoked, run the following command. Replace <user-name> with the actual username of the user. The command should not display the AdministratorAccess policy.
  - Additionally, you can also verify the user’s permissions by attempting to perform actions that were previously restricted.
Using Python
To remediate the misconfiguration of having users with Administrator Access in AWS IAM using Python, you can follow the steps below:
Step 1: Identify the users with Administrator Access:
You can use the AWS SDK for Python (Boto3) to list all the IAM users and check their assigned policies. Filter out the users who have the “AdministratorAccess” policy attached.
Step 2: Remove Administrator Access from the users:
For each identified user with Administrator Access, you can detach the “AdministratorAccess” policy from their IAM user using the detach_user_policy method.
Step 3: Verify the changes:
After removing the “AdministratorAccess” policy from the users, you can recheck the user policies to ensure that they no longer have Administrator Access.
By following these steps, you can remediate the misconfiguration of having users with Administrator Access in AWS IAM using Python.
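The identify / revoke / verify procedure that both the CLI section and the Python section describe, as an added example that is not code from the original page: it uses the same IAM operations the CLI steps rely on (ListUsers, ListAttachedUserPolicies, DetachUserPolicy, and AttachUserPolicy for the optional replacement step) through the Boto3 client methods the Python section names. Everything takes an `iam` object exposing those four methods; the `FakeIAM` class, the sample users, and the choice of `AmazonEC2FullAccess` as the narrower replacement policy (taken from the CLI section's example) are constructed assumptions so the script runs offline, and `boto3.client("iam")` can be passed in their place for a live account. Like the page's steps, it only checks managed policies attached directly to each user; pagination is followed so users beyond the first page are not missed, and a dry run returns the planned actions before anything is changed.

```python
"""Added example (not the page's code): find IAM users with the AdministratorAccess
managed policy attached directly, detach it, optionally attach a narrower
replacement, and verify. Every function takes an `iam` object exposing the boto3
IAM client methods list_users, list_attached_user_policies, detach_user_policy
and attach_user_policy; FakeIAM is a constructed offline stand-in for
boto3.client("iam")."""
from __future__ import annotations

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
EC2_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"  # example replacement


def list_all_users(iam) -> list[str]:
    """Every IAM user name, following IsTruncated/Marker pagination so users
    beyond the first page are not silently skipped."""
    names, kwargs = [], {}
    while True:
        page = iam.list_users(**kwargs)
        names.extend(user["UserName"] for user in page["Users"])
        if not page.get("IsTruncated"):
            return names
        kwargs = {"Marker": page["Marker"]}


def attached_policy_arns(iam, user_name: str) -> set[str]:
    """ARNs of managed policies attached directly to the user (paginated too).
    Inline policies and policies inherited through groups are not covered."""
    arns, kwargs = set(), {"UserName": user_name}
    while True:
        page = iam.list_attached_user_policies(**kwargs)
        arns.update(p["PolicyArn"] for p in page["AttachedPolicies"])
        if not page.get("IsTruncated"):
            return arns
        kwargs = {"UserName": user_name, "Marker": page["Marker"]}


def find_admin_users(iam) -> list[str]:
    """Step 1: users that have AdministratorAccess attached directly."""
    return [u for u in list_all_users(iam) if ADMIN_POLICY_ARN in attached_policy_arns(iam, u)]


def remediate(iam, users: list[str], replacement_policy_arn: str | None = None,
              dry_run: bool = True) -> list[str]:
    """Step 2: detach AdministratorAccess from each user. A narrower replacement
    policy, if given, is attached first so the user is never left with nothing.
    Returns the actions taken, or only the planned actions when dry_run is True."""
    actions = []
    for user in users:
        if replacement_policy_arn:
            actions.append(f"attach {replacement_policy_arn} to {user}")
            if not dry_run:
                iam.attach_user_policy(UserName=user, PolicyArn=replacement_policy_arn)
        actions.append(f"detach {ADMIN_POLICY_ARN} from {user}")
        if not dry_run:
            iam.detach_user_policy(UserName=user, PolicyArn=ADMIN_POLICY_ARN)
    return actions


def verify(iam, users: list[str]) -> list[str]:
    """Step 3: users that still have AdministratorAccess; empty means success."""
    return [u for u in users if ADMIN_POLICY_ARN in attached_policy_arns(iam, u)]


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client (not part of boto3
    or the page). Lists users in pages of `page_size` to exercise pagination."""

    def __init__(self, attachments, page_size=2):
        self.attachments = {u: set(p) for u, p in attachments.items()}
        self.page_size = page_size

    def list_users(self, Marker="0", **_):
        names, start = sorted(self.attachments), int(Marker)
        resp = {"Users": [{"UserName": n} for n in names[start:start + self.page_size]]}
        if start + self.page_size < len(names):
            resp.update(IsTruncated=True, Marker=str(start + self.page_size))
        return resp

    def list_attached_user_policies(self, UserName, **_):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in sorted(self.attachments[UserName])]}

    def detach_user_policy(self, UserName, PolicyArn):
        self.attachments[UserName].discard(PolicyArn)

    def attach_user_policy(self, UserName, PolicyArn):
        self.attachments[UserName].add(PolicyArn)


def sample_iam() -> FakeIAM:
    """Constructed sample account: two admins, one read-only user, one with nothing."""
    return FakeIAM({"alice": {ADMIN_POLICY_ARN}, "bob": {"arn:aws:iam::aws:policy/ReadOnlyAccess"},
                    "carol": {ADMIN_POLICY_ARN, EC2_POLICY_ARN}, "dave": set()})


if __name__ == "__main__":
    iam = sample_iam()  # for a live account: import boto3; iam = boto3.client("iam")
    admins = find_admin_users(iam)
    print("users with AdministratorAccess:", admins)
    for action in remediate(iam, admins, dry_run=True):
        print("planned:", action)  # review the plan before changing anything
    remediate(iam, admins, replacement_policy_arn=EC2_POLICY_ARN, dry_run=False)
    print("still admin after remediation:", verify(iam, admins))
```

On the sample data the script lists `alice` and `carol` as the users with AdministratorAccess, prints the two planned detachments, and after the live pass reports nothing still admin. Running the plan with `dry_run=True` first is the check an operator wants before touching a production account; with a real client, the user running it needs `iam:ListUsers`, `iam:ListAttachedUserPolicies`, `iam:DetachUserPolicy` and, for the replacement step, `iam:AttachUserPolicy`.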