IAM Managed Policies Should Be Attached To IAM Role
More Info:
Check if custom role policies are present
Risk Level
Medium
Address
Security
Compliance Standards
CBP, SEBI
Triage and Remediation
How to Prevent
To prevent IAM Custom Role Policies from being present in IAM using the AWS Management Console, follow these steps:
- Review Existing IAM Roles:
  - Navigate to the IAM Dashboard in the AWS Management Console.
  - Click on “Roles” in the left-hand menu.
  - Review the list of existing roles and identify any custom roles that have policies attached.
- Restrict Creation of Custom Roles:
  - Go to the “Policies” section in the IAM Dashboard.
  - Create or update a policy that restricts the creation of custom roles.
  - Attach this policy to IAM users or groups that should not have the ability to create custom roles.
- Enable AWS Config Rules:
  - Navigate to the AWS Config service in the AWS Management Console.
  - Set up AWS Config rules to monitor IAM role configurations.
  - Enable rules such as “iam-role-managed-policy-check” to ensure that only managed policies are attached to roles.
- Set Up CloudWatch Alarms:
  - Go to the CloudWatch service in the AWS Management Console.
  - Create a new alarm that triggers on specific IAM events, such as the creation of a custom role.
  - Configure the alarm to send notifications to administrators for immediate review and action.
By following these steps, you can effectively monitor and control the presence of IAM Custom Role Policies in your AWS environment.
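The two controls the console steps describe, a restrictive policy and an alarm on IAM events, can be reasoned about offline before anything is deployed. The following is an added example and not code from the original page: it builds a Deny on `iam:PutRolePolicy` (the API call that writes an inline role policy), runs it through a deliberately simplified model of IAM policy evaluation to confirm the Deny wins over a broad Allow, and applies the same selection a CloudWatch Logs metric filter would make to constructed CloudTrail-style records. The Sid, the account id 111122223333, and the role, policy and user names are all constructed for the example.

```python
import fnmatch
import json

# Added example (not part of the original page). The account id, role and policy
# names below are constructed samples.

# 1. Preventive control: a Deny on iam:PutRolePolicy, the API call that creates or
#    updates an inline role policy. Attach it to the IAM users/groups that must not
#    create custom role policies. The Sid is this example's own choice.
def build_deny_inline_role_policy_document():
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInlineRolePolicies",
                "Effect": "Deny",
                "Action": "iam:PutRolePolicy",
                "Resource": "*",
            }
        ],
    }

# Minimal model of IAM evaluation for identity-based policies: an explicit Deny wins
# over any Allow, and without a matching Allow the action is implicitly denied.
# Conditions, resource policies and permission boundaries are deliberately left out.
def _statement_matches(statement, action, resource):
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    resources = statement.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else resources
    return any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
        fnmatch.fnmatchcase(resource, r) for r in resources
    )

def is_allowed(policy_documents, action, resource):
    allowed = False
    for document in policy_documents:
        for statement in document["Statement"]:
            if _statement_matches(statement, action, resource):
                if statement["Effect"] == "Deny":
                    return False  # explicit deny ends evaluation
                allowed = True
    return allowed

# 2. Detective control: CloudWatch alarms on IAM events are built from CloudTrail
#    records delivered to CloudWatch Logs. This metric filter pattern selects
#    inline-policy writes; find_inline_policy_events applies the same selection to
#    parsed records so the logic can be checked offline.
METRIC_FILTER_PATTERN = '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "PutRolePolicy") }'

def find_inline_policy_events(records):
    hits = []
    for record in records:
        if record.get("eventSource") == "iam.amazonaws.com" and record.get("eventName") == "PutRolePolicy":
            params = record.get("requestParameters") or {}
            hits.append({
                "role": params.get("roleName"),
                "policy": params.get("policyName"),
                "actor": record.get("userIdentity", {}).get("arn"),
                "time": record.get("eventTime"),
            })
    return hits

# Constructed CloudTrail-style records for the demonstration (not real account data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"roleName": "app-role", "policyName": "inline-s3-access"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
]

# A broad Allow standing in for the permissions an administrator already holds.
ADMIN_ALLOW = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    deny = build_deny_inline_role_policy_document()
    print(json.dumps(deny, indent=2))
    role_arn = "arn:aws:iam::111122223333:role/app-role"
    print("PutRolePolicy allowed:", is_allowed([ADMIN_ALLOW, deny], "iam:PutRolePolicy", role_arn))
    print("AttachRolePolicy allowed:", is_allowed([ADMIN_ALLOW, deny], "iam:AttachRolePolicy", role_arn))
    for hit in find_inline_policy_events(SAMPLE_RECORDS):
        print("ALERT inline policy written:", hit)
```

The Deny targets only `iam:PutRolePolicy`, so attaching managed policies (`iam:AttachRolePolicy`) and removing existing inline policies (`iam:DeleteRolePolicy`) stay available to the people doing the remediation. The metric filter pattern is the piece you would give to a CloudWatch Logs metric filter feeding the alarm from the last console step.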
To prevent IAM Custom Role Policies from being present in IAM using the AWS CLI, follow these steps:
- List Existing IAM Roles: First, identify all the IAM roles in your AWS account so you know which roles are currently configured.
  ```
  aws iam list-roles
  ```
- Check for Custom Policies Attached to Roles: For each role, check whether any custom (inline) policies are attached. This identifies the roles that carry custom policies.
  ```
  aws iam list-role-policies --role-name <role-name>
  ```
- Detach Custom Policies from Roles: If you find any custom policies attached to a role, delete them so that no custom policies remain.
  ```
  aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>
  ```
- Enforce Use of Managed Policies: Ensure that roles only use AWS managed policies or predefined policies by attaching those to the roles.
  ```
  aws iam attach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/<policy-name>
  ```
By following these steps, you can prevent the presence of custom role policies in IAM using the AWS CLI.
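The compliance decision behind these CLI steps can be made offline from the command output. As an added example, not code from the original page, the block below takes a constructed inventory shaped like the output of `aws iam list-role-policies` (inline `PolicyNames`) and `aws iam list-attached-role-policies` (`PolicyArn` values), classifies each attached ARN as AWS managed or customer managed, flags roles that still carry inline policies, and emits the remediation commands from the steps above. The role names, policy names and account id 111122223333 are constructed samples; the ARN formats are the documented AWS shapes.

```python
import re

# Added example (not part of the original page). The inventory below is a constructed
# sample; the ARN patterns follow the documented IAM policy ARN formats.
AWS_MANAGED = re.compile(r"^arn:aws[a-z-]*:iam::aws:policy/")
CUSTOMER_MANAGED = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:policy/")

def classify_policy_arn(arn):
    """AWS managed policies live under the pseudo-account 'aws'; customer managed
    policies carry a 12-digit account id."""
    if AWS_MANAGED.match(arn):
        return "aws-managed"
    if CUSTOMER_MANAGED.match(arn):
        return "customer-managed"
    raise ValueError(f"not an IAM policy ARN: {arn}")

def audit_role(role_name, inline_policy_names, attached_policy_arns):
    """Evaluate one role against the check: compliant only when no inline policies exist.

    inline_policy_names mirrors `aws iam list-role-policies` (PolicyNames);
    attached_policy_arns mirrors `aws iam list-attached-role-policies` (PolicyArn values).
    """
    finding = {
        "role": role_name,
        "compliant": not inline_policy_names,
        "inline": list(inline_policy_names),
        "attached": {arn: classify_policy_arn(arn) for arn in attached_policy_arns},
        "remediation": [],
    }
    # Design choice of this example: if the role has nothing but inline policies,
    # attach a managed replacement first so deleting the inline policies does not
    # leave the role with no permissions at all.
    if inline_policy_names and not attached_policy_arns:
        finding["remediation"].append(
            f"aws iam attach-role-policy --role-name {role_name} --policy-arn <managed-policy-arn>"
        )
    for name in inline_policy_names:
        finding["remediation"].append(
            f"aws iam delete-role-policy --role-name {role_name} --policy-name {name}"
        )
    return finding

def audit_inventory(inventory):
    return [audit_role(name, data["inline"], data["attached"]) for name, data in inventory.items()]

# Constructed inventory standing in for the CLI output of the two list commands.
SAMPLE_INVENTORY = {
    "app-role": {"inline": ["inline-s3-access"],
                 "attached": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]},
    "lambda-exec": {"inline": [],
                    "attached": ["arn:aws:iam::111122223333:policy/LambdaLogging"]},
    "legacy-batch": {"inline": ["batch-all", "batch-s3"], "attached": []},
}

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        status = "OK " if finding["compliant"] else "FAIL"
        print(f"{status} {finding['role']} inline={finding['inline']} attached={finding['attached']}")
        for command in finding["remediation"]:
            print("     ", command)
```

Customer managed policies are still managed policies and pass this check; the check only fails on inline policies, which is why `attached` is reported with its classification rather than treated as a finding.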
To prevent IAM Custom Role Policies from being present in IAM using Python scripts, follow these steps:
- Set Up Environment and Install Required Libraries:
  - Ensure you have the necessary SDKs installed for AWS, Azure, and GCP.
  - For AWS, use boto3.
  - For Azure, use azure-identity and azure-mgmt-authorization.
  - For GCP, use google-cloud-iam.
- Authenticate and Initialize Clients:
  - Authenticate and initialize the respective clients for AWS, Azure, and GCP.
- Check for Existing Custom Roles:
  - Write scripts to list and check for existing custom roles in each cloud environment.
- Prevent Creation of Custom Roles:
  - Implement logic to prevent the creation of custom roles by monitoring and intercepting role creation requests.
Here are the Python scripts for each cloud provider:
AWS (using boto3)
```python
import boto3

# Initialize IAM client
iam_client = boto3.client('iam')

# Find roles that carry inline ("custom") policies. The check wants only managed
# policies attached, so any name returned by list_role_policies is a finding.
def list_roles_with_inline_policies():
    findings = []
    for page in iam_client.get_paginator('list_roles').paginate():
        for role in page['Roles']:
            inline = iam_client.list_role_policies(RoleName=role['RoleName'])['PolicyNames']
            if inline:
                findings.append((role['RoleName'], inline))
    return findings

# Report roles that violate the check
def prevent_custom_roles():
    findings = list_roles_with_inline_policies()
    if findings:
        print("Roles with inline (custom) policies detected:")
        for role_name, policy_names in findings:
            print(f"  {role_name}: {', '.join(policy_names)}")
        # Remediate by attaching a managed policy and deleting the inline policies
        # (see the CLI steps above), and restrict iam:PutRolePolicy to stop new ones.

prevent_custom_roles()
```
Azure (using azure-identity and azure-mgmt-authorization)
```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Initialize Azure client
credential = DefaultAzureCredential()
subscription_id = 'your_subscription_id'
auth_client = AuthorizationManagementClient(credential, subscription_id)

# List all custom roles
def list_custom_roles():
    custom_roles = []
    for role in auth_client.role_definitions.list(scope='/subscriptions/' + subscription_id):
        if role.role_type == 'CustomRole':
            custom_roles.append(role)
    return custom_roles

# Prevent creation of custom roles
def prevent_custom_roles():
    custom_roles = list_custom_roles()
    if custom_roles:
        print("Custom roles detected. Preventing creation of new custom roles.")
        # Implement logic to prevent creation of new custom roles
        # This could involve setting up policies or alerts

prevent_custom_roles()
```
GCP (using google-cloud-iam)
```python
from google.cloud import iam_admin_v1
from google.oauth2 import service_account

# Initialize GCP IAM client (the role admin API is the iam_admin_v1 module of google-cloud-iam)
credentials = service_account.Credentials.from_service_account_file('path_to_your_service_account_key.json')
iam_client = iam_admin_v1.IAMClient(credentials=credentials)

# List all custom roles
def list_custom_roles():
    project_id = 'your_project_id'
    # Roles listed under a project parent are that project's custom roles;
    # predefined roles live in the "roles/" namespace and are not returned here.
    return list(iam_client.list_roles(request={'parent': f'projects/{project_id}'}))

# Prevent creation of custom roles
def prevent_custom_roles():
    custom_roles = list_custom_roles()
    if custom_roles:
        print("Custom roles detected. Preventing creation of new custom roles.")
        # Implement logic to prevent creation of new custom roles
        # This could involve setting up policies or alerts

prevent_custom_roles()
```
Summary
- Set Up Environment and Install Required Libraries: Ensure you have the necessary SDKs installed.
- Authenticate and Initialize Clients: Authenticate and initialize the respective clients for AWS, Azure, and GCP.
- Check for Existing Custom Roles: Write scripts to list and check for existing custom roles in each cloud environment.
- Prevent Creation of Custom Roles: Implement logic to prevent the creation of custom roles by monitoring and intercepting role creation requests.
These scripts will help you monitor and prevent the creation of custom IAM roles in AWS, Azure, and GCP.