Event Information

  • The CreatePolicy event in AWS for IAM refers to the action of creating a new policy in the Identity and Access Management (IAM) service.
  • This event is triggered when a user or an automated process creates a new policy document that defines permissions and access controls for AWS resources.
  • The CreatePolicy event is important for auditing and compliance purposes as it allows organizations to track and monitor the creation of policies, ensuring that the appropriate security measures are in place.

Examples

  • Inadequate permissions: If the policy created with CreatePolicy in AWS for IAM grants excessive permissions to users or roles, it can lead to security risks. For example, if a policy allows unrestricted access to sensitive resources or actions, it can result in unauthorized access or data breaches.

  • Misconfigured policies: If the policy created with CreatePolicy in AWS for IAM is misconfigured, it can introduce security vulnerabilities. For instance, if the policy includes incorrect resource identifiers or allows unintended actions, it can lead to unauthorized access or unintended privilege escalation.

  • Lack of least privilege: If the policy created with CreatePolicy in AWS for IAM does not follow the principle of least privilege, it can impact security. For example, if the policy grants broad permissions instead of only the necessary ones, it increases the attack surface and potential impact of compromised credentials.

Remediation

Using Console

  1. Example 1: Unused IAM User
  • Step 1: Log in to the AWS Management Console.
  • Step 2: Go to the IAM service.
  • Step 3: Click on “Users” in the left navigation pane.
  • Step 4: Identify the unused IAM user from the list.
  • Step 5: Select the unused IAM user.
  • Step 6: Click on the “Delete User” button.
  • Step 7: Confirm the deletion by clicking on “Yes, Delete”.
  1. Example 2: Overprivileged IAM User
  • Step 1: Log in to the AWS Management Console.
  • Step 2: Go to the IAM service.
  • Step 3: Click on “Users” in the left navigation pane.
  • Step 4: Identify the overprivileged IAM user from the list.
  • Step 5: Select the overprivileged IAM user.
  • Step 6: Click on the “Permissions” tab.
  • Step 7: Review the attached policies and remove any unnecessary or excessive permissions.
  • Step 8: Click on “Attach Policies” to add more restrictive policies if needed.
  1. Example 3: IAM User with Inactive MFA
  • Step 1: Log in to the AWS Management Console.
  • Step 2: Go to the IAM service.
  • Step 3: Click on “Users” in the left navigation pane.
  • Step 4: Identify the IAM user with inactive MFA from the list.
  • Step 5: Select the IAM user.
  • Step 6: Click on the “Security credentials” tab.
  • Step 7: Under “Assigned MFA device”, click on “Manage”.
  • Step 8: Follow the instructions to activate MFA for the user, either by virtual MFA device or hardware MFA device.

Using CLI

  1. Ensure IAM users have strong passwords:

    • Use the update-login-profile command to enforce a strong password policy for IAM users: 
      aws iam update-login-profile --user-name <user-name> --password <new-password> --password-reset-required

  2. Enable multi-factor authentication (MFA) for IAM users:

    • Use the enable-mfa-device command to enable MFA for IAM users: 
      aws iam enable-mfa-device --user-name <user-name> --serial-number <mfa-serial-number> --authentication-code1 <code1> --authentication-code2 <code2>

  3. Regularly rotate access keys for IAM users:

    • Use the create-access-key command to generate a new access key for an IAM user: 
      aws iam create-access-key --user-name <user-name>
    • Use the delete-access-key command to delete the old access key: 
      aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>

Using Python

  1. Ensure IAM users have strong passwords:
    • Use the boto3 library in Python to retrieve a list of IAM users.
    • For each user, check if their password is strong by validating it against a set of password complexity rules.
    • If a user’s password is weak, use the update_login_profile method to force a password reset for that user.
import boto3
import re

def check_password_complexity(password):
    # Implement your password complexity rules here
    # Example: Password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, and one digit
    if len(password) < 8 or not re.search(r'[A-Z]', password) or not re.search(r'[a-z]', password) or not re.search(r'\d', password):
        return False
    return True

def remediate_weak_passwords():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    
    for user in users:
        login_profile = iam_client.get_login_profile(UserName=user['UserName'])
        if 'LoginProfile' in login_profile:
            password = login_profile['LoginProfile'].get('Password')
            if password and not check_password_complexity(password):
                iam_client.update_login_profile(UserName=user['UserName'], PasswordResetRequired=True)

remediate_weak_passwords()
  1. Enable multi-factor authentication (MFA) for IAM users:
    • Use the boto3 library in Python to retrieve a list of IAM users.
    • For each user, check if MFA is enabled by calling the list_mfa_devices method.
    • If MFA is not enabled, use the enable_mfa method to enable it for the user.
import boto3

def remediate_missing_mfa():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    
    for user in users:
        mfa_devices = iam_client.list_mfa_devices(UserName=user['UserName'])['MFADevices']
        if not mfa_devices:
            iam_client.enable_mfa(UserName=user['UserName'])

remediate_missing_mfa()
  1. Remove unused IAM access keys:
    • Use the boto3 library in Python to retrieve a list of IAM users.
    • For each user, check if they have any access keys by calling the list_access_keys method.
    • If the user has unused access keys (not used in the last 90 days), use the delete_access_key method to remove them.
import boto3
from datetime import datetime, timedelta

def remediate_unused_access_keys():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    cutoff_date = datetime.now() - timedelta(days=90)
    
    for user in users:
        access_keys = iam_client.list_access_keys(UserName=user['UserName'])['AccessKeyMetadata']
        for access_key in access_keys:
            last_used = access_key.get('LastUsedDate')
            if last_used and last_used < cutoff_date:
                iam_client.delete_access_key(UserName=user['UserName'], AccessKeyId=access_key['AccessKeyId'])

remediate_unused_access_keys()