Medium

IAM User with high privileged policies

Security & Compliance
No items found.
Description

When an IAM user is granted high privileged policies, it can lead to security risks. If an attacker manages to compromise such a user, they can perform any action allowed by those policies, leading to unauthorized access, data exfiltration, and other malicious activities. Therefore, it is essential to ensure that IAM users do not have excessive privileges granted to them.Some examples of high privileged policies that should be avoided are:AdministratorAccess or PowerUserAccessPolicies that include * in the resource or action sectionsPolicies that grant iam:* or iam:PassRole permissionsIt is recommended to grant IAM users the least privilege required to perform their intended actions. The principle of least privilege ensures that users can only perform actions necessary for their job function and nothing more. This helps reduce the attack surface and prevent unauthorized access.In addition to granting the least privilege, it is recommended to enable MFA (Multi-Factor Authentication) for IAM users and rotate their credentials regularly. It is also good practice to monitor and audit IAM activity logs to detect any suspicious activity.‍

Remediation

If an IAM user has been granted high privileged policies, it is recommended to follow the below steps to remediate the issue:

  1. Identify the IAM user(s) with high privileged policies and review their access to ensure it is appropriate and necessary.
  2. Modify or remove the policy to ensure that the IAM user has the minimum required privileges needed to perform their job function.
  3. Consider using IAM roles instead of IAM users to grant permissions as they have the advantage of automatically rotating the access keys and providing temporary security credentials.
  4. Enable AWS CloudTrail to log all user activity across all accounts and regions to detect and investigate any unauthorized activity.
  5. Consider using AWS Security Hub to get a comprehensive view of the security posture of your AWS environment and detect and remediate any security vulnerabilities.

Regular monitoring of IAM user policies and access is also essential to ensure that the IAM users have only the required access and privileges. It is also recommended to implement the principle of least privilege, which involves granting users only the minimum access required to perform their job functions.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.

Step into the Future of SecOps