How to Find Administrative Privileges in IAM Policies
Permissions Boundaries for IAM Policies
IAM policies drive the architecture within your AWS environment. The scope of these policies needs to be appropriately restricted, with permissions boundaries in place for users. Specifically, you must not create an excessive number of policies with full administrative privileges. In this demo, AWS expert Mike Wise looks at an IAM policy and shows you how to identify policies that have “allow all” administrative privileges.
- From the AWS Management Console, navigate to the IAM Dashboard, then click on the Policies section.
- When presented with a list of existing policies, click on the AdministratorAccess policy.
- Next, you’re on the Summary page for the AdministratorAccess policy. Under the Permissions tab, look at the JSON view of the policy document.
- You will see a policy document that allows all actions on all resources – “Action”: “*” and “Resource”: “*” – which is appropriate here, since this is the AdministratorAccess policy. The same two wildcards appearing together in an Allow statement of any other policy are the signature of unintended administrative access.
For a visual guide on how to find administrative privileges in IAM policies, watch the full demo.
We’re first going to need to log in to the AWS Management Console. Then, we’re going to do a quick search for “IAM.” This will take us to the IAM Management Console. From here, we’re going to look at the policies that are created. This screen allows you to see all of the policies that have been created within your environment. Now, one of the important things to note is that there are pre-defined policies that are created by AWS that you can use, and then there are self-generated policies that you can create and also use within AWS.
We’re going to look at the AdministratorAccess policy so you can see what a policy with full administrative privileges looks like. While this loads, let’s look at the JSON view of the policy. As you can see, we have a policy that allows all actions on all resources. The first * means all actions and the second * means on all resources. This policy says that whoever has it attached can perform any action on any resource in your AWS environment. It’s important that when you’re creating policies you’re cognizant of what the policy is being created for and you’re not allowing over-privileged access to your environment. If you want to allow access to only one S3 bucket, you need to make sure you specify that S3 bucket as the only resource you allow access to. Make sure you’re not using the star to allow all access, or that user will end up with privileges that were never intended.
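The console walkthrough above checks one policy at a time by eye. The script below is an added example, not code from the original demo, that applies the same test programmatically: it parses IAM policy documents and flags any policy containing an Allow statement whose Action and Resource are both the bare wildcard “*”. The four policy documents are constructed samples; only the first mirrors the AWS-managed AdministratorAccess policy shown in the console. The function and variable names are this example’s own.

```python
"""Flag IAM policy documents that grant full administrative privileges.

A policy is reported when any statement has Effect "Allow", an Action
list containing "*" and a Resource list containing "*". Service-scoped
wildcards such as "s3:*" are over-broad but are not full admin, so they
are deliberately not flagged here.
"""
import json


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single item or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def is_full_admin(statement):
    """True when the statement allows all actions on all resources."""
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return "*" in actions and "*" in resources


def find_admin_policies(policies):
    """Return the names of policies (name -> parsed document) that contain
    at least one full-admin Allow statement."""
    flagged = []
    for name, document in policies.items():
        statements = _as_list(document.get("Statement"))
        if any(is_full_admin(s) for s in statements):
            flagged.append(name)
    return flagged


# Constructed sample policy documents, as they would appear in the JSON
# view of the console or in get-policy-version output.
SAMPLE_POLICIES = {
    # Mirrors the AWS-managed AdministratorAccess policy: expected here.
    "AdministratorAccess": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
    }"""),
    # Properly scoped: two S3 actions on one named bucket only.
    "ReadOneBucket": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"]
        }]
    }"""),
    # Both wildcards, but Effect is Deny, so this is not an admin grant.
    "DenyEverything": json.loads("""{
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}
    }"""),
    # The admin grant is buried in the second statement of a longer list.
    "HiddenAdmin": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["ec2:Describe*", "*"],
             "Resource": ["*"]},
        ],
    },
}


if __name__ == "__main__":
    for name in find_admin_policies(SAMPLE_POLICIES):
        print(f"full administrative privileges: {name}")
```

Running the script reports AdministratorAccess and HiddenAdmin and stays silent on the bucket-scoped and Deny policies. Against a real account, the documents passed to `find_admin_policies` would come from `aws iam get-policy-version` (or boto3’s `get_policy_version`), which returns the same JSON structure the console’s JSON view displays.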