Defining Resources in IAM Policies

Restricting Full Administrative Access
IAM policies drive the architecture within your AWS environment. The scope of these policies needs to be appropriately restricted, especially when it comes to administrative access. Following the industry standard of least privilege, recommendation 1.22 of the CIS AWS Foundations Benchmark states that IAM policies that allow full administrative privileges should not be created. Specifically, IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*" should be removed.

For more information, visit the AWS example policies for administering IAM resources

Identity and Access Management within AWS is a complex topic. When creating policies, users should ensure that policies are not created that have unrestricted access to all resources. When policies are created, users should ensure that each policy has a defined resource attached to the policy. By ensuring that each policy has a defined resource, users have implemented good logical access control in ensuring that least privilege is defined with the accessing of resources.

Related Videos