Drata validates that no AWS IAM policies allowing broad access patterns or wildcard permissions (for example, an Action or Resource of '*') are in use.
IAM policies are the means by which privileges are granted to users, groups, or roles. It is standard security advice to grant least privilege, that is, to grant only the permissions required to perform a task. Determine what users need to do, then craft policies that let them perform only those tasks, instead of allowing full administrative privileges.
It is more secure to start with a minimal set of permissions and add permissions as they are needed than to start with permissions that are too permissive and try to tighten them later. Granting full administrative privileges instead of the minimum set of permissions the user actually needs exposes resources to unwanted actions, and turns the compromise of any one credential into account-wide access.
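The check below is an added example of how to recognise the statements this test is about; it is not Drata's own implementation. It evaluates policy documents as JSON, so the sample policies are constructed inline and the script runs offline. In practice you would feed it the documents returned by iam:GetPolicyVersion (managed policies) or iam:GetUserPolicy / iam:GetGroupPolicy / iam:GetRolePolicy (inline policies). It goes slightly beyond the page's "*" example: service-wide wildcards such as s3:*, prefix wildcards such as ec2:Describe*, and the Allow+NotAction pattern are also reported, and a Deny statement with a wildcard is deliberately ignored because it narrows access rather than widening it. The severity labels and the bucket name are the example's own choices.

```python
"""Flag overly broad Allow statements in AWS IAM policy documents.

Added example for this page (not Drata's check). Policy documents below are
constructed for illustration; pull real ones from the IAM API.
"""
import json


def _as_list(value):
    """IAM lets Action/NotAction/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def action_breadth(action):
    """Classify one action string. IAM matches action names case-insensitively."""
    action = action.lower()
    if action == "*":
        return "all-actions"
    _service, _, name = action.partition(":")
    if name == "*":
        return "all-actions-in-service"      # e.g. s3:*
    if "*" in name or "?" in name:
        return "action-wildcard"             # e.g. ec2:Describe*
    return "specific"


def broad_statements(policy):
    """Return one finding per Allow statement that grants wildcard or broad access.

    Severity (chosen for this example): "critical" for "*" on Resource "*"
    (full administrative access), "high" for Allow+NotAction, "*" on a named
    resource, or a service-wide wildcard on Resource "*", "medium" otherwise.
    Deny statements are skipped: a wildcard there restricts rather than grants.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        any_resource = "*" in _as_list(stmt.get("Resource"))
        kinds = {a: action_breadth(a) for a in _as_list(stmt.get("Action"))}
        wild = {a: k for a, k in kinds.items() if k != "specific"}
        not_action = "NotAction" in stmt   # Allow + NotAction = everything except the listed actions
        if not wild and not not_action:
            continue
        breadths = set(wild.values())
        if "all-actions" in breadths and any_resource:
            severity = "critical"
        elif not_action or "all-actions" in breadths or (
                "all-actions-in-service" in breadths and any_resource):
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "statement": stmt.get("Sid", f"Statement[{idx}]"),
            "severity": severity,
            "wildcard_actions": sorted(wild),
            "not_action": not_action,
            "resource_wildcard": any_resource,
        })
    return findings


# Constructed sample policies (not taken from any real account).
FULL_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The common "it just needs S3" policy: every S3 action on every bucket.
S3_ANYWHERE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}

# Looks restrictive, but grants every action outside iam:* and organizations:*.
NOT_ACTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}

# Least-privilege replacement for S3_ANYWHERE: named actions on one named bucket.
S3_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-app-uploads"},
    {"Sid": "ObjectRW", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}


def report(name, policy):
    """Print a PASS/FAIL line per policy plus each finding, and return the findings."""
    findings = broad_statements(policy)
    print(f"{name}: {'FAIL' if findings else 'PASS'}")
    for finding in findings:
        print("  " + json.dumps(finding))
    return findings


if __name__ == "__main__":
    for name, pol in [("FULL_ADMIN", FULL_ADMIN), ("S3_ANYWHERE", S3_ANYWHERE),
                      ("NOT_ACTION", NOT_ACTION), ("S3_SCOPED", S3_SCOPED)]:
        report(name, pol)
```

The S3_SCOPED document is the shape the remediation should converge on: each statement names the actions and the resource ARN it applies to, and the only wildcard left is in a Deny. Note that a policy can pass this statement-level check and still be too broad for its purpose (s3:GetObject on a bucket the principal never reads); the check catches the pattern the test flags, not every least-privilege violation.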
ASSOCIATED DRATA CONTROL
This test is part of the Principle of Least Privilege control (DCF-776) that ensures your company assigns permissions through groups or roles based on the principle of least privilege and limits the use of wild-card permissions or broad-access patterns.
WHAT TO DO IF A TEST FAILS
The test fails if Drata finds any AWS IAM policy that allows broad access patterns or wildcard permissions. Such a policy grants far more than the users, groups, or roles it is attached to need, and exposes your resources to unwanted actions.
STEPS TO REMEDIATE
Sign in to the AWS Management Console and open the IAM Console.
In the navigation pane, click 'Policies' and then search for the names of failing policies.
Before deleting a failing policy, detach it from every user, group, and role it is attached to. If any of those principals still need part of that access, first attach a replacement policy scoped to the specific actions and resources they require, so that detaching the failing policy does not break a workload.
Delete each newly detached policy. A customer-managed policy with more than one version cannot be deleted until its non-default versions have been deleted; AWS-managed policies (those under arn:aws:iam::aws:policy/) can only be detached, not deleted.
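The same detach-then-delete procedure, scripted for one managed policy, as an added example rather than Drata's or AWS's own tooling. The plan-building functions are pure and run offline against a constructed ListEntitiesForPolicy response and version list, which is why the sample ARN, user, group and role names below are invented; execute() is the only part that needs boto3 and IAM credentials, and it defaults to a dry run that prints the calls it would make. It covers the two details the console steps leave implicit: all three principal types (users, groups, roles) with pagination, and the non-default policy versions that must go before DeletePolicy succeeds.

```python
"""Plan (and optionally run) detach-then-delete for a failing IAM managed policy.

Added example for this page, not Drata's or AWS's code. Sample data is constructed.
"""

AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"   # AWS-managed policies cannot be deleted


def plan_detach(policy_arn, pages):
    """Turn ListEntitiesForPolicy response pages into (iam_method, kwargs) calls.

    Each page has the boto3 response shape: PolicyUsers / PolicyGroups / PolicyRoles
    lists (IsTruncated and Marker are handled by the paginator, so they are ignored here).
    """
    calls = []
    for page in pages:
        for user in page.get("PolicyUsers", []):
            calls.append(("detach_user_policy",
                          {"UserName": user["UserName"], "PolicyArn": policy_arn}))
        for group in page.get("PolicyGroups", []):
            calls.append(("detach_group_policy",
                          {"GroupName": group["GroupName"], "PolicyArn": policy_arn}))
        for role in page.get("PolicyRoles", []):
            calls.append(("detach_role_policy",
                          {"RoleName": role["RoleName"], "PolicyArn": policy_arn}))
    return calls


def plan_delete(policy_arn, versions):
    """DeletePolicy fails while non-default versions exist, so delete those first.

    `versions` is the "Versions" list from ListPolicyVersions. Returns [] for an
    AWS-managed policy, which can only be detached.
    """
    if policy_arn.startswith(AWS_MANAGED_PREFIX):
        return []
    calls = [("delete_policy_version", {"PolicyArn": policy_arn, "VersionId": v["VersionId"]})
             for v in versions if not v.get("IsDefaultVersion")]
    calls.append(("delete_policy", {"PolicyArn": policy_arn}))
    return calls


def execute(policy_arn, dry_run=True):
    """Fetch attachments and versions from IAM, then apply the plan (or print it)."""
    import boto3  # imported lazily so the planning functions stay usable offline
    iam = boto3.client("iam")
    pages = iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=policy_arn)
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    plan = plan_detach(policy_arn, list(pages)) + plan_delete(policy_arn, versions)
    for method, kwargs in plan:
        print(("DRY-RUN " if dry_run else "") + f"{method} {kwargs}")
        if not dry_run:
            getattr(iam, method)(**kwargs)
    return plan


# Constructed sample data standing in for the IAM API responses.
SAMPLE_ARN = "arn:aws:iam::123456789012:policy/LegacyAdmin"
SAMPLE_PAGES = [
    {"PolicyUsers": [{"UserName": "deploy-bot"}], "PolicyGroups": [], "PolicyRoles": [],
     "IsTruncated": True, "Marker": "page2"},
    {"PolicyUsers": [], "PolicyGroups": [{"GroupName": "Developers"}],
     "PolicyRoles": [{"RoleName": "ci-runner"}], "IsTruncated": False},
]
SAMPLE_VERSIONS = [{"VersionId": "v1", "IsDefaultVersion": False},
                   {"VersionId": "v2", "IsDefaultVersion": True}]


def sample_plan():
    """The full remediation plan for the constructed sample, in execution order."""
    return plan_detach(SAMPLE_ARN, SAMPLE_PAGES) + plan_delete(SAMPLE_ARN, SAMPLE_VERSIONS)


if __name__ == "__main__":
    for method, kwargs in sample_plan():
        print(f"{method} {kwargs}")
```

Run execute(arn) first with the default dry_run=True and review the printed plan against your change ticket; only then rerun with dry_run=False. Because the plan detaches before it deletes, a failure part-way through leaves the policy in place but attached to fewer principals, which is safe to resume.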
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark, which provides prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.