
IAM Policies With Full Administrative Privileges and MFA questions

0

Hello.

I have a question about IAM Policies With Full Administrative Privileges.

Some CSPM (Cloud Secure Posture Management) and AWS Security Hub have a control "IAM policies should not allow full "*" administrative privileges". This control checks whether the default version of IAM policies has administrator access by including a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*". The control fails if you have IAM policies with such a statement.

Usually, we have a cloud admin team, so we create an IAM group for this team with AWS Managed Policy "AdministratorAccess" attached, or we create a role with "AdministratorAccess" attached. But, in this way CSPM and AWS Security Hub mark this control as failed.

My questions are:

  1. If we have a cloud team that needs access to all aws resources for creation, deletion, modification actions, which policy or permission should be assigned in order to accomplish this control "IAM policies should not allow full "*" administrative privileges"?
  2. Could we create a role with the AdministratorAccess policy and an IAM group with assume permissions in the same account, so that when IAM users enter the AWS Console they first have to assume/switch role in the same account to get admin access?
  3. Is there any way to enforce MFA for all users/groups? If so, will all access keys ask for MFA in the AWS CLI? But if my IAM user is used for a service/application, how could I avoid MFA or work with MFA in the AWS CLI?

Thank you.

2 Answers
0

Hi,

To your questions:

  1. Based on your requests, you should have very strict naming conventions for your AWS resources. You can then relate those resources to your different teams and grant each team full access only to the resources that match the naming pattern corresponding to that team's authorizations.
  2. Yes, you can switch roles when logging in with the console. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html It is a best practice to avoid assigning credentials to IAM users and to force them to switch role when logging in with the console.
  3. Yes, you can enforce the existence of MFA at console sign-in: https://docs.aws.amazon.com/singlesignon/latest/userguide/how-to-configure-mfa-device-enforcement.html You can also enforce its use from CLI: see https://repost.aws/knowledge-center/mfa-iam-user-aws-cli and https://repost.aws/knowledge-center/authenticate-mfa-cli

Best,

Didier

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
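As an added illustration (not code from this thread or from AWS), the Python below reproduces the condition the IAM.1 control described in the question looks for, and shows that a customer managed policy which only lets a group assume a dedicated admin role, as the answer recommends, does not trigger it. The policy documents, account ID and role name are constructed placeholders.

```python
import json

# Constructed sample policy documents (not from the thread); ARN/account are placeholders.
# 1) The AdministratorAccess statement shape: Allow "*" on "*".
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# 2) Only lets members assume a dedicated admin role (with MFA); the role, not this
#    policy, carries AdministratorAccess, so IAM.1 does not flag it.
ASSUME_ADMIN_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::123456789012:role/CloudAdminRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
# 3) Service-wide wildcard: broad, but not "*" on "*", so IAM.1 passes it.
S3_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
}

def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_full_admin(policy_document) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*" (the IAM.1 condition).
    Accepts a dict or the JSON string form of a policy document."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

def audit_policies(policies: dict) -> dict:
    """Map each policy name to PASSED/FAILED the way Security Hub reports IAM.1."""
    return {name: ("FAILED" if grants_full_admin(doc) else "PASSED")
            for name, doc in policies.items()}
```

Note that, per the [IAM.1] documentation quoted in the second answer, the real control evaluates only customer managed policies; the function above is applied to whatever documents you hand it.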
0

Hello,

I would like to know whether you have done this or are planning to do so:

Usually, we have a cloud admin team, so we create an IAM group for this team with AWS Managed Policy "AdministratorAccess" attached, or we create a role with "AdministratorAccess" attached. But, in this way CSPM and AWS Security Hub mark this control as failed.

Because I saw in "[IAM.1] IAM policies should not allow full "*" administrative privileges" that the control only checks the customer managed policies that you create. It does not check inline and AWS managed policies.

So I think "create an IAM group for this team with AWS Managed Policy "AdministratorAccess" attached, or we create a role with "AdministratorAccess" attached" can solve your first and second questions.

About "Is there any way for MFA enforcement for all users/groups?": I don't think there is a way to do this from what I know so far. The current official tutorial is to create a policy and then associate it with a user group to restrict it; you can try to separate the user group used for the application from the rest of the user groups.

answered 2 years ago
