Tips for reviewing AWS Identity and Access Management (IAM) policies
IAM Policies are powerful and subtle, so it’s important to study and understand the permissions that are granted by each policy. Use the following guidelines when reviewing IAM policies.
1. As a best practice, attach policies to groups instead of to individual users. If an individual user has a policy, make sure you understand why that user needs the policy.
2. Make sure that IAM users, groups, and roles have only the permissions that they need.
3. Use the IAM Policy Simulator to test policies that are attached to users or groups.
4. Remember that a user’s permissions are the result of all applicable policies — user policies, group policies, and resource-based policies (on Amazon S3 buckets, Amazon SQS queues, Amazon SNS topics, and AWS KMS keys). It’s important to examine all the policies that apply to a user and to understand the complete set of permissions granted to an individual user.
5. Be aware that allowing a user to create an IAM user, group, role, or policy and attach a policy to the principal entity is effectively granting that user all permissions to all resources in your account. That is, users who are allowed to create policies and attach them to a user, group, or role can grant themselves any permissions. In general, do not grant IAM permissions to users or roles whom you do not trust with full access to the resources in your account. The following list contains IAM permissions that you should review closely:
- iam:PutGroupPolicy
- iam:PutRolePolicy
- iam:PutUserPolicy
- iam:CreatePolicy
- iam:CreatePolicyVersion
- iam:AttachGroupPolicy
- iam:AttachRolePolicy
- iam:AttachUserPolicy
6. Make sure policies don’t grant permissions for services that you don’t use.
7. Closely examine any values for the Action or Resource element that include *. It’s a best practice to grant Allow access to only the individual actions and resources that users need. However, the following are reasons that it might be suitable to use * in a policy:
- The policy is designed to grant administrative-level privileges.
- The wildcard character is used for a set of similar actions (for example, Describe*) as a convenience, and you are comfortable with the complete list of actions that are referenced in this way.
- The wildcard character is used to indicate a class of resources or a resource path (e.g., arn:aws:iam::account-id:users/division_abc/*), and you are comfortable granting access to all of the resources in that class or path.
- A service action does not support resource-level permissions, and the only choice for a resource is *.
8. Examine policy names to make sure they reflect the policy’s function. For example, although a policy might have a name that includes “read only,” the policy might actually grant write or change permissions.
9. If the policy grants a user permission to launch an Amazon EC2 instance, it might also allow the iam:PassRole action, but if so it should explicitly list the roles that the user is allowed to pass to the Amazon EC2 instance.
You can use the PassRole permission to restrict which role a user can pass to an Amazon EC2 instance when the user launches the instance. This helps prevent the user from running applications that have more permissions than the user has been granted—that is, from being able to obtain elevated privileges. For example, imagine that user Alice has permissions only to launch Amazon EC2 instances and to work with Amazon S3 buckets, but the role she passes to an Amazon EC2 instance has permissions to work with IAM and Amazon DynamoDB. In that case, Alice might be able to launch the instance, log into it, get temporary security credentials, and then perform IAM or DynamoDB actions that she's not authorized for.
To restrict which roles a user can pass to an Amazon EC2 instance, you create a policy that allows the PassRole action. You then attach the policy to the user (or to an IAM group that the user belongs to) who will launch Amazon EC2 instances. In the Resource element of the policy, you list the role or roles that the user is allowed to pass to Amazon EC2 instances. When the user launches an instance and associates a role with it, Amazon EC2 checks whether the user is allowed to pass that role. Of course, you should also ensure that the role that the user can pass does not include more permissions than the user is supposed to have.
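The checks above (the privilege-granting IAM actions in the list, wildcards in Action and Resource, and PassRole without an explicit role ARN) can be applied mechanically to a policy document before it is attached. The script below is an added example written for this article, not an AWS tool or code from the original post. It reviews two constructed policy documents: a weak one that allows iam:PassRole on Resource "*" and iam:AttachUserPolicy, and the restricted form in which PassRole lists a single role. The account ID 123456789012 and the role name WebServerRole are made-up values.

```python
"""Static review checks for IAM policy documents (illustrative example)."""
import fnmatch
import json

# Actions from the list above: a principal holding any of these can write
# or attach policies and so grant itself any permission in the account.
PRIVILEGE_GRANTING_ACTIONS = (
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
)


def _as_list(value):
    """Action and Resource may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and patterns may contain '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def review_statement(stmt):
    """Return (severity, message) findings for one Allow statement."""
    findings = []
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))

    for pattern in actions:
        if pattern == "*":
            findings.append(("high", "Action '*' grants every action"))
            continue  # the per-action checks below are implied by '*'
        for risky in PRIVILEGE_GRANTING_ACTIONS:
            if _matches(pattern, risky):
                findings.append(("high", f"Action {pattern!r} allows {risky}: "
                                 "holder can grant itself any permission"))
        if "*" in pattern:
            findings.append(("low", f"Action {pattern!r} is a wildcard: "
                             "confirm the full list of actions it expands to"))

    if "*" in resources:
        # PassRole must name the roles that may be passed (tip 9 above).
        if any(_matches(p, "iam:PassRole") for p in actions):
            findings.append(("high", "iam:PassRole with Resource '*': "
                             "any role in the account can be passed"))
        findings.append(("medium", "Resource '*': confirm the action lacks "
                         "resource-level permissions or this is intended"))
    return findings


def review_policy(policy):
    """Review every Allow statement of a policy document given as a dict.

    Deny statements are skipped because they can only remove permissions.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            findings.extend(review_statement(stmt))
    return findings


def highest_severity(findings):
    """Return 'high', 'medium', 'low' or None for an empty finding list."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((sev for sev, _ in findings), key=order.get, default=None)


# Constructed example of what the article warns about: PassRole on any
# resource, plus an action that lets the holder attach policies to users.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:Describe*", "iam:PassRole"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:AttachUserPolicy",
     "Resource": "arn:aws:iam::123456789012:user/*"}
  ]
}
""")

# Constructed example of the restricted form: PassRole names one role
# (made-up account ID and role name).
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:Describe*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/WebServerRole"}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("restricted", RESTRICTED_POLICY)):
        for severity, message in review_policy(policy):
            print(f"[{name}] {severity}: {message}")
```

Run against the weak policy, the script reports two high findings (PassRole on Resource "*" and iam:AttachUserPolicy), one medium finding for the bare Resource "*", and one low finding for the ec2:Describe* convenience wildcard. The restricted policy yields only the medium and low findings, which is the point of tip 7: a wildcard is something to confirm, not necessarily a defect.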
Thanks for taking the time to read my article🙂 If you enjoyed it and would like to see more content like this, please consider following me on Medium.