AWS AdministratorAccess policy is used by IAM roles, users, or groups
Description
This rule checks for IAM roles, users, and groups that have the AWS managed `AdministratorAccess` policy (`arn:aws:iam::aws:policy/AdministratorAccess`) attached. It is a security best-practice check intended to avoid granting excessive permissions to users, roles, or groups. `AdministratorAccess` allows every action on every AWS resource (its policy document is a single `Allow` statement with `"Action": "*"` and `"Resource": "*"`), so any principal that holds it, or any attacker who obtains that principal's credentials, can read, modify, or delete anything in the account, whether through deliberate misuse or by mistake. This raises the risk of data breaches and security compromises. Grant each principal only the actions and resources it needs to perform its task, following the principle of least privilege.
Remediation
Terraform
- Resource: "aws_iam_role", "aws_iam_policy_attachment", "aws_iam_role_policy_attachment", "aws_iam_user_policy_attachment", "aws_iam_group_policy_attachment", "aws_ssoadmin_managed_policy_attachment"
- Arguments: managed_policy_arns, policy_arn, managed_policy_arn
To fix this issue, replace the `AdministratorAccess` attachment with specific, least-privilege IAM policies on your IAM roles, users, and groups. Define a customer-managed policy (for example with `aws_iam_policy`) that lists only the actions and resources the principal actually needs, and attach that policy's ARN in place of `arn:aws:iam::aws:policy/AdministratorAccess` in the `managed_policy_arns`, `policy_arn`, or `managed_policy_arn` argument of the resources listed above.
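The following Terraform, added here as an illustration and not taken from the original page or from any project's code, shows the attachment pattern this rule flags next to a least-privilege replacement. The resource names, the bucket name, the EC2 trust relationship, and the chosen S3 actions are assumptions made for the example.

```hcl
# Added example (not from the original page). Names such as "app-deployer",
# "example-deploy-bucket" and the EC2 trust policy are assumptions.

# --- Non-compliant: both of these attach AdministratorAccess and are flagged

resource "aws_iam_role" "deployer_bad" {
  name               = "app-deployer-bad"
  assume_role_policy = data.aws_iam_policy_document.assume_ec2.json
  # Listing the AWS managed admin policy inline is flagged.
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}

resource "aws_iam_role_policy_attachment" "deployer_bad_attach" {
  role       = aws_iam_role.deployer_bad.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" # flagged
}

# --- Compliant: a customer-managed policy scoped to the task ---------------

# Trust policy: only EC2 instances may assume the deployer role.
data "aws_iam_policy_document" "assume_ec2" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Permissions policy: list one bucket, read and write objects in it, nothing else.
data "aws_iam_policy_document" "deployer" {
  statement {
    sid       = "ListDeployBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-deploy-bucket"]
  }
  statement {
    sid       = "ReadWriteDeployObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::example-deploy-bucket/*"]
  }
}

resource "aws_iam_policy" "deployer" {
  name   = "app-deployer-least-privilege"
  policy = data.aws_iam_policy_document.deployer.json
}

resource "aws_iam_role" "deployer" {
  name               = "app-deployer"
  assume_role_policy = data.aws_iam_policy_document.assume_ec2.json
}

resource "aws_iam_role_policy_attachment" "deployer" {
  role       = aws_iam_role.deployer.name
  policy_arn = aws_iam_policy.deployer.arn # scoped policy instead of AdministratorAccess
}

# The same scoped policy is what users and groups should receive as well.
resource "aws_iam_user" "ci" {
  name = "ci-deployer"
}

resource "aws_iam_user_policy_attachment" "ci" {
  user       = aws_iam_user.ci.name
  policy_arn = aws_iam_policy.deployer.arn
}

resource "aws_iam_group" "deployers" {
  name = "deployers"
}

resource "aws_iam_group_policy_attachment" "deployers" {
  group      = aws_iam_group.deployers.name
  policy_arn = aws_iam_policy.deployer.arn
}
```

Two practical notes. First, the rule matches on the policy ARN, so the fix is to change what is attached, not to rename the attachment resource; a role that still lists `arn:aws:iam::aws:policy/AdministratorAccess` anywhere in `managed_policy_arns` remains non-compliant. Second, if you migrate away from `aws_iam_policy_attachment`, remember that that resource is exclusive: it detaches the policy from every role, user, and group not listed in it, so prefer the per-principal `aws_iam_role_policy_attachment`, `aws_iam_user_policy_attachment`, and `aws_iam_group_policy_attachment` resources shown above to avoid unintentionally removing access elsewhere.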
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0322 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_274 |