IAM policy uses the AWS AdministratorAccess policy
Description
This policy is designed to monitor for any use of the AWS AdministratorAccess policy within your infrastructure. The AdministratorAccess policy in Amazon Web Services (AWS) provides complete, unrestricted access to all resources in an AWS account. It's a built-in managed policy that attaches to an identity (user, group of users, or role) to determine what actions the identity can and cannot perform.
Granting AdministratorAccess policy is generally a bad practice for security reasons. It can lead to a variety of security risks, including misconfigurations or compromise leading to unauthorized access or data breaches. By overprovisioning permissions, it increases the potential attack surface for malicious users.
The principle of least privilege (POLP), an important computer security concept, advises that every module must be able to access only the information and resources that are necessary for its legitimate purpose. In other words, users should have the minimum levels of access necessary to complete their job functions.
It is always advisable to assign granular permissions, creating custom policies with specific access permissions rather than using AWS AdministratorAccess policy. This way, it significantly reduces the risk of accidental exposure or illicit activities.
Remediation
Terraform
- Resource: aws_iam_policy
- Arguments: name
To fix this issue, define least privilege access as per the necessity of the role or user. Instead of using the `AdministratorAccess` policy, use a more restricted managed policy or create a custom policy that only gives the permissions necessary for required tasks.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0323 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_275 |