AWS IAM is the Identity & Access Management service that lets you control access to your AWS resources. Certain practices around the privileges granted in IAM policies should be followed so that your cloud infrastructure is not exposed to security attacks.
What are administrative privileges in AWS IAM policy?
AWS provides IAM policies, which allow you to grant only task-related permissions to the different users across your cloud infrastructure, depending on the type of tasks assigned to them. IAM policies can be attached to different entities such as users, groups or roles. Administrative privileges in an IAM policy mean that any entity the policy is attached to can perform any activity across the entire cloud infrastructure and has unrestricted access to all AWS resources.
Restricting admin privileges to just any user:
It is recommended that you do not grant administrative privileges in an IAM policy to just any user. Instead, policies should be written so that only the set of permissions required to complete the given task is assigned to the users.
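As an added example (not Centilytics' own code), the following Python script implements the check this page describes: it flags a customer managed policy as carrying administrative privileges when an Allow statement grants every action (`*` or `*:*`) on every resource (`*`). The policy documents are constructed samples; the "Critical"/"Ok" labels follow the severity types the insight uses and are an assumption.

```python
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    # IAM JSON allows Statement, Action and Resource to be a scalar or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_policy(document: Dict[str, Any]) -> bool:
    # Flags the "full *:* administrative privileges" shape: an Allow statement
    # whose Action covers everything and whose Resource is "*".
    # NotAction / NotResource forms are not examined here (a known gap of this check).
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a for a in _as_list(stmt.get("Action")) if isinstance(a, str)}
        resources = {r for r in _as_list(stmt.get("Resource")) if isinstance(r, str)}
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False


def classify(policies: Dict[str, str]) -> Dict[str, str]:
    # Policy name -> "Critical" (admin privileges found) or "Ok" (none found).
    return {name: ("Critical" if is_admin_policy(json.loads(doc)) else "Ok")
            for name, doc in policies.items()}


# Constructed sample customer managed policy documents (not from a real account).
# In practice the document of the policy's default version is what gets inspected.
SAMPLE_POLICIES = {
    "FullAdmin": json.dumps({"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "*", "Resource": "*"}}),
    "FullAdminListForm": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["*:*"], "Resource": ["*"]}]}),
    "DenyEverything": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]}),
    "ReportsBucketReadOnly": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}),
}

if __name__ == "__main__":
    for name, severity in classify(SAMPLE_POLICIES).items():
        print(f"{severity:8} {name}")
```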
Centilytics has a dedicated insight which checks and gives warnings to the user whenever an AWS IAM policy with administrative privilege is detected.
Insight Description:
There can be 2 possible scenarios:
| Severity | Description |
|---|---|
| (severity icon) | This indication will be displayed when the customer managed policy does not have administrative privileges attached to it. |
| (severity icon) | This indication will be displayed when the customer managed policy has administrative privileges attached to it. |
The further columns are described as follows:
- Account Id: This column shows the respective account ID of the user’s account.
- Account Name: This column shows the account name of the user’s account.
- Identifier: This column shows the unique ARN (Amazon Resource Name) of your AWS account.
- Policy Name: This column shows the name of the corresponding IAM policy.
- Version Id: This column shows the version id of your IAM policies.
Filters applicable:
| Filter Name | Description |
|---|---|
| Account Id | Applying the account Id filter will display data for the selected account Id. |
| Compliance | Applying the compliance filter will display only those security checks which fall under the selected compliance. |
| Severity | Applying the severity filter will display resources according to the selected severity type, i.e. selecting Critical will display all resources with Critical severity. The same applies to the Warning and Ok severity types. |
| Resource Tags | Applying the resource tags filter will display those resources which have been assigned the selected resource tag. For example, a user has tagged some public snapshots with a resource tag named environment. Selecting environment from the resource tags filter will then display all those resources tagged with the tag name environment. |
| Resource Tags Value | Applying the resource tags value filter will display data which has the selected resource tag value. For example, let's say a user has tagged some resources with a tag named environment that has the value production (environment: production). The user can then view data for all the resources which have the "environment:production" tag assigned. The tag value filter can only be used once a tag name has been provided. |
Compliances Covered:
| Compliance Name | Reference No. | Link |
|---|---|---|
| PCI | 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7. | https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html |
| HIPAA | 164.308(a)(4)(i) | https://aws.amazon.com/quickstart/architecture/compliance-hipaa/ |
| ISO 27001 | A.9.1.2 | https://www.iso.org/standard/54534.html |
| GDPR | Article 25 | https://gdpr-info.eu/ |
| NIST 800-53 | AC-5, AC-6, CM-7 | https://docs.aws.amazon.com/quickstart/latest/compliance-nist/welcome.html |
| CIS 1.1.0 | – | https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf |
Read more about AWS IAM and its policies.