Critical

IAM User with inline Admin access (*:*)

Security & Compliance
Description

IAM User with inline Admin access describes an IAM user that carries an inline policy (a policy embedded directly in the user object, as opposed to a managed policy attached to it) with an Allow statement on Action "*" (equivalently "*:*") and Resource "*". This is the same grant the AWS managed AdministratorAccess policy makes, so the user has full administrative control of the account: it can create, modify or delete any AWS resource and can manage every other IAM user, group and role, including its own permissions. Such a user is a high security risk. Its credentials (an access key pair or a console password) are long-lived rather than the short-lived session credentials a role issues, and anyone holding them, whether the intended user or an attacker, can cause accidental or intentional damage to the AWS environment, data leakage, or exposure of sensitive information.

Remediation

A user with an inline "*" on "*" policy can grant or revoke permissions for itself and for every other principal in the account, so there is no privilege escalation left for an attacker to perform: compromising that one user's access key or password is compromising the whole account. Inline policies are also easy to overlook, since they do not appear in the list of managed policies and cannot be reused or reviewed centrally. Here are the remediation steps:

  1. Identify the IAM users with inline admin access: for each user, list its inline policies (aws iam list-user-policies) and read each document (aws iam get-user-policy), looking for Allow statements whose Action is "*" or "*:*" and whose Resource is "*". Check attached managed policies as well (aws iam list-attached-user-policies), because AdministratorAccess grants the same access.
  2. Remove the inline admin policy from each affected user (aws iam delete-user-policy). If the user still needs some access to keep working, grant that narrower access first so the removal does not break a workload.
  3. Instead of inline policies on users, write customer-managed policies scoped to the specific actions and resources a task needs and attach them to IAM roles: humans assume the roles through federation or IAM Identity Center, workloads through instance profiles or STS. Assign permissions to the roles on the principle of least privilege.
  4. Use IAM Access Analyzer to validate the new policies and to find any remaining over-broad or unused access, and resolve what it reports.

By following these steps, the risk of privilege escalation by an IAM user can be significantly reduced. It is also recommended to review IAM policies and roles on a regular basis to ensure that access is properly managed and all users have the least privilege necessary to perform their job functions.
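The identification and removal steps above as one runnable script. This is an added example, not Lightlytics' code or an AWS tool: the detection runs offline over constructed sample policy documents (SAMPLE_USERS, standing in for list_user_policies/get_user_policy output); the --live and --delete flags and the fetch_inline_policies and remediate helpers are this example's own names, and only the boto3 calls list_users, list_user_policies, get_user_policy and delete_user_policy are real API operations. It goes one step beyond the "*:*" pattern in the title and also flags NotAction allows on Resource "*", which grant everything except the listed actions and are admin-equivalent in practice.

```python
"""Find IAM users whose inline policies grant admin ("*" or "*:*" on "*") and
optionally delete those policies. Added example, not Lightlytics code."""
import json
import urllib.parse
from typing import Any, Optional

WILDCARD_ACTIONS = {"*", "*:*"}  # IAM reads both as "every action of every service"


def _as_list(value: Any) -> list:
    """Statement, Action, NotAction and Resource may be one value or a list."""
    return [] if value is None else (list(value) if isinstance(value, list) else [value])


def admin_reason(stmt: dict) -> Optional[str]:
    """Why a statement is admin-equivalent, or None. Only Allow grants anything;
    a Condition narrows the grant without removing it, so it is reported, not excused."""
    if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
        return None
    suffix = " (narrowed by a Condition)" if "Condition" in stmt else ""
    if any(a in WILDCARD_ACTIONS for a in _as_list(stmt.get("Action"))):
        return "Action '*' on Resource '*'" + suffix
    excluded = _as_list(stmt.get("NotAction"))
    # "Allow everything except X" on every resource is admin-equivalent unless
    # the exclusion is itself the wildcard (which would then allow nothing).
    if "NotAction" in stmt and not any(e in WILDCARD_ACTIONS for e in excluded):
        return f"NotAction {excluded} on Resource '*' (allows every other action)" + suffix
    return None


def admin_statements(policy_document: dict) -> list[dict]:
    """Findings for every admin-equivalent statement in one policy document."""
    findings = []
    for index, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        reason = admin_reason(stmt)
        if reason:
            findings.append({"index": index, "sid": stmt.get("Sid"), "reason": reason})
    return findings


def audit_users(users: dict[str, dict[str, dict]]) -> list[dict]:
    """users maps user name -> {inline policy name -> policy document}."""
    return [{"user": user, "policy": name, **finding}
            for user, policies in users.items()
            for name, doc in policies.items()
            for finding in admin_statements(doc)]


# Constructed sample data standing in for list_user_policies/get_user_policy output.
SAMPLE_USERS = {
    "deploy-bot": {"DeployAdmin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    "analyst": {"ReadLogs": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["logs:Get*", "logs:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]}},  # Deny never grants
    "legacy-ops": {"AlmostAdmin": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}}},
}


def fetch_inline_policies(iam, user_name: str) -> dict[str, dict]:
    """Collect one user's inline policies through a boto3 IAM client (live mode only)."""
    docs = {}
    for page in iam.get_paginator("list_user_policies").paginate(UserName=user_name):
        for name in page["PolicyNames"]:
            doc = iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
            docs[name] = json.loads(urllib.parse.unquote(doc)) if isinstance(doc, str) else doc
    return docs


def remediate(iam, findings: list[dict], delete: bool = False) -> list[tuple]:
    """Step 2: delete each flagged inline policy; dry run unless delete=True."""
    targets = sorted({(f["user"], f["policy"]) for f in findings})
    if delete:
        for user, policy in targets:
            iam.delete_user_policy(UserName=user, PolicyName=policy)
    return targets


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv  # needs boto3 and credentials; sample mode otherwise
    iam = None
    if live:
        import boto3
        iam = boto3.client("iam")
        users = {u["UserName"]: fetch_inline_policies(iam, u["UserName"])
                 for page in iam.get_paginator("list_users").paginate() for u in page["Users"]}
    else:
        users = SAMPLE_USERS
    found = audit_users(users)
    for f in found:
        print(f"{f['user']}: inline policy {f['policy']} stmt {f['index']}: {f['reason']}")
    if live:
        for user, policy in remediate(iam, found, delete="--delete" in sys.argv):
            print(("deleted" if "--delete" in sys.argv else "would delete"), f"{user}/{policy}")
```

Run it with no arguments to audit the sample data; --live audits every user the current credentials can list (it needs iam:ListUsers, iam:ListUserPolicies and iam:GetUserPolicy), and --live --delete removes the flagged inline policies (iam:DeleteUserPolicy). Attached managed policies, including AdministratorAccess, are a separate check (list-attached-user-policies) and are not covered by this script.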

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.