Extra User Admins

This plugin makes sure that there are a minimal amount of IAM admins in the account.

Risk Level: Medium

Description: 

This plugin makes sure that there are a minimal amount of IAM admins in the account. It checks if the number of admins is in the specified range.

PingSafe strongly recommends keeping minimum users with admin permissions but ensuring other IAM users have more limited permissions.

About the Service :

AWS ID and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, AWS users and groups can be established and managed and permissions used to enable access by AWS resources and prohibit them.

We can discover and adjust the rules so that only the services are accessible. We can thus adhere better to the less privileged principle.

Impact : 

If more users have administrative authorization or authorization to create, modify or remove any resource, access any data within the AWS environment, and use any service or component their actions can lead to severe security problems, data leaks, data loss, or unexpected charges on your AWS bill.

Compliances covered :

Steps to reproduce :

  1. Login to AWS Management Console.
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Click on Users in the left navigation panel under the Identity and Access Management (IAM) heading.
  4. Click on the user you want to examine. Then under Permissions, check if there is an Administrator access policy in the Permission Policy.
  5. If the Administrator access policy is present in the Permission Policy, this suggests that the user has admin privileges.
  6. Repeat the same procedure for other users as well.

Steps for remediation :

  1. Login to AWS Management Console.
  2. Navigate to the IAM dashboard.
    https://console.aws.amazon.com/iam 
  3. Click on Users in the left navigation panel under the Identity and Access Management (IAM) heading.
  4. Click on the user you want to examine. Then under Permissions, check if there is an Administrator access policy in the Permission Policy.
  5. If the Administrator access policy is present in the Permission Policy, this suggests that the user has admin privileges.
  6. Remove the administrative privileges by clicking on the cross on the left of the policy name.
  7. Repeat the same procedure for other users as well.

References: