Policies with NotAction in the Statements

Using Console

Using CLI

To remediate the misconfiguration of policies with NotAction in the statements in AWS IAM using AWS CLI, follow these steps:

Identify the policies that contain NotAction in their statements. You can use the AWS CLI command list-policies to list all the policies in your AWS account.
```
aws iam list-policies
```
Note down the ARN or name of the policies that have NotAction in their statements.
Retrieve the policy document for each identified policy using the AWS CLI command get-policy-version. Replace <policy-arn> with the ARN of the policy you want to retrieve.
```
aws iam get-policy-version --policy-arn <policy-arn> --version-id v1
```
Note down the Document field value from the command output, as it contains the policy document.

Edit the policy document to remove the NotAction statement. You can use a text editor or a JSON editor to modify the policy document. Remove the NotAction field from each statement that contains it. For example, if the policy document looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "NotAction": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}

Modify it to remove the NotAction field:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}

Once you have edited the policy document, save the changes.
Update the policy with the modified policy document using the AWS CLI command create-policy-version. Replace <policy-arn> with the ARN of the policy you want to update, and <modified-policy-document> with the path to the modified policy document JSON file.
```
aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://<modified-policy-document> --set-as-default
```
This command creates a new version of the policy with the modified policy document and sets it as the default version.
Verify that the policy has been updated by checking the policy version using the AWS CLI command get-policy-version. Replace <policy-arn> with the ARN of the policy you updated.
```
aws iam get-policy-version --policy-arn <policy-arn> --version-id v2
```
Ensure that the Document field in the output matches the modified policy document.
Repeat steps 3-6 for each policy identified in step 1 that contains NotAction in its statements.

By following these steps, you can remediate the misconfiguration of policies with NotAction in the statements in AWS IAM using AWS CLI.

Using Python

To remediate the issue of policies with NotAction in the statements in AWS IAM using Python, follow these steps:

Install the required dependencies:
- Install the AWS SDK for Python (Boto3) using the command: pip install boto3
Configure your AWS credentials:
- Open the AWS Management Console and go to the IAM service.
- Create an IAM user with the necessary permissions to modify IAM policies.
- Generate an access key and secret access key for the IAM user.
- Configure your AWS credentials by running the command: aws configure and provide the access key, secret access key, and region.
Write a Python script to remediate the misconfigured policies. Below is an example script:

import boto3

def remediate_policies():
    # Create an IAM client
    iam_client = boto3.client('iam')

    # List all the policies in IAM
    response = iam_client.list_policies()

    # Iterate through each policy
    for policy in response['Policies']:
        # Get the policy details
        policy_arn = policy['Arn']
        policy_version = iam_client.get_policy(PolicyArn=policy_arn)['Policy']['DefaultVersionId']
        policy_document = iam_client.get_policy_version(PolicyArn=policy_arn, VersionId=policy_version)['PolicyVersion']['Document']

        # Check if the policy contains a NotAction statement
        if 'NotAction' in policy_document['Statement']:
            # Remove the NotAction statement from the policy
            policy_document['Statement'].pop('NotAction')

            # Update the policy with the modified document
            iam_client.create_policy_version(
                PolicyArn=policy_arn,
                PolicyDocument=policy_document,
                SetAsDefault=True
            )

            print(f"Policy {policy_arn} has been remediated.")

remediate_policies()

Run the Python script:
- Save the script in a file, for example, remediate_policies.py.
- Open a terminal or command prompt and navigate to the directory containing the script.
- Run the command: python remediate_policies.py.

The script will iterate through all the policies in your AWS account and remove the NotAction statement from any policies that contain it. The modified policies will be updated with the new version, replacing the old version.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Policies with NotAction in the Statements

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation