AWS Account Should Not Have Too Many Admins

More Info:

Your AWS account has too many admins.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Prevention
Cause
Remediation

How to Prevent

Using Console

To prevent having too many administrators in AWS IAM using the AWS Management Console, follow these steps:

Review IAM Users and Groups:
- Navigate to the IAM Dashboard in the AWS Management Console.
- Click on “Users” to review the list of IAM users.
- Click on “Groups” to review the list of IAM groups.
Identify Admin Privileges:
- For each user and group, check the attached policies.
- Look for policies that grant administrative privileges, such as AdministratorAccess.
Limit Admin Access:
- Reduce the number of users and groups with the AdministratorAccess policy.
- Assign more restrictive policies that grant only the necessary permissions for specific tasks.
Implement Least Privilege Principle:
- Create custom policies that provide only the permissions required for users to perform their job functions.
- Regularly review and update these policies to ensure they align with current needs and security best practices.

By following these steps, you can effectively manage and limit the number of administrators in your AWS account, thereby enhancing security.

Using CLI

To prevent having too many administrators in AWS IAM using the AWS CLI, you can follow these steps:

List Current IAM Users and Their Policies: First, identify all IAM users and their attached policies to understand who has administrative privileges.
```
aws iam list-users
aws iam list-attached-user-policies --user-name <user-name>
```
Identify Users with Admin Access: Check which users have policies that grant administrative access. Look for policies like AdministratorAccess.
```
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```
Create a Least Privilege Policy: Create a custom policy that grants only the necessary permissions instead of full administrative access.
```
aws iam create-policy --policy-name LeastPrivilegePolicy --policy-document file://least_privilege_policy.json
```

Attach the Least Privilege Policy and Detach Admin Policy: Attach the newly created least privilege policy to the necessary users and detach the AdministratorAccess policy.

aws iam attach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::<account-id>:policy/LeastPrivilegePolicy
aws iam detach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

By following these steps, you can ensure that only necessary permissions are granted to IAM users, thereby reducing the number of administrators in your AWS account.

Using Python

To prevent having too many administrators in AWS IAM using Python scripts, you can follow these steps:

List All IAM Users and Their Policies: Use the boto3 library to list all IAM users and their attached policies. This will help you identify users with administrative privileges.

import boto3

iam_client = boto3.client('iam')

def list_users():
    users = iam_client.list_users()
    return users['Users']

def list_user_policies(user_name):
    policies = iam_client.list_attached_user_policies(UserName=user_name)
    return policies['AttachedPolicies']

users = list_users()
for user in users:
    user_name = user['UserName']
    policies = list_user_policies(user_name)
    print(f"User: {user_name}, Policies: {policies}")

Identify Admin Policies: Check if the policies attached to users grant administrative privileges. Typically, the AdministratorAccess policy is used for admin privileges.

def is_admin_policy(policy_arn):
    admin_policies = [
        'arn:aws:iam::aws:policy/AdministratorAccess'
    ]
    return policy_arn in admin_policies

admin_users = []
for user in users:
    user_name = user['UserName']
    policies = list_user_policies(user_name)
    for policy in policies:
        if is_admin_policy(policy['PolicyArn']):
            admin_users.append(user_name)
            break

print(f"Admin Users: {admin_users}")

Set a Limit on the Number of Admins: Define a threshold for the maximum number of admin users allowed. If the number of admin users exceeds this threshold, log a warning or take appropriate action.

MAX_ADMINS = 3

if len(admin_users) > MAX_ADMINS:
    print(f"Warning: Too many admin users! Current count: {len(admin_users)}")
else:
    print(f"Admin user count is within the limit: {len(admin_users)}")

Automate the Monitoring Process: Schedule this script to run periodically using AWS Lambda and CloudWatch Events to ensure continuous monitoring and compliance.

import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

def lambda_handler(event, context):
    users = list_users()
    admin_users = []
    for user in users:
        user_name = user['UserName']
        policies = list_user_policies(user_name)
        for policy in policies:
            if is_admin_policy(policy['PolicyArn']):
                admin_users.append(user_name)
                break

    if len(admin_users) > MAX_ADMINS:
        logger.warning(f"Too many admin users! Current count: {len(admin_users)}")
    else:
        logger.info(f"Admin user count is within the limit: {len(admin_users)}")

    return {
        'statusCode': 200,
        'body': json.dumps('Script executed successfully')
    }

By following these steps, you can effectively monitor and prevent having too many administrators in your AWS IAM setup using Python scripts.

Check Cause

Using Console

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose “Users”. This will display a list of all IAM users associated with the current AWS account.
For each user, under the “Permissions” tab, check the attached policies. If a user has “AdministratorAccess” or any other policy that grants full access to AWS services and resources, they are considered an admin.
Count the number of users with admin access. If the number is high (based on your organization’s policy), then it’s a misconfiguration. The exact number that constitutes “too many” can vary depending on the size and nature of your organization.

Using CLI

Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine. You can download it from the official AWS website. After installation, you need to configure it with your AWS account credentials. You can do this by running the command aws configure and then entering your AWS Access Key ID, Secret Access Key, Default region name, and Default output format when prompted.
List all IAM users: Use the AWS CLI command aws iam list-users to list all the IAM users in your AWS account. This command will return a JSON object that contains information about all IAM users.
List all IAM policies: Use the AWS CLI command aws iam list-policies to list all the IAM policies in your AWS account. This command will return a JSON object that contains information about all IAM policies.
Check for admin policies: Now, you need to check if any of the listed IAM users have admin policies attached to them. You can do this by running the AWS CLI command aws iam list-attached-user-policies --user-name <username> for each user. Replace <username> with the name of the IAM user. This command will return a list of all policies attached to the specified IAM user. If the list contains an admin policy, then the user has admin privileges. Repeat this step for all IAM users. If the number of users with admin privileges is too high, then your AWS account has too many admins.

Using Python

Install the necessary AWS SDK for Python (Boto3) if you haven’t done so already. You can install it using pip:

pip install boto3

Import the necessary modules and create a session using your AWS credentials:

import boto3

session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY',
    aws_session_token='SESSION_TOKEN',
)

Use the IAM client to get a list of all IAM users:

iam = session.client('iam')

users = iam.list_users()['Users']

For each user, check if they have administrative privileges. This can be done by checking if the user has the ‘AdministratorAccess’ policy attached:

admin_count = 0
for user in users:
    policies = iam.list_attached_user_policies(UserName=user['UserName'])['AttachedPolicies']
    for policy in policies:
        if policy['PolicyName'] == 'AdministratorAccess':
            admin_count += 1

print(f"Number of admins: {admin_count}")

This script will print the number of users with administrative privileges. If this number is too high, it may indicate a misconfiguration.

Remediation

Using Console

The following are the step by step instructions to remediate the AWS misconfiguration:

Log in to your AWS Management Console using your administrator credentials.
Navigate to the AWS Identity and Access Management (IAM) dashboard.
Click on the “Users” option in the left-hand menu.
Review the list of users and identify any users with the “AdministratorAccess” policy attached to their account.
Select the user(s) that you want to remove the “AdministratorAccess” policy from.
Click on the “Permissions” tab.
Click on the “Detach Policy” button next to the “AdministratorAccess” policy.
Confirm the action by clicking on the “Detach” button.
Repeat steps 5-8 for any additional users with the “AdministratorAccess” policy attached to their account.
Create a new IAM group with the necessary permissions for the users that no longer have “AdministratorAccess” policy attached to their account.
Add the users to the new group.
Monitor the IAM dashboard to ensure that no new users are granted the “AdministratorAccess” policy.

By following these steps, you can remediate the AWS misconfiguration by reducing the number of users with “AdministratorAccess” policy attached to their accounts, and providing them with only the necessary permissions to perform their job duties.

Using CLI

Step-by-Step Instructions to remediate the AWS misconfiguration “AWS Account Should Not Have Too Many Admins” using AWS CLI:

Identify the number of IAM users with admin access in your AWS account: Run the following AWS CLI command to list all the IAM users with admin access:
```
aws iam list-users --query 'Users[?join(``,`[`,{AccessKeyMetadata:AccessKeys}[?Status==`Active`].AccessKeyId,`]`)]' --output table
```
This command will list all the IAM users with their Access Key IDs in a table format. Review the output and count the number of users with admin access.
Create a new IAM group with limited permissions: Run the following AWS CLI command to create a new IAM group with limited permissions:
```
aws iam create-group --group-name <group-name>
```
Replace <group-name> with a name for the new IAM group. This group will have limited permissions and will not have admin access.
Remove admin access from the IAM users: Run the following AWS CLI command to remove admin access from the IAM users:
```
aws iam remove-user-from-group --group-name admin --user-name <user-name>
```
Replace <user-name> with the name of the IAM user you want to remove from the admin group. Repeat this command for each IAM user with admin access.
Add the IAM users to the new IAM group: Run the following AWS CLI command to add the IAM users to the new IAM group:
```
aws iam add-user-to-group --group-name <group-name> --user-name <user-name>
```
Replace <group-name> with the name of the new IAM group and <user-name> with the name of the IAM user you want to add to the group. Repeat this command for each IAM user you want to add to the group.
Verify the changes: Run the following AWS CLI command to verify that the IAM users no longer have admin access:
```
aws iam list-groups-for-user --user-name <user-name> --query 'Groups[].GroupName' --output table
```
Replace <user-name> with the name of an IAM user you removed from the admin group. This command will list all the IAM groups that the user belongs to. Verify that the user is not in the admin group anymore and is only in the new group with limited permissions. Repeat this command for each IAM user you removed from the admin group.
Delete the admin IAM group: Run the following AWS CLI command to delete the admin IAM group:
```
aws iam delete-group --group-name admin
```
This will delete the admin IAM group and remove all the IAM users from it.

Using Python

To remediate the issue of having too many admins in AWS using Python, you can follow the below steps:

Identify the IAM users with admin privileges:
- Use the AWS SDK for Python (Boto3) to list all the IAM users in the account.
- For each user, check if they have the “AdministratorAccess” policy attached to their IAM user or group.
- If they do, add their username to a list of users with admin privileges.

Here is the sample code to identify the IAM users with admin privileges:

import boto3

# Create an IAM client
iam = boto3.client('iam')

# List all the IAM users in the account
response = iam.list_users()

# Initialize an empty list to store the usernames with admin privileges
admins = []

# Check each user for the "AdministratorAccess" policy
for user in response['Users']:
    response = iam.list_attached_user_policies(UserName=user['UserName'])
    for policy in response['AttachedPolicies']:
        if policy['PolicyName'] == 'AdministratorAccess':
            admins.append(user['UserName'])

print("Users with admin privileges: ", admins)

Remove the admin privileges from the identified users:
- For each user in the list of admins, remove the “AdministratorAccess” policy from their IAM user or group.
- Alternatively, you can create a new IAM policy with limited permissions and attach it to these users instead of the “AdministratorAccess” policy.

Here is the sample code to remove the “AdministratorAccess” policy from the identified users:

import boto3

# Create an IAM client
iam = boto3.client('iam')

# List all the IAM users in the account
response = iam.list_users()

# Initialize an empty list to store the usernames with admin privileges
admins = []

# Check each user for the "AdministratorAccess" policy
for user in response['Users']:
    response = iam.list_attached_user_policies(UserName=user['UserName'])
    for policy in response['AttachedPolicies']:
        if policy['PolicyName'] == 'AdministratorAccess':
            admins.append(user['UserName'])

# Remove the "AdministratorAccess" policy from the identified users
for admin in admins:
    response = iam.list_attached_user_policies(UserName=admin)
    for policy in response['AttachedPolicies']:
        if policy['PolicyName'] == 'AdministratorAccess':
            iam.detach_user_policy(UserName=admin, PolicyArn=policy['PolicyArn'])

print("Admin privileges removed from users: ", admins)

Note: Before running the above code, make sure you have the necessary AWS credentials configured on your system.

Additional Reading:

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

AWS Account Should Not Have Too Many Admins

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Check Cause

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Documentation Index

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Check Cause

​Remediation

​

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Check Cause

Remediation

Additional Reading: