AWS Account Should Not Have Too Many Admins

More Info:

Your AWS account has too many admins.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent having too many administrators in AWS IAM using the AWS CLI, you can follow these steps:

List Current IAM Users and Their Policies: First, identify all IAM users and their attached policies to understand who has administrative privileges.
```
aws iam list-users
aws iam list-attached-user-policies --user-name <user-name>
```
Identify Users with Admin Access: Check which users have policies that grant administrative access. Look for policies like AdministratorAccess.
```
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```
Create a Least Privilege Policy: Create a custom policy that grants only the necessary permissions instead of full administrative access.
```
aws iam create-policy --policy-name LeastPrivilegePolicy --policy-document file://least_privilege_policy.json
```

Attach the Least Privilege Policy and Detach Admin Policy: Attach the newly created least privilege policy to the necessary users and detach the AdministratorAccess policy.

aws iam attach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::<account-id>:policy/LeastPrivilegePolicy
aws iam detach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

By following these steps, you can ensure that only necessary permissions are granted to IAM users, thereby reducing the number of administrators in your AWS account.

Using Python

To prevent having too many administrators in AWS IAM using Python scripts, you can follow these steps:

List All IAM Users and Their Policies: Use the boto3 library to list all IAM users and their attached policies. This will help you identify users with administrative privileges.

import boto3

iam_client = boto3.client('iam')

def list_users():
    users = iam_client.list_users()
    return users['Users']

def list_user_policies(user_name):
    policies = iam_client.list_attached_user_policies(UserName=user_name)
    return policies['AttachedPolicies']

users = list_users()
for user in users:
    user_name = user['UserName']
    policies = list_user_policies(user_name)
    print(f"User: {user_name}, Policies: {policies}")

Identify Admin Policies: Check if the policies attached to users grant administrative privileges. Typically, the AdministratorAccess policy is used for admin privileges.

def is_admin_policy(policy_arn):
    admin_policies = [
        'arn:aws:iam::aws:policy/AdministratorAccess'
    ]
    return policy_arn in admin_policies

admin_users = []
for user in users:
    user_name = user['UserName']
    policies = list_user_policies(user_name)
    for policy in policies:
        if is_admin_policy(policy['PolicyArn']):
            admin_users.append(user_name)
            break

print(f"Admin Users: {admin_users}")

Set a Limit on the Number of Admins: Define a threshold for the maximum number of admin users allowed. If the number of admin users exceeds this threshold, log a warning or take appropriate action.

MAX_ADMINS = 3

if len(admin_users) > MAX_ADMINS:
    print(f"Warning: Too many admin users! Current count: {len(admin_users)}")
else:
    print(f"Admin user count is within the limit: {len(admin_users)}")

Automate the Monitoring Process: Schedule this script to run periodically using AWS Lambda and CloudWatch Events to ensure continuous monitoring and compliance.

import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

def lambda_handler(event, context):
    users = list_users()
    admin_users = []
    for user in users:
        user_name = user['UserName']
        policies = list_user_policies(user_name)
        for policy in policies:
            if is_admin_policy(policy['PolicyArn']):
                admin_users.append(user_name)
                break

    if len(admin_users) > MAX_ADMINS:
        logger.warning(f"Too many admin users! Current count: {len(admin_users)}")
    else:
        logger.info(f"Admin user count is within the limit: {len(admin_users)}")

    return {
        'statusCode': 200,
        'body': json.dumps('Script executed successfully')
    }

By following these steps, you can effectively monitor and prevent having too many administrators in your AWS IAM setup using Python scripts.

Additional Reading:

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

AWS Account Should Not Have Too Many Admins

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: