Blacklisted IAM Policies Should Be Checked

More Info:

This rule checks each AWS Identity and Access Management (IAM) resource to see if a policy with the specified Amazon Resource Name (ARN) in the input parameter is attached. The rule is NON_COMPLIANT if the specified policy ARN is attached to the IAM resource.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Prevention
Cause
Remediation

How to Prevent

Using Console

To prevent blacklisted IAM policies in AWS using the AWS Management Console, follow these steps:

Review IAM Policies Regularly:
- Navigate to the IAM Dashboard in the AWS Management Console.
- Click on “Policies” in the left-hand menu.
- Regularly review the list of policies to ensure none of them are blacklisted or overly permissive.
Use IAM Access Analyzer:
- In the IAM Dashboard, select “Access Analyzer” from the left-hand menu.
- Create an analyzer if you haven’t already.
- Use the analyzer to identify and review policies that grant access to resources outside your organization or that are overly permissive.
Enable AWS Config Rules:
- Go to the AWS Config service in the AWS Management Console.
- Create or use existing AWS Config rules to continuously monitor IAM policies.
- Enable rules such as IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS to detect and alert on blacklisted policies.
Implement Policy Validation:
- When creating or updating IAM policies, use the policy validation feature.
- In the IAM policy editor, click on “Validate Policy” to check for any issues or overly permissive permissions.
- Address any warnings or errors before saving the policy.

By following these steps, you can proactively prevent the use of blacklisted IAM policies in your AWS environment.

Using CLI

To prevent blacklisted IAM policies in AWS using the AWS CLI, you can follow these steps:

List Existing IAM Policies:
- First, you need to list all the existing IAM policies to identify any that might be blacklisted.
```
aws iam list-policies --scope Local
```
Describe IAM Policies:
- For each policy, describe the policy to get its details and check if it matches any blacklisted criteria.
```
aws iam get-policy --policy-arn <policy-arn>
```
Create a Policy with Allowed Actions:
- Create IAM policies that only include allowed actions and avoid any blacklisted actions.
```
aws iam create-policy --policy-name <policy-name> --policy-document file://<policy-document.json>
```

Attach Policies to Users, Groups, or Roles:

Ensure that only the approved policies are attached to users, groups, or roles.

aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
aws iam attach-group-policy --group-name <group-name> --policy-arn <policy-arn>
aws iam attach-role-policy --role-name <role-name> --policy-arn <policy-arn>

By following these steps, you can prevent the use of blacklisted IAM policies in your AWS environment using the AWS CLI.

Using Python

To prevent blacklisted IAM policies in AWS, Azure, and GCP using Python scripts, you can follow these steps:

AWS (Amazon Web Services)

Install Boto3 Library: Ensure you have the Boto3 library installed to interact with AWS services.
```
pip install boto3
```

Define Blacklisted Policies: Create a list of blacklisted policies that you want to check against.

blacklisted_policies = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
    # Add more policies as needed
]

Check IAM Policies: Write a script to list all IAM policies and check if any of them are blacklisted.

import boto3

def check_blacklisted_policies():
    iam_client = boto3.client('iam')
    response = iam_client.list_policies(Scope='Local')
    policies = response['Policies']

    for policy in policies:
        if policy['Arn'] in blacklisted_policies:
            print(f"Blacklisted policy found: {policy['Arn']}")

check_blacklisted_policies()

Automate and Schedule: Automate the script to run at regular intervals using AWS Lambda or a cron job to ensure continuous compliance.

Azure (Microsoft Azure)

Install Azure SDK: Ensure you have the Azure SDK installed to interact with Azure services.
```
pip install azure-identity azure-mgmt-authorization
```

Define Blacklisted Policies: Create a list of blacklisted policies that you want to check against.

blacklisted_policies = [
    "/providers/Microsoft.Authorization/policyDefinitions/Owner",
    "/providers/Microsoft.Authorization/policyDefinitions/UserAccessAdministrator",
    # Add more policies as needed
]

Check IAM Policies: Write a script to list all IAM policies and check if any of them are blacklisted.

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

credential = DefaultAzureCredential()
subscription_id = 'your-subscription-id'
client = AuthorizationManagementClient(credential, subscription_id)

def check_blacklisted_policies():
    policies = client.policy_definitions.list()
    for policy in policies:
        if policy.id in blacklisted_policies:
            print(f"Blacklisted policy found: {policy.id}")

check_blacklisted_policies()

Automate and Schedule: Automate the script to run at regular intervals using Azure Functions or a cron job to ensure continuous compliance.

GCP (Google Cloud Platform)

Install Google Cloud SDK: Ensure you have the Google Cloud SDK installed to interact with GCP services.
```
pip install google-auth google-cloud-iam
```

Define Blacklisted Policies: Create a list of blacklisted policies that you want to check against.

blacklisted_policies = [
    "roles/owner",
    "roles/editor",
    # Add more policies as needed
]

Check IAM Policies: Write a script to list all IAM policies and check if any of them are blacklisted.

from google.cloud import iam_v1
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path-to-your-service-account-file.json')
client = iam_v1.IAMClient(credentials=credentials)

def check_blacklisted_policies():
    policies = client.list_roles()
    for policy in policies:
        if policy.name in blacklisted_policies:
            print(f"Blacklisted policy found: {policy.name}")

check_blacklisted_policies()

Automate and Schedule: Automate the script to run at regular intervals using Google Cloud Functions or a cron job to ensure continuous compliance.

By following these steps, you can prevent the use of blacklisted IAM policies across AWS, Azure, and GCP using Python scripts.

Check Cause

Using Console

Log in to the AWS Management Console and navigate to the IAM dashboard.
In the IAM dashboard, click on “Policies” in the left navigation pane. This will display a list of all the IAM policies that are currently in use.
Use the Filter policies search box to find the IAM policies that you want to check. You can filter the policies by policy name, policy type, or by the services that the policy grants access to.
Once you have located the IAM policies that you want to check, click on the policy name to open the policy details page. Here, you can review the policy document to check if it contains any blacklisted actions or resources. If the policy document contains any blacklisted actions or resources, it means that the IAM policy is misconfigured.

Using CLI

First, you need to install and configure AWS CLI on your local machine. You can download it from the official AWS website and configure it using the “aws configure” command. You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
Once the AWS CLI is set up, you can list all the IAM policies in your AWS account using the following command:
```
aws iam list-policies --scope Local
```
This command will return a list of all IAM policies that are created within your AWS account (Local scope).
To check if any of these policies are blacklisted, you need to have a list of blacklisted policy ARNs. Once you have this list, you can compare the ARNs of the policies returned by the above command with the blacklisted ARNs. This can be done using a simple script in Python or any other scripting language.

Here is a simple Python script that checks if any of the policies are blacklisted:

import json
import subprocess

# List of blacklisted policy ARNs
blacklisted_policies = ["arn:aws:iam::aws:policy/BlacklistedPolicy1", "arn:aws:iam::aws:policy/BlacklistedPolicy2"]

# Command to list all IAM policies
command = ["aws", "iam", "list-policies", "--scope", "Local"]

# Execute the command
output = subprocess.check_output(command)

# Parse the output
policies = json.loads(output)

# Check each policy
for policy in policies["Policies"]:
    if policy["Arn"] in blacklisted_policies:
        print(f"Blacklisted policy detected: {policy['Arn']}")

This script executes the AWS CLI command to list all IAM policies, parses the output, and checks if any of the policy ARNs are in the list of blacklisted policies. If a blacklisted policy is detected, it prints a message with the ARN of the policy.

Using Python

Import necessary libraries: The first step is to import the necessary libraries in your Python script. You will need the boto3 library for AWS, azure.identity and azure.mgmt.resource for Azure, and google.cloud for GCP.
```
import boto3
from azure.identity import DefaultAzureCredential
from azure.mgmt.resource import ResourceManagementClient
from google.cloud import resource_manager
```
Create a client for the respective cloud service: The next step is to create a client for the respective cloud service. For AWS, you can use the boto3 client for IAM. For Azure, you can use the ResourceManagementClient. For GCP, you can use the resource_manager.Client().
```
# AWS
client = boto3.client('iam')

# Azure
credential = DefaultAzureCredential()
resource_client = ResourceManagementClient(credential, "<subscription_id>")

# GCP
client = resource_manager.Client()
```

Retrieve and check IAM policies: Now, you can retrieve the IAM policies and check if any of them are blacklisted. For AWS, you can use the list_policies method. For Azure, you can use the policy_definitions.list() method. For GCP, you can use the get_policy method.

# AWS
response = client.list_policies(Scope='All')
for policy in response['Policies']:
    if policy['PolicyName'] in blacklisted_policies:
        print(f"Blacklisted policy found: {policy['PolicyName']}")

# Azure
for policy in resource_client.policy_definitions.list():
    if policy.name in blacklisted_policies:
        print(f"Blacklisted policy found: {policy.name}")

# GCP
for project in client.list_projects():
    policy = client.get_policy(project.project_id)
    for binding in policy.bindings:
        if binding.role in blacklisted_policies:
            print(f"Blacklisted policy found: {binding.role}")

Blacklisted policies list: The blacklisted_policies in the above scripts should be a list of policy names that you consider as blacklisted. This list should be defined before checking the policies.
```
blacklisted_policies = ['blacklisted_policy1', 'blacklisted_policy2', 'blacklisted_policy3']
```

Please replace <subscription_id> with your Azure subscription id. Also, replace blacklisted_policy1, blacklisted_policy2, blacklisted_policy3 with the actual names of the blacklisted policies.

Remediation

Using Console

To remediate the issue of blacklisted IAM policies in AWS IAM using the AWS Management Console, follow these step-by-step instructions:

Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/) and log in using your credentials.
Navigate to IAM Service: Click on the “Services” dropdown menu at the top left corner of the console, then select “IAM” under the Security, Identity, & Compliance section.
Check IAM Policies: In the IAM dashboard, click on “Policies” in the left-hand menu to view the list of IAM policies in your account.
Identify Blacklisted Policies: Look through the list of policies to identify any blacklisted policies. These policies may contain overly permissive permissions or be known to be insecure.
Review Policy Details: Click on the blacklisted policy to review its details, including the permissions it grants and the resources it affects.
Edit or Delete Policy: Depending on the policy, you can either edit the policy to remove the blacklisted permissions or delete the policy entirely if it is not needed.
Edit Policy: To edit the policy, click on the “Edit policy” button and make the necessary changes to remove the blacklisted permissions. Ensure that the policy follows the principle of least privilege.
Delete Policy: If the policy is unnecessary or cannot be securely modified, you can delete the policy by selecting it and clicking on the “Delete policy” button.
Monitor and Audit: Regularly monitor your IAM policies to ensure that blacklisted policies do not reappear and conduct periodic audits to review and update permissions.
Implement IAM Best Practices: To prevent future blacklisted IAM policies, follow IAM best practices such as using IAM roles, implementing MFA, and regularly rotating access keys.

By following these steps, you can remediate the issue of blacklisted IAM policies in AWS IAM using the AWS Management Console and ensure that your IAM policies adhere to security best practices.

Using CLI

To remediate blacklisted IAM policies in AWS IAM using AWS CLI, follow these steps:

Identify the blacklisted IAM policies:
- Run the following AWS CLI command to list all IAM policies in your AWS account:
  aws iam list-policies
- Review the list of policies and identify the blacklisted policies that need to be remediated.
Detach the blacklisted IAM policies from any IAM users, groups, or roles:
- Run the following AWS CLI command to list all IAM users, groups, and roles in your AWS account:
  aws iam list-users aws iam list-groups aws iam list-roles
- For each IAM entity (user, group, or role) that has the blacklisted policy attached, run the following AWS CLI command to detach the policy:
  aws iam detach-user-policy --user-name <user-name> --policy-arn <policy-arn> aws iam detach-group-policy --group-name <group-name> --policy-arn <policy-arn> aws iam detach-role-policy --role-name <role-name> --policy-arn <policy-arn>
  Replace <user-name>, <group-name>, <role-name>, and <policy-arn> with the appropriate values.
Delete the blacklisted IAM policies:
- Run the following AWS CLI command to delete the blacklisted policies:
  aws iam delete-policy --policy-arn <policy-arn>
  Replace <policy-arn> with the ARN of the blacklisted policy.
Monitor and verify:
- Run the following AWS CLI command to ensure that the blacklisted policies have been successfully detached and deleted:
  aws iam list-entities-for-policy --policy-arn <policy-arn>
- Verify that the blacklisted policies no longer appear in the list of attached policies.

By following these steps, you can effectively remediate blacklisted IAM policies in AWS IAM using AWS CLI.

Using Python

To remediate blacklisted IAM policies in AWS IAM using Python, follow these steps:

Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:
```
pip install boto3
```
Create a Python script to list all IAM policies and check if any blacklisted policies are attached to any IAM users, groups, or roles. Here is an example script to get you started:

import boto3

# Define the blacklisted IAM policies
blacklisted_policies = ['arn:aws:iam::aws:policy/AdministratorAccess', 'arn:aws:iam::aws:policy/PowerUserAccess']

# Create an AWS IAM client
iam_client = boto3.client('iam')

# List all IAM policies
response = iam_client.list_policies()

# Check if any blacklisted policies are attached to any IAM users, groups, or roles
for policy in response['Policies']:
    policy_arn = policy['Arn']
    if policy_arn in blacklisted_policies:
        response = iam_client.list_entities_for_policy(PolicyArn=policy_arn)
        for entity_type, entities in response['PolicyGroups'], response['PolicyUsers'], response['PolicyRoles']:
            for entity in entities:
                print(f"Detected blacklisted policy {policy_arn} attached to {entity_type}: {entity['Arn']}")

Run the Python script to identify any IAM entities that have blacklisted policies attached. If any are found, you can remove the blacklisted policies from the entities using the detach_policy method in the Boto3 IAM client.
To detach a policy from an IAM user, group, or role, you can use the detach_policy method. Here is an example code snippet to detach a policy from an IAM user:

iam_client.detach_user_policy(UserName='example_user', PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess')

Repeat the detachment process for all IAM entities that have blacklisted policies attached until all blacklisted policies are removed.

By following these steps, you can remediate blacklisted IAM policies in AWS IAM using Python.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Blacklisted IAM Policies Should Be Checked

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

AWS (Amazon Web Services)

Azure (Microsoft Azure)

GCP (Google Cloud Platform)

Check Cause

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​AWS (Amazon Web Services)

​Azure (Microsoft Azure)

​GCP (Google Cloud Platform)

​Check Cause

​Remediation

​

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

AWS (Amazon Web Services)

Azure (Microsoft Azure)

GCP (Google Cloud Platform)

Check Cause

Remediation