AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
IAM Managed Policies Should Be Attached To IAM Role
More Info:
Check if custom role policies are present
Risk Level
Medium
Address
Security
Compliance Standards
CBP,SEBI
Triage and Remediation
Remediation
To remediate the issue of IAM Managed Policies Without Associated IAM Role present in AWS IAM using the AWS Management Console, follow these step-by-step instructions:
-
Sign in to the AWS Management Console: Go to the AWS Management Console and sign in using your AWS account credentials.
-
Navigate to the IAM Service: Click on the “Services” dropdown in the top left corner of the console, and then select “IAM” under the Security, Identity, & Compliance section.
-
Identify Custom Role Policies: In the IAM console, click on the “Roles” option in the left-hand menu to view a list of IAM roles in your account.
-
Select the Role: Identify the IAM role that has custom policies attached to it. Click on the name of the role to view its details.
-
Remove Custom Policies: In the permissions tab of the IAM role details, you will see the list of policies attached to the role. Identify the custom policies that should not be present and click on the policy to select it.
-
Detach the Policy: Click on the “Detach Policy” button to remove the custom policy from the IAM role. Confirm the action when prompted.
-
Review and Save Changes: Review the updated permissions for the IAM role to ensure that only the necessary managed policies are attached. Click on the “Save Changes” button to apply the changes.
-
Verify Remediation: Once the custom role policies have been removed, verify that the IAM role now only has the necessary managed policies attached to it.
By following these steps, you can remediate the issue of IAM Managed Policies Without Associated IAM Role present in AWS IAM using the AWS Management Console.
To remediate the issue of IAM Managed Policies Without Associated IAM Role present in AWS using AWS CLI, you can follow these steps:
-
Identify the IAM roles with custom policies: Run the following AWS CLI command to list all IAM roles in your account along with their policies:
aws iam list-roles
-
Review the policies attached to each IAM role: For each IAM role identified in the previous step, run the following AWS CLI command to list the policies attached to the role:
aws iam list-role-policies --role-name <role-name>
-
Remove the custom policies attached to the IAM roles: For each IAM role that has custom policies attached, run the following AWS CLI command to detach the custom policy from the role:
aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>
-
Verify the custom policies have been removed: Run the following AWS CLI command to verify that the custom policy has been successfully removed from the IAM role:
aws iam list-role-policies --role-name <role-name>
-
Repeat the above steps for all IAM roles with custom policies attached to remediate the issue across all roles.
By following the above steps, you can remediate the issue of IAM Managed Policies Without Associated IAM Role present in AWS using AWS CLI.
To remediate the misconfiguration of IAM Managed Policies Without Associated IAM Role present in AWS using Python, you can follow these steps:
Step 1: List all IAM roles with custom policies attached
import boto3
client = boto3.client('iam')
response = client.list_roles()
for role in response['Roles']:
role_name = role['RoleName']
attached_policies = client.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']
if attached_policies:
print(f"IAM Role {role_name} has custom policies attached.")
Step 2: Detach custom policies from IAM roles
for role in response['Roles']:
role_name = role['RoleName']
attached_policies = client.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']
if attached_policies:
for policy in attached_policies:
policy_arn = policy['PolicyArn']
client.detach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
print(f"Detached policy {policy_arn} from IAM Role {role_name}")
Step 3: Verify that custom policies have been successfully detached
response = client.list_roles()
for role in response['Roles']:
role_name = role['RoleName']
attached_policies = client.list_attached_role_policies(RoleName=role_name)['AttachedPolicies']
if attached_policies:
print(f"IAM Role {role_name} still has custom policies attached.")
else:
print(f"IAM Role {role_name} no longer has custom policies attached.")
By following these steps, you can remediate the misconfiguration of IAM Managed Policies Without Associated IAM Role present in AWS using Python.