IAM Managed Policies Should Be Attached To IAM Role

Using Console

Using CLI

To prevent IAM Custom Role Policies from being present in IAM using AWS CLI, you can follow these steps:

List Existing IAM Roles: First, identify all the IAM roles in your AWS account to ensure you know which roles are currently configured.
```
aws iam list-roles
```
Check for Custom Policies Attached to Roles: For each role, check if there are any custom policies attached. This will help you identify roles that might have custom policies.
```
aws iam list-role-policies --role-name <role-name>
```
Detach Custom Policies from Roles: If you find any custom policies attached to a role, detach them to ensure that no custom policies are present.
```
aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>
```
Enforce Use of Managed Policies: Ensure that roles only use AWS managed policies or predefined policies by attaching them to the roles.
```
aws iam attach-role-policy --role-name <role-name> --policy-arn <arn:aws:iam::aws:policy/<policy-name>>
```

By following these steps, you can prevent the presence of custom role policies in IAM using AWS CLI.

Using Python

To prevent IAM Custom Role Policies from being present in IAM using Python scripts, you can follow these steps:

Set Up Environment and Install Required Libraries:
- Ensure you have the necessary SDKs installed for AWS, Azure, and GCP.
- For AWS, use boto3.
- For Azure, use azure-identity and azure-mgmt-authorization.
- For GCP, use google-cloud-iam.
Authenticate and Initialize Clients:
- Authenticate and initialize the respective clients for AWS, Azure, and GCP.
Check for Existing Custom Roles:
- Write scripts to list and check for existing custom roles in each cloud environment.
Prevent Creation of Custom Roles:
- Implement logic to prevent the creation of custom roles by monitoring and intercepting role creation requests.

Here are the Python scripts for each cloud provider:

AWS (Using `boto3`)

import boto3

# Initialize IAM client
iam_client = boto3.client('iam')

# List all custom roles
def list_custom_roles():
    roles = iam_client.list_roles()
    custom_roles = [role for role in roles['Roles'] if 'AWS' not in role['Arn']]
    return custom_roles

# Prevent creation of custom roles
def prevent_custom_roles():
    custom_roles = list_custom_roles()
    if custom_roles:
        print("Custom roles detected. Preventing creation of new custom roles.")
        # Implement logic to prevent creation of new custom roles
        # This could involve setting up IAM policies or alerts

prevent_custom_roles()

Azure (Using `azure-identity` and `azure-mgmt-authorization`)

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Initialize Azure client
credential = DefaultAzureCredential()
subscription_id = 'your_subscription_id'
auth_client = AuthorizationManagementClient(credential, subscription_id)

# List all custom roles
def list_custom_roles():
    custom_roles = []
    for role in auth_client.role_definitions.list(scope='/subscriptions/' + subscription_id):
        if role.role_type == 'CustomRole':
            custom_roles.append(role)
    return custom_roles

# Prevent creation of custom roles
def prevent_custom_roles():
    custom_roles = list_custom_roles()
    if custom_roles:
        print("Custom roles detected. Preventing creation of new custom roles.")
        # Implement logic to prevent creation of new custom roles
        # This could involve setting up policies or alerts

prevent_custom_roles()

GCP (Using `google-cloud-iam`)

from google.cloud import iam_v1
from google.oauth2 import service_account

# Initialize GCP IAM client
credentials = service_account.Credentials.from_service_account_file('path_to_your_service_account_key.json')
iam_client = iam_v1.IAMClient(credentials=credentials)

# List all custom roles
def list_custom_roles():
    custom_roles = []
    project_id = 'your_project_id'
    roles = iam_client.list_roles(parent=f'projects/{project_id}')
    for role in roles:
        if role.stage == iam_v1.Role.Stage.CUSTOM:
            custom_roles.append(role)
    return custom_roles

# Prevent creation of custom roles
def prevent_custom_roles():
    custom_roles = list_custom_roles()
    if custom_roles:
        print("Custom roles detected. Preventing creation of new custom roles.")
        # Implement logic to prevent creation of new custom roles
        # This could involve setting up policies or alerts

prevent_custom_roles()

Summary

Set Up Environment and Install Required Libraries: Ensure you have the necessary SDKs installed.
Authenticate and Initialize Clients: Authenticate and initialize the respective clients for AWS, Azure, and GCP.
Check for Existing Custom Roles: Write scripts to list and check for existing custom roles in each cloud environment.
Prevent Creation of Custom Roles: Implement logic to prevent the creation of custom roles by monitoring and intercepting role creation requests.

These scripts will help you monitor and prevent the creation of custom IAM roles in AWS, Azure, and GCP.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

IAM Managed Policies Should Be Attached To IAM Role

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent