CreatePolicyVersion
CreatePolicyVersion
Event Information
- The CreatePolicyVersion event in AWS for IAM refers to the action of creating a new version of an IAM policy.
- This event is triggered when a user or an automated process creates a new version of an existing IAM policy.
- Each version of an IAM policy represents a snapshot of the policy at a specific point in time and can be used to track changes and manage policy updates.
Examples
-
If the IAM policy being created allows overly permissive permissions, it can lead to security risks by granting excessive access to resources. This can potentially result in unauthorized access, data breaches, or privilege escalation attacks.
-
If the IAM policy being created does not follow the principle of least privilege, it can lead to security vulnerabilities. This means that users or roles may have more permissions than necessary, increasing the attack surface and potential impact of a compromised account.
-
If the IAM policy being created does not properly enforce multi-factor authentication (MFA) for sensitive actions, it can weaken the overall security posture. Without MFA, an attacker who gains access to the IAM credentials can perform actions with elevated privileges without additional authentication, increasing the risk of unauthorized access.
Remediation
Using Console
-
Example 1: Enforce strong password policy for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Account settings” in the left navigation pane.
- Step 4: Under the “Password policy” section, click on “Edit”.
- Step 5: Enable the “Require at least one uppercase letter” option.
- Step 6: Enable the “Require at least one lowercase letter” option.
- Step 7: Enable the “Require at least one number” option.
- Step 8: Enable the “Require at least one non-alphanumeric character” option.
- Step 9: Set the “Minimum password length” to an appropriate value.
- Step 10: Click on “Apply password policy”.
-
Example 2: Enable multi-factor authentication (MFA) for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Users” in the left navigation pane.
- Step 4: Select the IAM user for which you want to enable MFA.
- Step 5: Click on the “Security credentials” tab.
- Step 6: Under the “Multi-factor authentication (MFA)” section, click on “Manage”.
- Step 7: Click on “Activate MFA”.
- Step 8: Choose the appropriate MFA device option (e.g., virtual MFA device, hardware MFA device).
- Step 9: Follow the on-screen instructions to set up the MFA device.
- Step 10: Click on “Assign MFA”.
-
Example 3: Enable AWS CloudTrail for logging IAM events
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the CloudTrail service.
- Step 3: Click on “Trails” in the left navigation pane.
- Step 4: Click on “Create trail”.
- Step 5: Provide a name for the trail and choose the appropriate settings (e.g., log file validation, S3 bucket for storing logs).
- Step 6: Under the “Management events” section, enable logging for IAM events.
- Step 7: Click on “Create”.
- Step 8: Once the trail is created, go to the IAM service.
- Step 9: Click on “Policies” in the left navigation pane.
- Step 10: Create a new IAM policy that allows the necessary permissions for accessing and reading the CloudTrail logs.
Using CLI
-
Ensure IAM users have strong passwords:
- Use the
update-login-profilecommand to set a strong password for an IAM user:aws iam update-login-profile --user-name <IAM_USER_NAME> --password <NEW_PASSWORD> --password-reset-required
- Use the
-
Enable multi-factor authentication (MFA) for IAM users:
- Use the
enable-mfa-devicecommand to enable MFA for an IAM user:aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number <MFA_DEVICE_SERIAL_NUMBER> --authentication-code1 <CODE1> --authentication-code2 <CODE2>
- Use the
-
Remove unnecessary IAM access keys:
- Use the
delete-access-keycommand to delete an IAM access key:aws iam delete-access-key --user-name <IAM_USER_NAME> --access-key-id <ACCESS_KEY_ID>
- Use the
Using Python
- Ensure IAM users have strong passwords:
- Use the
boto3library in Python to retrieve a list of IAM users. - For each user, check if their password meets the desired complexity requirements (e.g., minimum length, use of uppercase, lowercase, numbers, and special characters).
- If a user’s password does not meet the requirements, use the
update_login_profilemethod to force a password reset for that user.
- Use the
import boto3
def enforce_password_policy():
iam_client = boto3.client('iam')
users = iam_client.list_users()['Users']
for user in users:
password_policy = iam_client.get_account_password_policy()
password_requirements = password_policy['PasswordPolicy']
if not password_requirements['RequireUppercaseCharacters']:
# Implement your logic to enforce uppercase characters requirement
pass
if not password_requirements['RequireLowercaseCharacters']:
# Implement your logic to enforce lowercase characters requirement
pass
if not password_requirements['RequireNumbers']:
# Implement your logic to enforce numbers requirement
pass
if not password_requirements['RequireSymbols']:
# Implement your logic to enforce special characters requirement
pass
if password_requirements['MinimumPasswordLength'] < 8:
# Implement your logic to enforce minimum password length requirement
pass
# Use the update_login_profile method to force a password reset for the user if needed
# iam_client.update_login_profile(UserName=user['UserName'], PasswordResetRequired=True)
- Monitor and log IAM activity:
- Use the
boto3library in Python to enable CloudTrail for the AWS account. - Configure CloudTrail to log IAM events by specifying the appropriate resource ARNs and event types.
- Use the
boto3library to retrieve and analyze the CloudTrail logs for IAM-related events.
- Use the
import boto3
def enable_cloudtrail():
cloudtrail_client = boto3.client('cloudtrail')
# Enable CloudTrail for the AWS account
cloudtrail_client.create_trail(
Name='MyCloudTrail',
S3BucketName='my-cloudtrail-bucket',
IsMultiRegionTrail=True
)
# Configure CloudTrail to log IAM events
cloudtrail_client.update_trail(
Name='MyCloudTrail',
IncludeGlobalServiceEvents=True,
DataEvents=[
{
'ReadWriteType': 'All',
'Resources': [
'arn:aws:iam::123456789012:user/*',
'arn:aws:iam::123456789012:role/*'
]
}
]
)
def analyze_cloudtrail_logs():
cloudtrail_client = boto3.client('cloudtrail')
# Retrieve CloudTrail logs for IAM-related events
response = cloudtrail_client.lookup_events(
LookupAttributes=[
{
'AttributeKey': 'EventName',
'AttributeValue': 'CreateUser'
}
]
)
# Analyze the CloudTrail logs for IAM-related events
for event in response['Events']:
# Implement your logic to analyze the event data
pass
- Implement least privilege access:
- Use the
boto3library in Python to retrieve a list of IAM roles and their associated policies. - For each role, analyze the policies to identify any overly permissive permissions.
- Modify the policies to enforce least privilege access by removing unnecessary permissions.
- Use the
import boto3
def enforce_least_privilege():
iam_client = boto3.client('iam')
roles = iam_client.list_roles()['Roles']
for role in roles:
role_name = role['RoleName']
role_policies = iam_client.list_role_policies(RoleName=role_name)['PolicyNames']
for policy_name in role_policies:
policy_document = iam_client.get_role_policy(RoleName=role_name, PolicyName=policy_name)['PolicyDocument']
# Implement your logic to analyze the policy document and remove unnecessary permissions
pass
Please note that the provided Python scripts are just examples and may require customization based on your specific requirements and environment.