Event Information

  • The DeleteRole event in AWS for IAM refers to the action of deleting an IAM role.
  • When this event occurs, it means that a specific IAM role has been removed from the AWS account.
  • This event is important for auditing and tracking purposes, as it helps to monitor changes made to IAM roles and ensure proper access management within the AWS environment.

Examples

  • Unauthorized deletion of a role: If security is impacted with DeleteRole in AWS for IAM, one example could be an unauthorized user gaining access to the IAM console or API and deleting a role that is critical for the security of the AWS environment. This could lead to a loss of access control and potential unauthorized access to resources.

  • Removal of role permissions: Another example could be a user mistakenly deleting a role that is associated with multiple permissions and policies. This could result in the removal of those permissions from all the entities that were relying on the role, potentially causing disruptions in the system and compromising security.

  • Impact on resource dependencies: Deleting a role without considering its dependencies can have unintended consequences. For instance, if a role is being used by an EC2 instance or an AWS Lambda function, deleting the role could lead to those resources losing necessary permissions and failing to function properly. This could impact the security and availability of the affected resources.

Remediation

Using Console

  1. Example 1: Enforce strong password policy for IAM users

    • Step 1: Login to the AWS Management Console.
    • Step 2: Go to the IAM service.
    • Step 3: Click on “Account settings” in the left navigation pane.
    • Step 4: Under the “Password policy” section, click on “Edit”.
    • Step 5: Enable the “Require at least one uppercase letter” option.
    • Step 6: Enable the “Require at least one lowercase letter” option.
    • Step 7: Enable the “Require at least one number” option.
    • Step 8: Enable the “Require at least one non-alphanumeric character” option.
    • Step 9: Set the “Minimum password length” to an appropriate value.
    • Step 10: Click on “Apply password policy”.

  2. Example 2: Enable multi-factor authentication (MFA) for IAM users

    • Step 1: Login to the AWS Management Console.
    • Step 2: Go to the IAM service.
    • Step 3: Click on “Users” in the left navigation pane.
    • Step 4: Select the IAM user for which you want to enable MFA.
    • Step 5: Click on the “Security credentials” tab.
    • Step 6: Under the “Multi-factor authentication (MFA)” section, click on “Manage”.
    • Step 7: Click on “Activate MFA”.
    • Step 8: Choose the appropriate MFA device option (e.g., virtual MFA device, hardware MFA device).
    • Step 9: Follow the on-screen instructions to set up the MFA device.
    • Step 10: Click on “Assign MFA”.

  3. Example 3: Enable AWS CloudTrail for logging IAM events

    • Step 1: Login to the AWS Management Console.
    • Step 2: Go to the CloudTrail service.
    • Step 3: Click on “Trails” in the left navigation pane.
    • Step 4: Click on “Create trail”.
    • Step 5: Provide a name for the trail and choose the appropriate settings (e.g., log file validation, S3 bucket for storing logs).
    • Step 6: Under the “Management events” section, enable logging for IAM events.
    • Step 7: Click on “Create”.
    • Step 8: Once the trail is created, go to the IAM service.
    • Step 9: Click on “Policies” in the left navigation pane.
    • Step 10: Create a new IAM policy that allows the necessary CloudTrail actions and attach it to the IAM users or groups that require access to CloudTrail logs.

Using CLI

  1. Ensure IAM users have strong passwords:
  • Use the update-login-profile command to enforce a strong password policy for IAM users: 
    aws iam update-login-profile --user-name <user-name> --password <new-password> --password-reset-required
  1. Enable multi-factor authentication (MFA) for IAM users:
  • Use the enable-mfa-device command to enable MFA for an IAM user: 
    aws iam enable-mfa-device --user-name <user-name> --serial-number <mfa-serial-number> --authentication-code1 <code1> --authentication-code2 <code2>
  1. Rotate access keys regularly:
  • Use the create-access-key command to generate a new access key for an IAM user: 
    aws iam create-access-key --user-name <user-name>
  • Use the delete-access-key command to delete the old access key: 
    aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>

Using Python

  1. Ensure IAM users have strong passwords:
    • Use the boto3 library in Python to retrieve a list of IAM users.
    • For each user, check if their password meets the desired complexity requirements (e.g., minimum length, use of special characters, etc.).
    • If a user’s password does not meet the requirements, use the update_login_profile method to force a password reset for that user.
import boto3

def enforce_strong_passwords():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    
    for user in users:
        response = iam_client.get_login_profile(UserName=user['UserName'])
        if 'LoginProfile' in response:
            password = response['LoginProfile'].get('PasswordResetRequired')
            # Check password complexity requirements
            if not is_password_strong(password):
                iam_client.update_login_profile(UserName=user['UserName'], PasswordResetRequired=True)
  1. Enable multi-factor authentication (MFA) for IAM users:
    • Use the boto3 library in Python to retrieve a list of IAM users.
    • For each user, check if MFA is already enabled.
    • If MFA is not enabled, use the enable_mfa method to enable it for that user.
import boto3

def enable_mfa_for_users():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    
    for user in users:
        response = iam_client.list_mfa_devices(UserName=user['UserName'])
        if not response['MFADevices']:
            iam_client.enable_mfa(UserName=user['UserName'])
  1. Monitor and rotate IAM access keys:
    • Use the boto3 library in Python to retrieve a list of IAM users.
    • For each user, check if they have any access keys.
    • If access keys are found, check their age and determine if they need to be rotated.
    • If rotation is required, use the create_access_key and delete_access_key methods to generate a new access key and delete the old one.
import boto3
from datetime import datetime, timedelta

def rotate_access_keys():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    
    for user in users:
        response = iam_client.list_access_keys(UserName=user['UserName'])
        for access_key in response['AccessKeyMetadata']:
            key_id = access_key['AccessKeyId']
            create_date = access_key['CreateDate']
            if (datetime.now() - create_date) > timedelta(days=90):
                new_key = iam_client.create_access_key(UserName=user['UserName'])
                iam_client.delete_access_key(UserName=user['UserName'], AccessKeyId=key_id)