SetDefaultPolicyVersion
Event Information
- The SetDefaultPolicyVersion event in AWS for IAM refers to the action of setting a specific policy version as the default version for a particular IAM policy.
- When this event occurs, it means that the default version of the policy has been updated, and any new IAM roles or users that are assigned this policy will automatically use the newly set default version.
- This event is useful for managing and controlling the access and permissions of IAM entities, as it allows for the easy management of policy versions and ensures that the most up-to-date version is being used by default.
Examples
-
Unauthorized access: If the SetDefaultPolicyVersion operation is misconfigured or misused, it can potentially grant unauthorized access to resources within the AWS account. This can lead to data breaches, unauthorized modifications, or other security incidents.
-
Privilege escalation: If an attacker gains access to an IAM user or role with permissions to modify the default policy version, they can potentially escalate their privileges by modifying the policy to grant themselves additional permissions. This can result in unauthorized access to sensitive resources or actions within the AWS account.
-
Policy misconfiguration: If the default policy version is set incorrectly or without proper consideration of security best practices, it can lead to policy misconfigurations. These misconfigurations can inadvertently grant excessive permissions to users or roles, increasing the attack surface and potentially compromising the security of the AWS account.
Remediation
Using Console
-
Example 1: Enforce strong password policy for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Account settings” in the left navigation pane.
- Step 4: Under the “Password policy” section, click on “Edit”.
- Step 5: Enable the “Require at least one uppercase letter” option.
- Step 6: Enable the “Require at least one lowercase letter” option.
- Step 7: Enable the “Require at least one number” option.
- Step 8: Enable the “Require at least one non-alphanumeric character” option.
- Step 9: Set the “Minimum password length” to an appropriate value.
- Step 10: Click on “Apply password policy”.
-
Example 2: Enable multi-factor authentication (MFA) for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Users” in the left navigation pane.
- Step 4: Select the IAM user for which you want to enable MFA.
- Step 5: Click on the “Security credentials” tab.
- Step 6: Under the “Multi-factor authentication (MFA)” section, click on “Manage”.
- Step 7: Click on “Activate MFA”.
- Step 8: Choose the appropriate MFA device option (e.g., virtual MFA device, hardware MFA device).
- Step 9: Follow the on-screen instructions to set up the MFA device.
- Step 10: Click on “Assign MFA”.
-
Example 3: Enable AWS CloudTrail for logging IAM events
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the CloudTrail service.
- Step 3: Click on “Trails” in the left navigation pane.
- Step 4: Click on “Create trail”.
- Step 5: Provide a name for the trail and choose the appropriate settings (e.g., log file validation, S3 bucket for storing logs).
- Step 6: Under the “Management events” section, enable logging for IAM events.
- Step 7: Click on “Create”.
- Step 8: Once the trail is created, go to the IAM service.
- Step 9: Click on “Policies” in the left navigation pane.
- Step 10: Create a new IAM policy that allows the necessary CloudTrail actions and attach it to the IAM users or groups that require access to CloudTrail logs.
Using CLI
-
Ensure IAM users have strong passwords:
- Use the
update-login-profile
command to set a strong password for an IAM user:aws iam update-login-profile --user-name <IAM_USER_NAME> --password <NEW_PASSWORD> --password-reset-required
- Use the
-
Enable multi-factor authentication (MFA) for IAM users:
- Use the
enable-mfa-device
command to enable MFA for an IAM user:aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number <MFA_DEVICE_SERIAL_NUMBER> --authentication-code1 <CODE1> --authentication-code2 <CODE2>
- Use the
-
Remove unnecessary IAM access keys:
- Use the
delete-access-key
command to delete an IAM access key:aws iam delete-access-key --user-name <IAM_USER_NAME> --access-key-id <ACCESS_KEY_ID>
- Use the
Using Python
-
Ensure IAM users have strong passwords:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if their password meets the desired complexity requirements (e.g., minimum length, use of uppercase, lowercase, numbers, and special characters).
- If a user’s password does not meet the requirements, use the
update_login_profile
method to update the user’s password with a randomly generated strong password.
import boto3 import string import random def generate_password(length=12): characters = string.ascii_letters + string.digits + string.punctuation return ''.join(random.choice(characters) for _ in range(length)) def remediate_weak_passwords(): iam_client = boto3.client('iam') users = iam_client.list_users()['Users'] for user in users: if not is_password_strong(user['UserName']): new_password = generate_password() iam_client.update_login_profile( UserName=user['UserName'], Password=new_password, PasswordResetRequired=True ) print(f"Updated password for user {user['UserName']}") remediate_weak_passwords()
- Use the
-
Enable multi-factor authentication (MFA) for IAM users:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if MFA is already enabled. If not, use the
enable_mfa
method to enable MFA for the user.
import boto3 def enable_mfa_for_users(): iam_client = boto3.client('iam') users = iam_client.list_users()['Users'] for user in users: mfa_devices = iam_client.list_mfa_devices(UserName=user['UserName'])['MFADevices'] if not mfa_devices: iam_client.enable_mfa( UserName=user['UserName'], SerialNumber='arn:aws:iam::123456789012:mfa/user', AuthenticationCode1='123456', AuthenticationCode2='789012' ) print(f"Enabled MFA for user {user['UserName']}") enable_mfa_for_users()
- Use the
-
Remove unused IAM access keys:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if they have any access keys that are not used recently.
- If an access key is not used recently, use the
delete_access_key
method to delete the access key.
import boto3 from datetime import datetime, timedelta def remove_unused_access_keys(): iam_client = boto3.client('iam') users = iam_client.list_users()['Users'] for user in users: access_keys = iam_client.list_access_keys(UserName=user['UserName'])['AccessKeyMetadata'] for access_key in access_keys: last_used = iam_client.get_access_key_last_used(AccessKeyId=access_key['AccessKeyId']) if 'LastUsedDate' in last_used and last_used['LastUsedDate'] < datetime.now() - timedelta(days=90): iam_client.delete_access_key( UserName=user['UserName'], AccessKeyId=access_key['AccessKeyId'] ) print(f"Deleted unused access key {access_key['AccessKeyId']} for user {user['UserName']}") remove_unused_access_keys()
- Use the