Ensure AWS IAM managed policies do not have 'getObject' or full S3 action permissions

Risk Level: High
IAM Policy
Rule ID: D9.AWS.IAM.71
Category: Security, Identity, & Compliance
Ensuring that AWS IAM managed policies do not grant 's3:GetObject' or full S3 ('s3:*') permissions limits the opportunity for Amazon S3 data exfiltration or manipulation by any principal those policies are attached to.

gsl logic

IamPolicy where name regexMatch /AWS/ should not have document.Statement contain [ Effect='Allow' and (Action='S3:*' or Action='s3:getObject') ]
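The check the GSL rule expresses, as an added Python example (not Dome9/CloudGuard code and not the GSL engine). It evaluates IAM policy documents for an Allow statement that grants s3:GetObject and goes beyond the rule's two literal action names: IAM compares action names case-insensitively, expands the `*` and `?` wildcards in Action, and treats Allow + NotAction as "everything except", so `S3:*`, `s3:Get*`, `*` and `NotAction: iam:*` all grant GetObject. Resource and Condition are ignored, which is the same over-approximation the rule makes. Policy names and documents are constructed for the example and are not real AWS managed policies.

```python
"""Flag IAM policy documents that grant s3:GetObject (D9.AWS.IAM.71 logic).

Added example, not Dome9/CloudGuard code. Generalises the GSL rule's
literal match on 's3:*' / 's3:getObject' to IAM's real matching rules:
case-insensitive action names, * and ? wildcards, and Allow + NotAction.
"""
import fnmatch
import json
from typing import Iterable, List


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action, NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_grants(pattern: str, target: str) -> bool:
    """True if an Action/NotAction entry (possibly wildcarded) covers target.

    IAM action matching is case-insensitive and supports * and ?; IAM action
    names never contain [ ], so fnmatch's bracket syntax cannot misfire.
    """
    return fnmatch.fnmatchcase(target.lower(), pattern.lower())


def statement_allows(statement: dict, target: str = "s3:GetObject") -> bool:
    """Does one statement grant `target`? Resource/Condition are ignored."""
    if statement.get("Effect") != "Allow":
        return False
    if "NotAction" in statement:
        # Allow + NotAction grants every action except the listed ones.
        return not any(action_grants(p, target)
                       for p in _as_list(statement["NotAction"]))
    return any(action_grants(p, target)
               for p in _as_list(statement.get("Action")))


def policy_allows(document, target: str = "s3:GetObject") -> bool:
    """Accepts a parsed policy dict or its JSON text."""
    doc = json.loads(document) if isinstance(document, str) else document
    return any(statement_allows(s, target) for s in _as_list(doc.get("Statement")))


def find_noncompliant(policies: Iterable[dict]) -> List[str]:
    """policies: [{'name': ..., 'document': ...}] -> names granting s3:GetObject."""
    return [p["name"] for p in policies if policy_allows(p["document"])]


# Constructed sample policies (hypothetical names, not real AWS managed policies).
SAMPLE_POLICIES = [
    {"name": "AWSExampleFullS3",
     "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "S3:*", "Resource": "*"}]}},
    {"name": "AWSExampleReadViaWildcard",  # s3:Get* covers s3:GetObject
     "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}},
    {"name": "AWSExampleNotAction",  # everything except iam:* includes s3:GetObject
     "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}},
    {"name": "AWSExampleDenyOnly",  # Deny never grants
     "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}},
    {"name": "AWSExampleListOnly",  # bucket listing, no object read
     "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
          "Resource": "*"}]}},
]

if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_POLICIES):
        print("non-compliant:", name)
```

Feeding this the output of `aws iam get-policy-version --policy-arn ... --version-id ...` (the `PolicyVersion.Document` field) for each AWS-managed policy reproduces the rule's findings, plus the wildcard and NotAction cases.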

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read.

Learn more:
Compliance Engine
GSL Language

Remediation


Note: AWS managed policies cannot be deleted, so remediation consists of detaching the policy from every IAM user, group and role that uses it.

From Portal:
1. Go to 'IAM'
2. In the menu, under 'Access management', choose 'Policies'
3. For each non-compliant policy, make sure no IAM entities remain attached to it:
4. Choose the non-compliant policy
5. Under 'Policy usage', detach any IAM entity attached to it

From Command Line:
To remove the specified managed policy from a specified user, run:

aws iam detach-user-policy --user-name USER-NAME --policy-arn POLICY-ARN

To remove the specified managed policy from a specified IAM group, run:

aws iam detach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN

To remove the specified managed policy from a specified role, run:

aws iam detach-role-policy --role-name ROLE-NAME --policy-arn POLICY-ARN
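The three CLI steps above, combined into one remediation routine, as an added Python example (not Dome9/CloudGuard code). `plan_detachments` works purely on the documented shape of the `ListEntitiesForPolicy` response (`PolicyUsers`, `PolicyGroups`, `PolicyRoles`), so it can be reviewed or unit-tested offline; `apply_plan` needs boto3 and credentials with `iam:ListEntitiesForPolicy` and the three `iam:Detach*Policy` permissions, and defaults to a dry run that prints the equivalent `aws iam detach-*-policy` commands. The response page and policy ARN are constructed for the example.

```python
"""Detach a managed policy from every IAM user, group and role using it.

Added example, not Dome9/CloudGuard code. Detaching takes effect
immediately for the affected principals, so review the dry-run output
before running with dry_run=False.
"""
from typing import Dict, List, Tuple

# Entity kinds in the ListEntitiesForPolicy response -> (name field, boto3 call).
ENTITY_KINDS = {
    "PolicyUsers": ("UserName", "detach_user_policy"),
    "PolicyGroups": ("GroupName", "detach_group_policy"),
    "PolicyRoles": ("RoleName", "detach_role_policy"),
}

# CLI flag for each name field, used to render the plan as aws commands.
CLI_FLAGS = {"UserName": "--user-name", "GroupName": "--group-name",
             "RoleName": "--role-name"}


def plan_detachments(policy_arn: str, pages: List[Dict]) -> List[Tuple[str, Dict]]:
    """Turn ListEntitiesForPolicy pages into (boto3 method, kwargs) calls."""
    plan = []
    for page in pages:
        for key, (name_field, method) in ENTITY_KINDS.items():
            for entity in page.get(key, []):
                plan.append((method, {name_field: entity[name_field],
                                      "PolicyArn": policy_arn}))
    return plan


def as_cli(plan: List[Tuple[str, Dict]]) -> List[str]:
    """Render the plan as the equivalent aws CLI commands."""
    lines = []
    for method, kwargs in plan:
        name_field = next(k for k in kwargs if k != "PolicyArn")
        lines.append(f"aws iam {method.replace('_', '-')} "
                     f"{CLI_FLAGS[name_field]} {kwargs[name_field]} "
                     f"--policy-arn {kwargs['PolicyArn']}")
    return lines


def apply_plan(policy_arn: str, dry_run: bool = True) -> List[Tuple[str, Dict]]:
    """List every attachment of policy_arn and detach it (or just print)."""
    import boto3  # only needed when actually talking to AWS
    iam = boto3.client("iam")
    paginator = iam.get_paginator("list_entities_for_policy")
    pages = list(paginator.paginate(PolicyArn=policy_arn))
    plan = plan_detachments(policy_arn, pages)
    for line in as_cli(plan):
        print(("DRY RUN: " if dry_run else "RUN: ") + line)
    if not dry_run:
        for method, kwargs in plan:
            getattr(iam, method)(**kwargs)
    return plan


# Constructed sample response page (shape follows the ListEntitiesForPolicy API).
POLICY_ARN = "arn:aws:iam::aws:policy/ExamplePolicy"  # hypothetical ARN
SAMPLE_PAGES = [{
    "PolicyGroups": [{"GroupName": "data-engineers", "GroupId": "AGPAEXAMPLE1"}],
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLE1"}],
    "PolicyRoles": [{"RoleName": "etl-role", "RoleId": "AROAEXAMPLE1"}],
    "IsTruncated": False,
}]

if __name__ == "__main__":
    for line in as_cli(plan_detachments(POLICY_ARN, SAMPLE_PAGES)):
        print(line)
```

Run `apply_plan(arn)` once per finding to see what would be detached, then `apply_plan(arn, dry_run=False)` after confirming the listed users, groups and roles no longer need S3 read access through this policy.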


References:
1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies
2. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-delete.html
3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html
4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-group-policy.html
5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-role-policy.html

Related Links:
Policies and Permissions

IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

BP_0318