AWS_IAM_17

Ensure IAM Master and IAM Manager roles are active

Description

Ensure IAM Master and IAM Manager roles are in place for IAM administration and assignment of administrative permissions for other services to other roles. An IAM role is conceptually “a container of permissions resembling a user account which cannot be directly logged into, but which must instead be assumed from an existing user account which has appropriate permissions to do so”, in the manner of roles in Unix Role-Based Access Control (RBAC). In AWS, roles can also be assigned to EC2 instances and Lambda functions. Control over IAM, which is also defined and mediated by a number of fine-grained permissions, should be divided between a number of roles, such that no individual user in a production account has full control over IAM.

Remediation

Using the Amazon unified CLI, from a user or role which has the iam:CreateRole,
iam:CreatePolicy and iam:PutRolePolicy permissions:

# create-role also requires a trust policy (--assume-role-policy-document) naming
# the principals allowed to assume the role; <trust_policy>.json is a placeholder.
aws iam create-role --role-name <iam_manager_role_name> --assume-role-policy-document file://<trust_policy>.json
aws iam create-role --role-name <iam_master_role_name> --assume-role-policy-document file://<trust_policy>.json

aws iam put-role-policy --role-name <iam_manager_role_name> --policy-name <iam_manager_permissions_policy> --policy-document file://IAM-Manager-policy.json
aws iam put-role-policy --role-name <iam_master_role_name> --policy-name <iam_master_permissions_policy> --policy-document file://IAM-Master-policy.json


where IAM-Master-policy.json contains:


{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
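The Description asks that no single role hold full control over IAM. The following added example (not part of this page or of any AWS tooling) checks that property over policy documents in the shape of the files above: it evaluates Allow/Deny statements with IAM-style wildcards, reports whether one document alone grants every privileged IAM action, and reports which privileged actions two roles both hold. The privileged-action list and the three sample documents are constructed for the example; the page's own IAM-Master/IAM-Manager policy files define the real split.

```python
import fnmatch
import json

# Constructed list of IAM actions whose combination amounts to full control
# over IAM; the page's own policy files define the authoritative set.
PRIVILEGED_IAM_ACTIONS = [
    "iam:CreateUser", "iam:CreateRole", "iam:CreatePolicy",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy", "iam:DeleteUser", "iam:DeleteRole",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action):
    """Evaluate one policy document for one action: an explicit Deny wins over
    any Allow; only the Action element is matched (IAM-style '*' and '?'
    wildcards, case-insensitive), not Resource or Condition."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def granted_privileged_actions(policy):
    return {a for a in PRIVILEGED_IAM_ACTIONS if policy_allows(policy, a)}

def has_full_iam_control(policy):
    """True when one role alone can perform every privileged IAM action."""
    return granted_privileged_actions(policy) == set(PRIVILEGED_IAM_ACTIONS)

def duties_overlap(master, manager):
    """Privileged actions both roles may perform; a clean split returns none."""
    return granted_privileged_actions(master) & granted_privileged_actions(manager)

# Constructed sample documents in the shape of the policy files above: the
# Master creates and deletes principals, the Manager assigns permissions.
IAM_MASTER = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:Create*", "iam:Delete*",
                                 "iam:UpdateAssumeRolePolicy"], "Resource": "*"},
  {"Effect": "Deny", "Action": ["iam:Attach*", "iam:Put*"], "Resource": "*"}]}''')
IAM_MANAGER = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:Attach*", "iam:Put*", "iam:Detach*"], "Resource": "*"},
  {"Effect": "Deny", "Action": ["iam:Create*", "iam:Delete*"], "Resource": "*"}]}''')
# A single role holding iam:* is the concentration of control this rule prevents.
FULL_IAM_ADMIN = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
```

Run the same functions over the inline policies of the real roles (for example from `aws iam get-role-policy`) to confirm the split after remediation.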

Service

IAM

Severity

Low

Compliance

Mapping
