Severity : Medium
Description:
...
This control ensures that IAM roles policy which allows to assume roles are not very permissive and follow the principal of least privilege to perform the tasks. IAM role with right permission significantly reduce the unauthorized access to resources. IAM role policies which allows all actions with action statement with wildcard (*) or IAM::* , with action statement with sts:AssumeRole and principal statement as AWS::”*”, with action statement IAM::PassRole and resources statement with wildcard(*) are too permissive and must be updated to specific actions.
Remediation Steps:
Perform following to update the custom managed IAM role policies :
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to IAM console.
In the navigation pane, click Roles.
Select the roles reported.
Choose Permission.
Under Managed Policy, open the policy to edit.
On Policy Details, select Policy Document and click Edit.
Update the policy by replacing the wildcard(*) in Action with specific action, resources for specific resources, Principal with selected principal or a conditional statement for principal.
Select validate Policy.
Choose Save.
Important:
Reference: