Severity : MediumDescription : Admins in an account should be assumed by people. This rule detects IAM Roles that can be granted to EC2s and other services, that has admin privileges.Critical
Description: This control ensures that there are no IAM policies exists that allows full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. Policies that have a statement with "Effect": "Allow" with Admin privilege should be updated to allow limited actions. Best security practice recommend using least privilege or only the permission required to perform the task.
Remediation Steps:
Perform following to update IAM policy for IAM user :
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to IAM console.
In the navigation pane, choose Policies.
Select the check box next to the customer managed policy reported or Filter menu and the search box to filter the list of policies.
Choose the Permissions tab, and then choose Edit policy.
Edit the policy Action statement to least privilege actions or specific action in place of wildcard(*).
Edit the policy Resources statement to specific resources in place of wildcard(*).
Choose Review Policy.
Choose Save changes on review page.
Important:
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.16