AWS-IAM-Admin-Privilege-Custom-Policy
Severity : Low
Description: This control ensures that a customer managed policy is not created with the full administrator access of the AWS managed AdministratorAccess policy. AWS managed policies are designed to provide permissions for many common use cases, and they make it easier to assign appropriate permissions to users, groups, and roles than customer managed policies do. The IAM AdministratorAccess job function policy provides full access and permissions delegation to every service and resource in AWS. It is recommended that this policy be used only for the account administrator. A custom policy created in place of the AWS managed policy does the same thing, or allows the misconfiguration to escalate.
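As an added example (not part of this control's text or any Blue Hexagon tooling), a small Python check that applies the control's test to customer managed policy documents: it flags any Allow statement that grants `"Action": "*"` on `"Resource": "*"`, which is the grant the AWS managed AdministratorAccess policy makes. The policy documents below are constructed samples; in a real review they would come from the IAM API (for example `iam:GetPolicyVersion`).

```python
import json

def statement_is_full_admin(stmt):
    """True when one statement allows every action ("*") on every resource ("*")."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = stmt.get("Action", [])
    resources = stmt.get("Resource", [])
    # IAM accepts either a single string or a list for Action and Resource.
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    # A Condition block may narrow the grant, but the statement still merits
    # review, so it is flagged regardless of any condition present.
    return "*" in actions and "*" in resources

def policy_grants_full_admin(policy_document):
    """Accept a policy as a dict or JSON string; True if any statement is admin-equivalent."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    return any(statement_is_full_admin(s) for s in statements)

# Constructed sample customer managed policies (not data from any real account).
SAMPLE_POLICIES = {
    "CustomAdminPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3ReadOnlyPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]},
    "AllActionsOneBucket": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["*"], "Resource": "arn:aws:s3:::example-bucket/*"}},
    "DenyEverything": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}

def find_admin_policies(policies):
    """Return the sorted names of the policies this control would flag."""
    return sorted(name for name, doc in policies.items() if policy_grants_full_admin(doc))

if __name__ == "__main__":
    print("Flagged:", find_admin_policies(SAMPLE_POLICIES))  # Flagged: ['CustomAdminPolicy']
```

Only the policy whose statement allows every action on every resource is flagged; a wildcard action scoped to one bucket, a read-only grant, and a Deny statement all pass.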
Remediation Steps:
Perform the following to delete the custom IAM policy:
Log in to the AWS Management Console at https://console.aws.amazon.com as the root user.
Navigate to the IAM console.
In the navigation pane, choose Policies.
Select the check box next to the customer managed policy to delete.
Choose Actions, and then choose Delete.
Confirm that you want to delete the policy, and then choose Delete.
Important:
Deleting the custom admin privilege policy will remove admin access from the users to which the policy is assigned. If those users need AdministratorAccess, attach the AWS managed AdministratorAccess policy to the user to assign admin privilege.
Reference:
Blue Hexagon Proprietary