Policy: AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached

Configures auditing against a CIS Benchmark item.

Level: 1

IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege - that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.

Note: This control does not evaluate AWS managed IAM policies since they are not available in Turbot CMDB.

Resource Types

This policy targets the following resource types:

AWS > IAM > Policy

Primary Policy

This policy is used with the following primary policy:

AWS > CIS v2.0 > 1 - Identity and Access Management

Controls

Policy Specification

Schema Type	`string`
Default	`Per AWS > CIS v2.0 > 1 - Identity and Access Management`
Valid Values [YAML]	`Per AWS > CIS v2.0 > 1 - Identity and Access Management` `Skip` `Check: Benchmark`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v0704

Policy Type URI

tmod:@turbot/aws-cisv2-0#/policy/types/r0116

GraphQL

query policyType(id: "tmod:@turbot/aws-cisv2-0#/policy/types/r0116") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-cisv2-0#/policy/types/r0116'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-cisv2-0#/policy/types/r0116'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-cisv2-0#/policy/types/r0116"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-cisv2-0#/policy/types/r0116"

Policy: AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached