AWS-006 Amazon Web Services (AWS)

No IAM identity has unrestricted administrator (*:*) policies beyond a justified few.

Domain: Amazon Web Services (AWS)
Area: IAM
Automated / manual: Automated

Risk if it fails

Over-permissioned identities maximise blast radius.

If everyone is an admin, compromising any one account compromises everything. Attackers specifically hunt for the most powerful identity they can find.

How Tess tests it

1 test — each concludes only on cited evidence.

No IAM identity has unrestricted administrator (*:*) policies beyond a justified few.

Automated
Procedure
Enumerate attached/inline policies and flag any granting Action '*' on Resource '*'.

Read-only command

aws iam list-policies --scope Local --query 'Policies[].[Arn,DefaultVersionId]' --output text \
  | while read -r arn ver; do
      # fetch the default version of each customer-managed policy (hard-coding v1 misses policies that have been updated)
      aws iam get-policy-version --policy-arn "$arn" --version-id "$ver" --query 'PolicyVersion.Document' --output json
    done
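A worked version of the flagging step in the procedure above, added here as an illustrative example and not Tess's own code: it applies the same rule (an Allow statement with Action '*' on Resource '*') to policy documents as returned by the CLI, handles the single-statement and string-versus-list forms that IAM permits, and subtracts an allow-list of justified ARNs so that the "justified few" are reported separately. The ARNs, account id and policy documents are constructed samples, not real account data.

```python
import json
from typing import Any, Iterable

# Constructed sample data: ARN -> policy document, as get-policy-version
# (or get-user-policy / get-role-policy for inline policies) would return it.
SAMPLE_POLICIES: dict[str, dict[str, Any]] = {
    "arn:aws:iam::123456789012:policy/BreakGlassAdmin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "arn:aws:iam::123456789012:policy/DeployRole": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::deploy-bucket/*"},
            # an admin grant buried in a list form, easy to miss with a naive string compare
            {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        ],
    },
    "arn:aws:iam::123456789012:policy/ReadOnlyAudit": {
        "Version": "2012-10-17",
        # single-statement form: Statement is a dict, not a list
        "Statement": {"Effect": "Allow", "Action": "*",
                      "Resource": "arn:aws:s3:::audit-logs/*"},
    },
    "arn:aws:iam::123456789012:policy/DenyAll": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
    },
}


def _as_list(value: Any) -> list:
    """IAM allows Statement, Action and Resource as a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_unrestricted_admin(document: Any) -> bool:
    """True if any Allow statement grants Action '*' on Resource '*'.

    Accepts either a parsed document or its JSON text.
    """
    if isinstance(document, str):
        document = json.loads(document)
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with '*'/'*' is not a grant
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            return True
    return False


def flag_admin_policies(policies: dict[str, Any], justified: Iterable[str] = ()) -> list[str]:
    """Return the ARNs of unrestricted-admin policies that are not on the justified allow-list."""
    allow = set(justified)
    return sorted(arn for arn, doc in policies.items()
                  if is_unrestricted_admin(doc) and arn not in allow)


if __name__ == "__main__":
    # Hypothetical allow-list of the 'justified few'; everything else is a finding.
    justified = ["arn:aws:iam::123456789012:policy/BreakGlassAdmin"]
    for arn in flag_admin_policies(SAMPLE_POLICIES, justified):
        print("FINDING: unrestricted admin policy", arn)
```

Note that `list-policies --scope Local` returns customer-managed policies only; a complete run of the procedure also needs the documents of inline policies (`get-user-policy`, `get-role-policy`, `get-group-policy`) and the attachments of the AWS-managed AdministratorAccess policy (`list-attached-user-policies` and friends), and the same function applies to each document unchanged.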
