Ensure no IAM AWS-managed policies grant full administrative access
Why this matters
IAM (Identity and Access Management) policies define what actions users, roles, or groups can take in your AWS environment. Granting full administrative access (e.g., "Action": "*" and "Resource": "*" in combination with "Effect": "Allow") to users via AWS-managed policies contradicts the principle of least privilege.
Such broad permissions can allow accidental or malicious changes to critical systems, data leaks, and full service disruption. Using narrowly scoped, custom policies helps reduce the attack surface and prevent privilege misuse.
AWS-managed policies like AdministratorAccess should only be used in rare, tightly controlled scenarios. Avoid using them for routine access.
What this check does
This check scans all IAM users, groups, and roles for AWS-managed policies that grant full administrative access.
The check fails if:
Any entity (user, group, or role) has an attached AWS-managed policy that provides "Action": "*" permissions.
It passes if:
No such AWS-managed admin policy is found.
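The pass/fail logic above, written out as an added, self-contained example (this is not the check's own source code). It evaluates policy documents the way the check describes: an AWS-managed policy fails if any statement is "Effect": "Allow" on "Action": "*" and "Resource": "*", in either single-value or list form, regardless of any Deny statements beside it. Retrieval from AWS is deliberately left out so it runs offline; the attachment list mirrors what aws iam list-entities-for-policy reports, and the policy documents and entity names below are constructed sample data (AdministratorAccess is the real policy with its well-known Allow */* document; the other two ARNs are hypothetical).

```python
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"


def _as_list(value):
    """IAM allows Action, Resource and Statement to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_grants_full_admin(stmt):
    """True when one statement is Effect=Allow on Action "*" and Resource "*"."""
    if stmt.get("Effect") != "Allow":
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def policy_grants_full_admin(document):
    """A document fails if any statement grants full admin; a Deny elsewhere in
    the same document does not rescue it, the Allow */* is still present."""
    return any(statement_grants_full_admin(s) for s in _as_list(document.get("Statement")))


def is_aws_managed(policy_arn):
    return policy_arn.startswith(AWS_MANAGED_PREFIX)


def find_admin_attachments(attachments, policy_documents):
    """Return (entity_type, entity_name, policy_arn) for every AWS-managed
    attachment whose document grants full administrative access."""
    findings = []
    for att in attachments:
        arn = att["policy_arn"]
        if not is_aws_managed(arn):
            continue  # customer-managed policies are outside this check's scope
        document = policy_documents.get(arn)
        if document is not None and policy_grants_full_admin(document):
            findings.append((att["entity_type"], att["entity_name"], arn))
    return findings


def check_status(findings):
    return "FAIL" if findings else "PASS"


# --- constructed sample data (not fetched from any account) -----------------
SAMPLE_POLICY_DOCUMENTS = {
    # real AWS-managed policy, well-known Allow */* document
    "arn:aws:iam::aws:policy/AdministratorAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    # hypothetical AWS-managed policy: list form plus an extra Deny statement
    "arn:aws:iam::aws:policy/ExampleBroadAccess": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
            {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"},
        ],
    },
    # hypothetical customer-managed policy: narrowly scoped, single statement
    "arn:aws:iam::123456789012:policy/ExampleS3ReadOnly": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::example-bucket/*"},
    },
}

# Flattened shape of what `aws iam list-entities-for-policy` reports (constructed).
SAMPLE_ATTACHMENTS = [
    {"entity_type": "user", "entity_name": "ci-deploy",
     "policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    {"entity_type": "group", "entity_name": "platform-admins",
     "policy_arn": "arn:aws:iam::aws:policy/ExampleBroadAccess"},
    {"entity_type": "role", "entity_name": "report-reader",
     "policy_arn": "arn:aws:iam::123456789012:policy/ExampleS3ReadOnly"},
]


def run_sample_check():
    findings = find_admin_attachments(SAMPLE_ATTACHMENTS, SAMPLE_POLICY_DOCUMENTS)
    return check_status(findings), findings


if __name__ == "__main__":
    status, findings = run_sample_check()
    print(status)
    for entity_type, name, arn in findings:
        print(f"  {entity_type} {name} -> {arn}")
```

Against the sample data the check reports FAIL with two findings (the user attached to AdministratorAccess and the group attached to the hypothetical broad policy); the customer-managed S3 policy is ignored because the check only considers AWS-managed policies.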
How to fix it
From the AWS Console
Sign in to the IAM Console
In the left menu, go to Policies
Search for AdministratorAccess
or any policy flagged in the check
Open the policy and view Attached entities
For each attached User, Group, or Role, click Detach policy
(Optional but recommended) After detaching, select the policy and click Delete to prevent future use
From the AWS CLI
```bash
# List attached entities
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Detach from a user
aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Detach from a group
aws iam detach-group-policy --group-name <groupname> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Detach from a role
aws iam detach-role-policy --role-name <rolename> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```
Replace <username>, <groupname>, and <rolename> with the actual entity names from your environment.
Exceptions
If full administrative access is required for a break-glass or emergency account, it must be:
Clearly documented
Monitored (e.g., with CloudTrail alerts)
Not assigned to day-to-day user roles
Protected by MFA and audit logging
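One way to satisfy the "Monitored (e.g., with CloudTrail alerts)" requirement is to watch CloudTrail for any successful attachment of a full-admin policy and flag attachments made by anyone other than the documented break-glass principals. The following is an added example, not part of this page or of any AWS tooling; it uses the standard CloudTrail record fields (eventSource, eventName, userIdentity.arn, requestParameters, errorCode). The sample records, the account id, and the break-glass principal ARN are constructed for illustration.

```python
import json

# Policy ARNs whose attachment should always be alerted on. AdministratorAccess is
# the real AWS-managed policy; add any other policy flagged by the check here.
FULL_ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# Principals documented as the break-glass procedure (hypothetical ARN).
BREAK_GLASS_PRINCIPALS = {"arn:aws:iam::123456789012:user/breakglass-ops"}

ATTACH_EVENTS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"}


def target_of(event):
    """CloudTrail names the entity receiving the policy under requestParameters."""
    params = event.get("requestParameters") or {}
    for key in ("userName", "groupName", "roleName"):
        if key in params:
            return key[:-4], params[key]  # strip "Name" -> user / group / role
    return "unknown", "?"


def alerts_for(events):
    """One alert per successful attachment of a full-admin policy, with a flag
    telling whether the actor is a documented break-glass principal."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in ATTACH_EVENTS:
            continue
        if ev.get("errorCode"):
            continue  # the API call failed, so no policy was attached
        params = ev.get("requestParameters") or {}
        policy_arn = params.get("policyArn", "")
        if policy_arn not in FULL_ADMIN_POLICY_ARNS:
            continue
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        entity_type, entity_name = target_of(ev)
        alerts.append({
            "time": ev.get("eventTime"),
            "actor": actor,
            "entity": f"{entity_type}/{entity_name}",
            "policy_arn": policy_arn,
            "break_glass": actor in BREAK_GLASS_PRINCIPALS,
        })
    return alerts


def unexpected_alerts(events):
    """Attachments that are not covered by the documented break-glass process."""
    return [a for a in alerts_for(events) if not a["break_glass"]]


def parse_events(lines):
    return [json.loads(line) for line in lines if line.strip()]


# --- constructed CloudTrail records, one JSON object per line ---------------
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
SAMPLE_CLOUDTRAIL_LINES = [
    json.dumps({"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachUserPolicy",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"userName": "ci-deploy", "policyArn": ADMIN}}),
    json.dumps({"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachRolePolicy",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/breakglass-ops"},
                "requestParameters": {"roleName": "incident-response", "policyArn": ADMIN}}),
    json.dumps({"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachGroupPolicy",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"groupName": "readers",
                                      "policyArn": "arn:aws:iam::123456789012:policy/ExampleS3ReadOnly"}}),
    json.dumps({"eventTime": "2024-01-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachUserPolicy", "errorCode": "AccessDenied",
                "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
                "requestParameters": {"userName": "bob", "policyArn": ADMIN}}),
]


if __name__ == "__main__":
    for alert in unexpected_alerts(parse_events(SAMPLE_CLOUDTRAIL_LINES)):
        print(f"{alert['time']} {alert['actor']} attached {alert['policy_arn']} to {alert['entity']}")
```

Over the sample records the break-glass attachment is recorded but not treated as unexpected, the narrowly scoped customer policy and the denied attempt produce nothing, and only alice's attachment of AdministratorAccess to ci-deploy surfaces as an alert.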