1. Log in to the AWS Management Console (https://console.aws.amazon.com/).
2. Navigate to the IAM service by searching for “IAM” in the AWS services search bar and selecting “IAM” from the results.
3. In the IAM console, click on “Roles” in the left-hand menu.
4. Review the list of roles and identify the roles that have infrastructure modification capabilities. These roles typically have policies attached that grant permissions to modify resources such as EC2 instances, S3 buckets, or VPC configurations.
5. Click on the role that has the misconfiguration to view its details.
6. In the “Permissions” tab, review the policies attached to the role. Look for policies that grant broad or excessive permissions related to infrastructure modification.
7. Identify the specific actions or services that the role should not have access to modify and note them down for later reference.
8. Click on the “Policy” name to view the policy document.
9. In the policy document, locate the specific statements that grant the undesired infrastructure modification capabilities.
10. Edit the policy document by removing or modifying the statements that grant the undesired permissions. Ensure that you only remove the necessary permissions to remediate the misconfiguration.
11. After making the necessary changes, click on the “Review policy” button to validate the policy syntax and save the changes.
12. Review the updated policy to ensure it aligns with the desired permissions and does not grant any unnecessary infrastructure modification capabilities.
13. Repeat steps 5-12 for all roles that have the misconfiguration, ensuring that each role’s policy is appropriately modified.
14. Once you have remediated all the roles, perform a thorough review to ensure that the roles now have the correct and desired permissions.
15. Monitor the roles periodically to ensure that the misconfiguration does not reoccur and that any changes made align with the organization’s security and compliance requirements.

​

1. Open the AWS CLI on your local machine.
2. Run the following command to list all the IAM users in your AWS account:
   Copy

   Ask AI

   aws iam list-users
   

3. Identify the users who have infrastructure modification capabilities. These users might have IAM policies attached to them that grant them excessive permissions.
4. Run the following command to list the attached policies for a specific user (replace <user-name> with the actual username):
   Copy

   Ask AI

   aws iam list-attached-user-policies --user-name <user-name>
   

5. Review the output and identify the policies that grant infrastructure modification capabilities. Take note of the policy names.
6. Run the following command to view the details of a specific policy (replace <policy-arn> with the actual ARN of the policy):
   Copy

   Ask AI

   aws iam get-policy --policy-arn <policy-arn>
   

7. Review the policy document returned in the output. Look for statements that grant infrastructure modification capabilities, such as ec2:*, s3:*, rds:*, etc.
8. Once you have identified the policies that need to be modified, create new policies with more restricted permissions. You can use the AWS Policy Generator (https://awspolicygen.s3.amazonaws.com/policygen.html) to help you create the updated policies.
9. After creating the updated policies, run the following command to attach the updated policies to the user (replace <user-name> and <policy-arn> with the actual values):
   Copy

   Ask AI

   aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
   

10. Repeat steps 4-9 for each user with infrastructure modification capabilities, ensuring that you attach the updated policies to them.
11. Finally, retest the access of the users to verify that they no longer have excessive permissions for infrastructure modification.

1. Identify the IAM users or roles that have infrastructure modification capabilities. These capabilities include actions like CreateStack, DeleteStack, UpdateStack, CreateBucket, DeleteBucket, etc.
2. Use the AWS SDK for Python (Boto3) to create a Python script that will remove the infrastructure modification capabilities from the identified principals.
3. Install the Boto3 library by running the following command:
   Copy

   Ask AI

   pip install boto3
   

4. Configure your AWS credentials by either setting environment variables or using the AWS CLI aws configure command.
5. Import the necessary libraries in your Python script:
   Copy

   Ask AI

   import boto3
   

6. Create an AWS IAM client using Boto3:
   Copy

   Ask AI

   iam_client = boto3.client('iam')
   

7. Retrieve a list of all IAM users and roles:
   Copy

   Ask AI

   response = iam_client.list_users()
   users = response['Users']
   
   response = iam_client.list_roles()
   roles = response['Roles']
   

8. Iterate through the list of users and roles to identify the ones with infrastructure modification capabilities. You can use the list_attached_user_policies and list_attached_role_policies methods to get the policies attached to each user or role:
   Copy

   Ask AI

   for user in users:
       response = iam_client.list_attached_user_policies(UserName=user['UserName'])
       attached_policies = response['AttachedPolicies']
       # Check if any of the attached policies contain infrastructure modification capabilities
       # If found, remove the policy from the user using the detach_user_policy method
   
   for role in roles:
       response = iam_client.list_attached_role_policies(RoleName=role['RoleName'])
       attached_policies = response['AttachedPolicies']
       # Check if any of the attached policies contain infrastructure modification capabilities
       # If found, remove the policy from the role using the detach_role_policy method
   

9. Save the script and execute it. It will remove the infrastructure modification capabilities from the identified IAM users and roles.
10. Monitor the execution and verify that the infrastructure modification capabilities have been successfully removed from the principals.