Check if custom role policies are present

Risk Level

Medium

Address

Security

Compliance Standards

CBP, SEBI

Triage and Remediation

How to Prevent

Using Console

To prevent IAM Custom Role Policies from being present in IAM using the AWS Management Console, follow these steps:
  1. Review Existing IAM Roles:
    • Navigate to the IAM Dashboard in the AWS Management Console.
    • Click on “Roles” in the left-hand menu.
    • Review the list of existing roles and identify any custom roles that have policies attached.
  2. Restrict Creation of Custom Roles:
    • Go to the “Policies” section in the IAM Dashboard.
    • Create or update a policy that restricts the creation of custom roles.
    • Attach this policy to IAM users or groups that should not have the ability to create custom roles.
  3. Enable AWS Config Rules:
    • Navigate to the AWS Config service in the AWS Management Console.
    • Set up AWS Config rules to monitor IAM role configurations.
    • Enable rules such as “iam-role-managed-policy-check” to ensure that only managed policies are attached to roles.
  4. Set Up CloudWatch Alarms:
    • Go to the CloudWatch service in the AWS Management Console.
    • Create a new alarm that triggers on specific IAM events, such as the creation of a custom role or the attachment of an inline policy (CloudTrail must deliver events to a CloudWatch Logs group, with a metric filter on those event names feeding the alarm).
    • Configure the alarm to send notifications to administrators for immediate review and action.
By following these steps, you can effectively monitor and control the presence of IAM Custom Role Policies in your AWS environment.
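The restriction policy from step 2 and the alerting from step 4 both hinge on the same small set of IAM actions. The following is an added example, not part of the original page: it builds the deny policy document from that action list and classifies sample CloudTrail records against it. The account ID, role and policy names are constructed placeholders; the record fields (eventSource, eventName, requestParameters) follow CloudTrail's format.

```python
# IAM actions that introduce customer-defined (custom) role policies.
RESTRICTED_ACTIONS = (
    "iam:CreateRole",
    "iam:PutRolePolicy",        # attaches an inline policy to a role
    "iam:CreatePolicy",         # creates a customer-managed policy
    "iam:CreatePolicyVersion",
)
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"

def deny_custom_role_policies(exempt_role_arn):
    """IAM policy document denying RESTRICTED_ACTIONS to every principal
    except one exempted admin role (the ARN passed in is a placeholder)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomRolePolicies",
            "Effect": "Deny",
            "Action": list(RESTRICTED_ACTIONS),
            "Resource": "*",
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": exempt_role_arn}},
        }],
    }

def flag_event(event):
    """Classify one CloudTrail record; return a finding string or None."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    action = "iam:" + event["eventName"]
    params = event.get("requestParameters") or {}
    if action in RESTRICTED_ACTIONS:
        return f"{action} on {params.get('roleName') or params.get('policyName')}"
    # AttachRolePolicy is a finding only when the policy is customer-managed.
    arn = params.get("policyArn", "")
    if action == "iam:AttachRolePolicy" and not arn.startswith(AWS_MANAGED_PREFIX):
        return f"{action} {arn} to {params.get('roleName')}"
    return None

def scan(events):
    return [f for f in map(flag_event, events) if f]

# Constructed sample CloudTrail records, not real account data.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "requestParameters": {"roleName": "app-role", "policyName": "inline-s3"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "app-role", "policyArn": AWS_MANAGED_PREFIX + "ReadOnlyAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "app-role", "policyArn": "arn:aws:iam::123456789012:policy/custom"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
]
```

Only the inline policy and the customer-managed attachment are flagged; attaching an AWS managed policy passes, which matches the intent of the check.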
To prevent IAM Custom Role Policies from being present in IAM using AWS CLI, you can follow these steps:
  1. List Existing IAM Roles: First, identify all the IAM roles in your AWS account to ensure you know which roles are currently configured.
    aws iam list-roles
    
  2. Check for Custom Policies Attached to Roles: For each role, list the inline (custom) policies embedded in it. An empty list means the role carries no custom policy.
    aws iam list-role-policies --role-name <role-name>
    
  3. Detach Custom Policies from Roles: If you find any custom policies attached to a role, detach them to ensure that no custom policies are present.
    aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>
    
  4. Enforce Use of Managed Policies: Ensure that roles only use AWS managed policies or predefined policies by attaching them to the roles.
    aws iam attach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/<policy-name>
    
By following these steps, you can prevent the presence of custom role policies in IAM using AWS CLI.
To prevent IAM Custom Role Policies from being present in IAM using Python scripts, you can follow these steps:
  1. Set Up Environment and Install Required Libraries:
    • Ensure you have the necessary SDKs installed for AWS, Azure, and GCP.
    • For AWS, use boto3.
    • For Azure, use azure-identity and azure-mgmt-authorization.
    • For GCP, use google-cloud-iam.
  2. Authenticate and Initialize Clients:
    • Authenticate and initialize the respective clients for AWS, Azure, and GCP.
  3. Check for Existing Custom Roles:
    • Write scripts to list and check for existing custom roles in each cloud environment.
  4. Prevent Creation of Custom Roles:
    • Implement logic to prevent the creation of custom roles by monitoring and intercepting role creation requests.
Here are the Python scripts for each cloud provider:

AWS (Using boto3)

import boto3

# Initialize IAM client
iam_client = boto3.client('iam')

# List all customer-created roles; service-linked roles live under the
# /aws-service-role/ path and are excluded
def list_custom_roles():
    custom_roles = []
    paginator = iam_client.get_paginator('list_roles')
    for page in paginator.paginate():
        for role in page['Roles']:
            if not role['Path'].startswith('/aws-service-role/'):
                custom_roles.append(role)
    return custom_roles

# Map each role carrying inline (custom) policies to the names of those policies
def roles_with_custom_policies():
    findings = {}
    for role in list_custom_roles():
        inline = iam_client.list_role_policies(RoleName=role['RoleName'])['PolicyNames']
        if inline:
            findings[role['RoleName']] = inline
    return findings

# Report roles with custom policies; with remediate=True remove them
# (equivalent to `aws iam delete-role-policy`)
def prevent_custom_roles(remediate=False):
    findings = roles_with_custom_policies()
    for role_name, policy_names in findings.items():
        print(f"Custom role policies detected on {role_name}: {policy_names}")
        if remediate:
            for policy_name in policy_names:
                iam_client.delete_role_policy(RoleName=role_name, PolicyName=policy_name)
    return findings

prevent_custom_roles()

Azure (Using azure-identity and azure-mgmt-authorization)

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Initialize Azure client (replace the subscription ID with your own)
credential = DefaultAzureCredential()
subscription_id = 'your_subscription_id'
scope = f'/subscriptions/{subscription_id}'
auth_client = AuthorizationManagementClient(credential, subscription_id)

# List all custom role definitions visible at the subscription scope;
# built-in roles have role_type 'BuiltInRole'
def list_custom_roles():
    custom_roles = []
    for role in auth_client.role_definitions.list(scope):
        if role.role_type == 'CustomRole':
            custom_roles.append(role)
    return custom_roles

# Report custom roles so they can be reviewed and removed
def prevent_custom_roles():
    custom_roles = list_custom_roles()
    for role in custom_roles:
        print(f"Custom role detected: {role.role_name} ({role.id})")
    # Blocking further custom role creation is done outside this script,
    # e.g. with an Azure Policy assignment on Microsoft.Authorization/roleDefinitions
    return custom_roles

prevent_custom_roles()

GCP (Using google-cloud-iam)

from google.cloud import iam_admin_v1
from google.oauth2 import service_account

# Initialize GCP IAM admin client (replace the key path and project ID with your own)
credentials = service_account.Credentials.from_service_account_file('path_to_your_service_account_key.json')
iam_client = iam_admin_v1.IAMClient(credentials=credentials)
project_id = 'your_project_id'

# List project-level custom roles. Every role returned under a project parent is
# custom by definition (predefined roles are named roles/*, not projects/*/roles/*),
# so no launch-stage check is needed; deleted roles are omitted by default
def list_custom_roles():
    request = {'parent': f'projects/{project_id}', 'view': iam_admin_v1.RoleView.FULL}
    return list(iam_client.list_roles(request=request))

# Report custom roles with their stage and permission count for review
def prevent_custom_roles():
    custom_roles = list_custom_roles()
    for role in custom_roles:
        print(f"Custom role detected: {role.name} (stage {role.stage.name}, "
              f"{len(role.included_permissions)} permissions)")
    # Blocking further custom role creation is done outside this script,
    # by granting iam.roles.create only to a designated administrator group
    return custom_roles

prevent_custom_roles()

Summary

  1. Set Up Environment and Install Required Libraries: Ensure you have the necessary SDKs installed.
  2. Authenticate and Initialize Clients: Authenticate and initialize the respective clients for AWS, Azure, and GCP.
  3. Check for Existing Custom Roles: Write scripts to list and check for existing custom roles in each cloud environment.
  4. Prevent Creation of Custom Roles: Implement logic to prevent the creation of custom roles by monitoring and intercepting role creation requests.
These scripts report the custom IAM roles and custom role policies present in AWS, Azure, and GCP so that they can be reviewed and removed.