Automated IAM Provisioning leverages checks from AWS Identity and Access Management Access Analyzer, and performs additional checks and validations against the AMS boundary policy. AMS defined the additional checks and validations based on IAM best practices, experience operating customer workloads in the cloud, and the collective AMS IAM manual evaluation experience.
You can view policy run-time check findings in the request for change (RFC) output. The findings include the resource identifier, location within the role and/or policy that generated the findings, and a message outlining the check that the IAM entity or resource failed to pass. These findings help you author policies that are functional and conform to security best practices.
Note
Automated IAM Provisioning attempts to be specific about the location within the entity or policy definition that fails to pass the check. Depending on the type, the location might include the resource name or ARN, or the index within an array (for example, a statement), to help you adjust the entity or policy for a successful outcome.
For a smooth AMS Automated IAM Provisioning experience, it's a best practice to use the “validate only” option to run the validation checks until there are no findings from the validation checks reported in the RFC outputs. When the validation checks report no findings, choose Create copy from the AMS Console to quickly create a copy of the existing RFC. When you are ready to provision, in the Parameters section, switch the Validate only value from Yes to No, and then proceed.
These are the run-time checks that AMS Automated IAM Provisioning performs to ensure that your IAM resources are secure:
Note
To provision IAM policies that contain actions denied by these automated change types, you must follow the RFC customer security risk management (CSRM) process. Use the following change type: Deployment | Advanced stack components | Identity and Access Management (IAM) | Create entity or policy (review required) (ct-3dpd8mdd9jn1r).
- IAM Access Analyzer policy check and validation: See also Access Analyzer policy check reference and IAM Access Analyzer policy validation.
- AMS permissions boundary policy checks: Actions on a set of services that are denied by default. For more information, see Automated IAM Provisioning permission boundary check.
- Customer-defined permissions boundary policy checks: Additional restricted actions on a set of services that are denied. For more information, see Automated IAM Provisioning permission boundary check.
- AMS-defined custom checks: Checks that identify various insecure and overly permissive policies or access patterns within a requested IAM entity or policy, and deny the request if one is found. For more information, see AWS JSON policy elements: Principal.
| Finding | Description |
|---|---|
| The role can be accessed from an external account that is outside of your zone of trust. | This finding refers to a principal listed in the role trust policy that is outside of your zone of trust. A zone of trust is defined as the account where the role is being created or the AWS organization that the account belongs to. An entity that does not belong to the account or to the same AWS Organization is an external entity. To resolve the finding, review the account IDs in the principal ARNs and make sure that they belong to you and are AMS onboarded accounts. |
| The role can be accessed by an external entity owned by account | This finding is generated if the role trust policy includes a principal ARN with an account ID that is not owned by you and is not an AMS onboarded account. To resolve this finding, remove any such principal from the role trust policy. |
| The canonical user ID is not a supported principal in IAM trust policy. | Canonical user IDs are not supported as principals in IAM trust policies. To resolve the finding, remove any such principal from the role trust policy. |
| The role can be accessed by an external web identity that is outside of your zone of trust. | This finding is generated if the role trust policy allows an external web identity provider (IdP) other than a SAML IdP. To resolve this finding, review the role trust policy and remove statements that allow the |
| The role can be accessed through SAML federation; however, the provided SAML identity provider (IdP) does not exist. | This finding is generated if the role trust policy contains a SAML IdP that does not exist in your account. To resolve this, ensure that all the listed SAML IdPs exist in your account. |
| Policy contains privileged actions equivalent to administrator or power user access. Consider reducing the permission scope to a specific service, action, or resource. If advanced policy elements such as NotAction or NotResource are used, make sure that they are not granting more access than you intend, particularly in Allow statements. | It's a best security practice in AWS Identity and Access Management to grant only the permissions required to perform a task when you set permissions with IAM policies. Do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions. This finding is generated when automation detects that the policy grants broad permissions and does not adhere to the principle of least privilege. To resolve the finding, review and reduce the permissions. |
| Statement contains privileged actions for | AMS has identified certain actions for a given service as risky; they require further risk review and acceptance by the customer security team. This finding is generated when automation detects the given policy granting such permissions. To resolve this finding, deny these actions in your policy. For a list of actions, refer to the AMS boundary policy. For details on the AMS boundary policy, see AMS Automated IAM Provisioning permission boundary check. |
| Statement grants access to privileged RFC Change Types: ct-1n9gfnog5x7fl, ct-1e0xmuy1diafq, and ct-17cj84y7632o6 for service | This finding is generated if the policy grants permissions to perform RFC-related actions using Automated IAM Provisioning change types (CTs). The CTs are subject to risk acceptance and must only be used through onboarded roles, so you can't grant permission to these CTs. To resolve this finding, deny RFC actions using these CTs. |
| Statement contains privileged actions that are not scoped to your resources for service | This finding is generated if the policy grants privileged actions that are not scoped to your resources of the given service. Wildcards often create overly permissive policies that bring a broad set of resources or actions into the permission's scope. To resolve the finding, either reduce the scope of permissions to resources you own or exclude resources that are in the AMS namespace. For a list of AMS namespace prefixes, see the boundary policy in the AMS documentation. Note that not all prefixes apply to all services. For details on the AMS boundary policy, see AMS Automated IAM Provisioning permission boundary check. |
| Invalid account ID or Amazon Resource Name (ARN). | This finding is generated if any ARN or account ID specified in the policy or role trust policy is invalid. To review valid resource ARNs for services, see the Service Authorization Reference. Make sure that the account ID is a 12-digit number and that the account is active in AWS. |
| Use of wildcard (*) for account ID in ARN is restricted. | This finding is generated if a wildcard (*) is specified in the account ID field of an ARN. A wildcard in an account ID field matches any account and potentially grants unintended permission to resources. To resolve this, replace the wildcard with a specific account ID. |
| Specified resource account not owned by same AMS customer owning account | This finding is generated if an account ID specified in a resource ARN does not belong to you and is not managed by AMS. To resolve this, make sure that all resources (as specified by their ARNs in the policy) belong to your accounts that are managed by AMS. |
| The role name is in AMS restricted namespace. | This finding is generated if you try to create a role with a name that starts with an AMS reserved prefix. To resolve this, use a name for the role that is specific to your use case. For a list of AMS reserved prefixes, see AMS reserved prefixes. |
| The policy name is in AMS restricted namespace. | This finding is generated if you try to create a policy with a name that starts with an AMS reserved prefix. To resolve this, use a name for the policy that is specific to your use case. For a list of AMS reserved prefixes, see AMS reserved prefixes. |
| The resource ID in the ARN is in AMS restricted namespace. | This finding is generated if you try to create a policy that grants permission to named resources that are in the AMS namespace. To resolve this, make sure that you scope the permissions to your resources or deny permissions to resources that are in the AMS namespace. For more information on AMS namespaces, see AMS restricted namespaces. |
| Invalid policy variable case. Update the variable to | This finding is generated if you try to create a policy that contains an IAM global policy variable in the incorrect case. To resolve this, use the correct case for global variables in your policy. For a list of global variables, see AWS global condition context keys. For more information on policy variables, see IAM policy elements: Variables and tags. |
| Statement contains privileged actions that are not scoped to your KMS keys. Consider scoping these permissions to specific keys or exclude AMS owned keys. | This finding is generated if the policy contains permissions that are not scoped to specific KMS keys that you own. To resolve this, scope the permission to specific keys or exclude the keys that are AMS-owned. AMS-owned keys have specific alias sets. For a list of AMS-owned key aliases, see AMS Automated IAM Provisioning permission boundary check. |
| Statement contains privileged actions that are not scoped to your KMS key aliases. Consider scoping these permissions to your keys or aliases, or exclude AMS-owned key aliases. | This finding is generated if the policy contains permissions that are not scoped to specific KMS key aliases that you own. To resolve this, scope the permission to specific keys or exclude the keys that are AMS-owned. AMS-owned keys have specific alias sets. For a list of AMS-owned key aliases, see AMS Automated IAM Provisioning permission boundary check. |
| Statement contains privileged actions that are not adequately scoped to your KMS keys using the | This finding is generated if you are scoping permissions to your KMS keys using conditions and not using |
| The role must have customer_deny_policy attached. Include the policy ARN in the list of managed policy ARNs. | This finding is generated if the role that you are creating does not have the |
| The AWS managed policy is overly permissive or grants permissions restricted by AMS boundary policy. | This finding is generated if the ManagedPolicyArns value for the role contains any AWS managed policy that provides full or administrator-level access to the relevant service. To resolve this, review your use of the AWS managed policy and use a policy that provides scoped-down permissions, or define your own policy that follows the principle of least privilege. |
| The customer managed policy is in restricted AMS namespace. | This finding is generated if any customer managed policy whose name is prefixed with the AMS namespace is attached to the role. To resolve this, remove the policy from the ManagedPolicyArns list for the role. |
| The customer_deny_policy can not be detached from the role. Include the policy ARN in the list of managed policy ARNs. | This finding is generated if the |
| The customer managed policies were provisioned outside AMS Change Management service or without prior validation. | This finding is generated if one or more existing customer managed policy ARNs are attached to a role and the policies were not provisioned through the AMS Change Management service (through an RFC). For example, Developer Mode or Direct Change Mode allow customers to provision IAM policies without an RFC. To resolve this, remove the customer managed policy ARNs from the ManagedPolicyArns list for the role. |
| The count of provided managed policy ARNs exceeds attached policy per role quota. | This finding is generated if the total number of managed policies attached to the role exceeds the policies-per-role quota. For more information on IAM quotas, see IAM and AWS STS quotas, name requirements, and character limits. Use this information to reduce the number of policies that you attach to the role. |
| The trust policy size ({trust_policy}) exceeds assume role policy size quota of {size}. | This finding is generated if the size of the assume role policy document exceeds the policy size quota. For more information on IAM quotas, see IAM and AWS STS quotas, name requirements, and character limits. |
| Statement contains all mutative actions for Amazon S3. Consider scoping these permissions to required actions only. If wildcards are used, ensure they scope a limited set of mutative actions. | This finding is generated if the given policy grants all Amazon Simple Storage Service (Amazon S3) mutative permissions, irrespective of the resources targeted. To resolve this, include only the required Amazon S3 mutative actions against your buckets. |
| Statement contains privileged actions that are not allowed against any bucket in Amazon S3. Consider adding a statement denying these actions. | This finding is generated if the policy grants privileged actions on any bucket. For a list of privileged actions, see AMS Automated IAM Provisioning permission boundary check. To resolve this finding, remove or deny these actions in your policy. |
| Statement contains privileged actions that are not scoped to your buckets in Amazon S3. Consider including your buckets or exclude buckets with AMS namespace prefixes. If wildcards are used, make sure that they match buckets within your namespaces. | This finding is generated if the policy grants Amazon S3 actions that are not scoped to your buckets only. This often occurs if wildcards are used when specifying bucket resources. To resolve this, specify bucket names or ARNs that you own or exclude the buckets that have AMS namespace prefixes. |
| Statement contains privileged actions that are not scoped to your buckets in Amazon S3. Consider avoiding use of wildcards (*) that scope all buckets in the account. | This finding is generated if the policy grants Amazon S3 actions that are not scoped to your buckets. This often occurs if wildcards are used when specifying bucket resources. To resolve this, specify bucket names or ARNs that you own or exclude the buckets that have AMS namespace prefixes. |
| Statement contains a resource wildcard which is scoped to all Amazon S3 buckets, including non-existent buckets and buckets you do not own. Consider scoping the permissions using a condition and | This finding is generated if the policy grants permission to buckets specified using wildcards. Use of wildcards often brings non-existent or non-owned buckets into scope. To resolve this, use a condition and the |
| Statement contains a | This finding is generated if the policy utilizes the |
| Statement contains Amazon S3 action to buckets | This finding is generated if the policy grants permission to buckets that either do not exist, are not owned by you, or have wildcards in the bucket names covering a large number of buckets, and access is not scoped to the current account only. To resolve this, use a condition and the |
| Statement contains Amazon S3 action to buckets | This finding is generated if the policy grants permission to buckets that either do not exist, are not owned by you, or have wildcards in the bucket names covering a large number of buckets, and access is scoped to a specific account only. However, the account specified in the |
| Statement contains privileged actions that are not scoped to your instances for Amazon EC2. Consider scoping the actions to specific instance ARNs or exclude instances that have Name tag key with value in AMS namespace prefixes. If wildcards are used, ensure they match namespaces that you own. | This finding is generated if the policy grants privileged actions against Amazon EC2 instances that AMS owns. AMS instances are tagged with the Name tag key with values in the AMS namespace. To resolve this, specify your resources or exclude AMS instances with a condition that has the |
| Statement contains privileged actions that are not scoped to your resources in AWS Systems Manager parameter store. Consider specifying ARNs of your parameters or exclude parameters with AMS namespace prefixes. If wildcards are used, ensure they scope only your parameters. | This finding is generated if the policy grants permissions to parameters that you do not own. This usually happens when wildcards are used or when parameters with AMS namespace prefixes are listed under resources in a policy statement. To resolve this, specify parameters that are within your namespace or exclude AMS parameters with a deny statement. |
| Statement contains privileged actions against resources in AWS Systems Manager. Consider scoping the permissions to read-only actions or actions against your resources. | This finding is generated if the policy grants permissions other than parameter store or read-only actions against Systems Manager resources. To resolve this finding, reduce the permissions to read-only actions or parameter store only. |
| Statement contains privileged actions that are not scoped to {message} in | This finding is generated if the policy allows privileged actions that are not scoped to your resources, especially for named resources. To resolve this finding, review your resource list and make sure that it only scopes resources that are in your namespace. Alternatively, exclude resources that are in the AMS namespace. |
| Statement contains tagging actions of { | This finding is generated if the policy grants tagging permission for the given service and the permission is not scoped to specific tag keys/values. To scope down what key or value can be used in tag actions, for example, when making a request to perform the actions, use the |
| Internal error validating IAM role trust policy. | This finding is generated when CT automation encounters an error performing validation on the IAM role trust policy through the IAM Access Analyzer service. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Internal error validating customer managed policy. | This finding is generated when CT automation encounters an error performing validation on the customer managed policy through the IAM Access Analyzer service. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Access analyzer not found in | This finding is generated when the IAM Access Analyzer resource is not found in the AWS Region. Contact AMS Operations to troubleshoot and create the IAM Access Analyzer resource in the AWS Region. |
| Invalid trust policy for role | This finding is generated when the provided IAM role contains an invalid trust policy. To resolve this, review the trust policy to verify that it is valid. |
| IAM Access Analyzer encountered an internal error. Failed to create access preview for role | This finding is generated when automation encounters an error while creating an access preview for a role through the IAM Access Analyzer. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Failed to create access preview for trust policy of role | This finding is generated when automation encounters an error while creating an access preview for a role through the IAM Access Analyzer. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Internal error validating listed SAML IdP. | This finding is generated when automation encounters an error while validating the SAML IdPs listed in the role trust policy. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Internal error validating permissions against AWS Key Management Service. | This finding is generated when automation encounters an error while validating the AWS KMS key permissions in the provided policy. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Internal error validating listed managed policy ARNs. | This finding is generated when automation encounters an error while validating the listed managed policy ARNs. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Internal error validating default | This finding is generated when automation encounters an error while validating that the |
| Internal error validating managed policy ARNs for the role | This finding is generated when automation encounters an error while validating managed policy ARNs for the role. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Internal error validating | This finding is generated when automation encounters an error while validating the policy that contains your custom deny list. To resolve this, resubmit the RFC. If the error persists, then contact AMS Operations to troubleshoot the error. |
| Customer-defined boundary policy | This finding is generated when the policy that contains your custom deny list includes a statement that grants permission. Although the custom deny list exists within your account as an IAM managed policy, it can't be used for permission management. The policy must only contain deny statements that indicate that you want AMS Automated IAM Provisioning to validate and deny those actions in the IAM policies that AMS Automated IAM Provisioning creates. |
| Statement contains privileged actions defined by your organization for | This finding is generated when automation detects any action in your policy that you defined in the custom deny list. To resolve the finding, review your policy statement and remove any actions that are defined in your custom deny list, or add a deny statement that denies those actions. |
| The role must have | This finding is generated if the role that you're creating doesn't have the |
| The | This finding is generated if the |
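The checks in the table are run by AMS when the RFC executes. As an added example that is not AMS code, the following Python script reproduces a handful of the findings locally (principals outside the zone of trust, canonical user IDs, wildcard or malformed account IDs, NotAction in an Allow statement, administrator-equivalent grants, and resource names in a reserved namespace) so a policy author can catch the obvious ones before submitting an RFC with Validate only set to Yes. The onboarded account IDs, the `ams-` prefix, and the two sample documents are constructed placeholders; take the real prefixes from the AMS boundary policy documentation.

```python
import re

# Constructed placeholders: substitute your AMS onboarded account IDs and the AMS
# reserved name prefixes from the boundary policy documentation (not the real list).
ONBOARDED_ACCOUNTS = {"111111111111", "222222222222"}
RESERVED_PREFIXES = ("ams-",)
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[^:]*:[^:]*:([^:]*):(.*)$")  # (account, resource)

def _as_list(value):  # IAM accepts a string or a list in most fields
    return value if isinstance(value, list) else [value]

def _check_account(account, where, findings):
    """Wildcard, malformed, and non-onboarded account IDs each map to a finding."""
    if account == "*":
        findings.append(f"wildcard (*) account ID in {where}")
    elif not re.fullmatch(r"\d{12}", account):
        findings.append(f"invalid account ID or ARN in {where}: {account!r}")
    elif account not in ONBOARDED_ACCOUNTS:
        findings.append(f"account {account} in {where} is outside your zone of trust")

def check_trust_policy(doc):
    """Principal-side checks on a role trust policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        if "CanonicalUser" in principal:
            findings.append("canonical user ID is not a supported trust-policy principal")
        for p in _as_list(principal.get("AWS", [])):
            if p == "*":
                findings.append("principal '*' admits any external account")
                continue
            match = ARN_RE.match(p)
            _check_account(match.group(1) if match else p, "principal", findings)
    return findings

def check_policy(doc):
    """Permissions-policy checks: administrator-equivalent grants, NotAction in an
    Allow statement, wildcard or foreign account IDs, reserved-namespace resources."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append("NotAction in an Allow statement may grant more than intended")
        if "*" in _as_list(stmt.get("Action", [])) and "*" in resources:
            findings.append("Action '*' on Resource '*' is administrator-equivalent")
        for arn in resources:
            match = ARN_RE.match(arn)
            if not match:
                continue
            account, resource = match.groups()
            if account:  # S3 and a few other ARNs legitimately carry no account field
                _check_account(account, f"resource ARN {arn}", findings)
            # Bucket names precede the slash, IAM/SSM names follow it: test each segment.
            if any(s.lower().startswith(RESERVED_PREFIXES) for s in re.split(r"[/:]", resource)):
                findings.append(f"resource name in AMS restricted namespace: {arn}")
    return findings

# Constructed sample documents (placeholder accounts and resources).
BAD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {
    "AWS": ["arn:aws:iam::333333333333:root", "arn:aws:iam::*:root"],
    "CanonicalUser": "abcdef0123456789" * 4}}]}
BAD_POLICY = {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::ams-bucket/*", "arn:aws:kms:us-east-1:*:key/abc"]}]}
```

Run `check_trust_policy(BAD_TRUST)` and `check_policy(BAD_POLICY)` to see three findings each; an empty list means none of these local checks fired, which does not replace the full Access Analyzer and boundary-policy run in the RFC.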