Restrict full admin policies
Description
No IAM policy grants full admin (*:*) privileges to users.
⚠️ Risk Impact
Full admin on a user account means a single compromised credential is a full account takeover. The same applies to service accounts.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Replace the AdministratorAccess managed policy with custom least-privilege roles, and enforce the restriction with SCPs at the organization level.
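The check this control describes and the organization-level guardrail it recommends, as an added example (not EchelonGraph's scanner code): it flags any policy whose Allow statement grants every action on every resource, lists the IAM users each such policy is attached to, and builds an SCP that blocks attaching the AWS-managed AdministratorAccess policy. The account snapshot is constructed inline in the shape a scanner would assemble from the IAM ListPolicies, GetPolicyVersion and ListEntitiesForPolicy calls; the account ID and principal names are made up. The `iam:PolicyARN` condition key and the AdministratorAccess policy ARN are real AWS identifiers.

```python
"""Detect full-admin IAM policies and the users they are attached to, and
emit an SCP that prevents attaching AdministratorAccess. Added example that
runs offline on a constructed snapshot; not EchelonGraph's own code."""

# The page writes the grant as "*:*"; IAM itself expresses it as Action "*".
FULL_WILDCARDS = {"*", "*:*"}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin(policy_document: dict) -> bool:
    """True if any Allow statement grants every action on every resource.
    Allow statements written with NotAction are not classified here and
    should be reviewed separately."""
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in FULL_WILDCARDS for a in actions) and "*" in resources:
            return True
    return False


# Constructed snapshot: account 111122223333 and all principal names are fake.
ACCOUNT_SNAPSHOT = {
    "policies": {
        "arn:aws:iam::aws:policy/AdministratorAccess": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        },
        "arn:aws:iam::111122223333:policy/CustomAdmin": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["s3:GetObject", "*:*"],
                           "Resource": ["*"]}],
        },
        "arn:aws:iam::111122223333:policy/S3ReadOnly": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": "*"}],
        },
        "arn:aws:iam::111122223333:policy/DenyAll": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
        },
    },
    "attachments": {
        "arn:aws:iam::aws:policy/AdministratorAccess": {
            "users": ["ci-deployer", "alice"], "roles": ["OrgAdminRole"]},
        "arn:aws:iam::111122223333:policy/CustomAdmin": {
            "users": ["bob"], "roles": []},
        "arn:aws:iam::111122223333:policy/S3ReadOnly": {
            "users": ["carol"], "roles": []},
    },
}


def find_full_admin_users(snapshot: dict) -> dict:
    """Return {policy_arn: sorted users} for full-admin policies attached to
    IAM users. The control is user-scoped, so role attachments are skipped."""
    findings = {}
    for arn, document in snapshot["policies"].items():
        if not is_full_admin(document):
            continue
        users = snapshot["attachments"].get(arn, {}).get("users", [])
        if users:
            findings[arn] = sorted(users)
    return findings


def deny_admin_attach_scp() -> dict:
    """SCP that stops member accounts attaching AdministratorAccess to any
    principal. SCPs never apply to the organization's management account,
    so that account still needs a direct review."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAttachAdministratorAccess",
            "Effect": "Deny",
            "Action": ["iam:AttachUserPolicy",
                       "iam:AttachRolePolicy",
                       "iam:AttachGroupPolicy"],
            "Resource": "*",
            "Condition": {"ArnEquals": {
                "iam:PolicyARN": "arn:aws:iam::aws:policy/AdministratorAccess"}},
        }],
    }


if __name__ == "__main__":
    for arn, users in find_full_admin_users(ACCOUNT_SNAPSHOT).items():
        print(f"CRITICAL full-admin policy {arn} attached to users: {users}")
```

The DenyAll and S3ReadOnly policies are deliberately included so the check distinguishes a wildcard Allow from a wildcard Deny and from a scoped action list; inline policies on users (iam:ListUserPolicies) should be fed through the same `is_full_admin` check before the finding is considered complete.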
💀 Real-World Attack Scenario
47 IAM users had AdministratorAccess. One was phished, and the attacker had full account access immediately. Damage included data exfiltration, S3 bucket policy modifications and IAM persistence. Recovery cost: $4.2M.
💰 Cost of Non-Compliance
Over-privileged-user breach: average $4.45M (IBM 2024).
📋 Audit Questions
1. Which users have AdministratorAccess attached?
2. Is there a documented justification per user?
3. Is the restriction enforced by SCP?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Admin granted for convenience
- ⛔ Admin role to service accounts
- ⛔ No SCP enforcement
📈 Business Value
Least-privilege IAM is foundational to limiting breach blast radius.
⏱️ Effort Estimate
40-80 hours initial least-privilege migration
EchelonGraph identifies admin grants + recommends custom roles
🔗 Cross-Framework References
Automate CIS AWS 1.16 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.