Excessive Privilege Risk Remediation
Overview
It is important to address identities with excessive privilege risk so you can right size your permissions and implement least privilege access.
For example, one remediation that is available for correcting excessive privilege risk is Detach policy.
The remediation displays the number and percentage of entitlements removed. These values represent what would be removed by performing this remediation. For example, you could have following values for Remediation and Entitlements removed:
Detach policy AdministratorAccess 361 (64.12%)
This means that detaching the AdministratorAccess policy removes 361 entitlements, which equal 64.12% of the total entitlements.
Remediation Details
The following information is available for each remediation:
- Suggestion - What you can do to accomplish remediation.
- Rationale - Why you should perform remediation.
- Risk reduction - What the remediation achieves in reducing risk severity and removed entitlements. The table provides risk information before and after remediation as well as the risk change achieved.
- Details about entitlements, including service, resource, action, and policy.
- Ticketing - Click Create ticket to create a Jira ticket to track the remediation work for the identity risk.
If a ticket already exists for the remediation, a link to the ticket is displayed.
Statement Indexes
AWS policies let you include multiple statements to define multiple entitlements or a set of entitlements. For example, you have the following statements:
- Statement 1: Allow start and stop actions for EC2 instances with name starting with "project-1".
- Statement 2: Allow read and delete actions for the S3 buckets: customer-data, sales-orders.
The statement index helps you pinpoint the place where the excessive privileges are defined.
Remediations Offered
The following remediations are available for excessive privilege risks.
Detach policy
- Suggestion - Remove the specified policy from the specified principal.
- Rationale - The identity has not used any of the access granted by this policy in the last 180 days. If an identity has access to more resources, data, or functionality than it actually needs, it increases the attack surface and potential risks. Removing unused entitlements will help with compliance, privacy, resource management, and simplified auditing.
Remove identity entitlements
- Suggestion - Remove entitlements from the specified identity. You can remove these entitlements either by removing them from all listed policies (which may affect other users) or by adding an explicit Deny policy for this identity.
- Rationale - This identity has not used any off the access granted by the listed entitlements in the last 180 days. If an identity has access to more resources, data, or functionality than it actually needs, it increases the attack surface and potential risks. Removing unused entitlements will help with compliance, privacy, resource management, and simplified auditing.
Remove policy entitlements
- Suggestion - No identities attached to the specified policy have used any of the listed entitlements in the last 180 days. You can safely remove these entitlements from the given policy.
- Rationale - If an identity has access to more resources, data, or functionality than it actually needs, it increases the attack surface and potential risks. Removing unused entitlements will help with compliance, privacy, resource management, and simplified auditing.