IAM Role AdministratorAccess Policy
Overview
This check identifies IAM roles that have the AWS-managed AdministratorAccess policy (arn:aws:iam::aws:policy/AdministratorAccess) attached. That policy is a single Allow of every action on every resource (Action: "*", Resource: "*") across all AWS services, which violates the principle of least privilege: almost no workload needs it.
Risk
If a role with AdministratorAccess is compromised, for example through leaked credentials or an overly permissive trust policy, whoever can assume it gains full control over your AWS account, limited only by service control policies, permission boundaries and resource-based policies. They can:
- Read, modify, or delete any data
- Create new privileged users or roles, or widen this role's trust policy to keep access
- Disable security monitoring and logging (CloudTrail, GuardDuty, Config)
- Delete backups and critical resources
- Run up significant charges
This is a high-severity finding that should be addressed promptly.
Remediation Steps
Prerequisites
You need IAM permissions to modify role policies; typically this means the IAMFullAccess managed policy or equivalent administrative access. Do not perform the remediation while operating as the flagged role itself, or you will remove your own permissions part-way through the change.
Required IAM permissions (technical detail)
At minimum, you need these IAM actions:
- iam:ListAttachedRolePolicies (to find and verify the attachment)
- iam:DetachRolePolicy (to remove AdministratorAccess)
- iam:AttachRolePolicy (only if you attach a replacement managed policy)
If the replacement is a new customer-managed policy or an inline policy, you also need iam:CreatePolicy or iam:PutRolePolicy respectively.
AWS Console Method
- Sign in to the AWS IAM Console
- In the left navigation, click Roles
- Find and click the role name flagged by Prowler
- Select the Permissions tab
- In the Permissions policies section, locate AdministratorAccess
- Click the Remove button (or select the checkbox and click Remove)
- Confirm the detachment when prompted
Important: Before removing AdministratorAccess, ensure you have a replacement policy ready that grants only the permissions the role actually needs. Otherwise, workloads using this role may break.
AWS CLI (optional)
Detach the AdministratorAccess policy. IAM is a global service, so no --region flag is needed:

```bash
aws iam detach-role-policy \
  --role-name <ROLE_NAME> \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```

Replace <ROLE_NAME> with the actual role name (e.g., MyApplicationRole).
Verify the policy was removed:

```bash
aws iam list-attached-role-policies \
  --role-name <ROLE_NAME>
```

The output should no longer include AdministratorAccess.
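The check and the detach step above can be reproduced offline. The following is an added example written for this page; it is not Prowler's own implementation. It evaluates an inventory of roles shaped like the IAM API responses (RoleName, Path, AttachedPolicies, inline policy documents), skips service-linked roles by their /aws-service-role/ path, emits the detach command for every role that fails, and additionally flags inline policies that are equivalent to AdministratorAccess, since detaching the managed policy leaves those in place. The role names, ARNs and account data in SAMPLE_INVENTORY are constructed, and fetch_inventory_with_boto3() assumes boto3 is installed and credentials are configured.

```python
"""Offline reproduction of the "IAM role has AdministratorAccess" check.

Added example for this page, not Prowler's own implementation. The functions
work on plain dicts shaped like the IAM API responses (ListRoles,
ListAttachedRolePolicies, GetRolePolicy), so they run against the constructed
inventory below without credentials; fetch_inventory_with_boto3() drives the
same logic from a live account and assumes boto3 is installed.
"""
import json
import sys
from typing import Dict, Iterable, List

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
SERVICE_LINKED_PATH = "/aws-service-role/"  # where service-linked roles live


def is_service_linked(role: dict) -> bool:
    """Service-linked roles are excluded: AWS manages their policies."""
    return role.get("Path", "/").startswith(SERVICE_LINKED_PATH)


def has_admin_managed_policy(attached: Iterable[dict]) -> bool:
    """The check proper: is the AWS-managed AdministratorAccess ARN attached?"""
    return any(p.get("PolicyArn") == ADMIN_POLICY_ARN for p in attached)


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_is_admin(stmt: dict) -> bool:
    """True for an unconditional Allow of every action on every resource."""
    if stmt.get("Effect") != "Allow" or "Condition" in stmt:
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(a in ("*", "*:*") for a in actions) and "*" in resources


def admin_equivalent_documents(documents: Dict[str, dict]) -> List[str]:
    """Inline policies that grant the same power as AdministratorAccess;
    detaching the managed policy alone would leave these in place."""
    return [name for name, doc in documents.items()
            if any(statement_is_admin(s) for s in _as_list(doc.get("Statement", [])))]


def evaluate_role(role: dict) -> dict:
    """One result per role: PASS, FAIL (with the detach command) or SKIPPED."""
    name = role["RoleName"]
    if is_service_linked(role):
        return {"role": name, "status": "SKIPPED", "commands": [], "admin_equivalent": []}
    failed = has_admin_managed_policy(role.get("AttachedPolicies", []))
    commands = [f"aws iam detach-role-policy --role-name {name} "
                f"--policy-arn {ADMIN_POLICY_ARN}"] if failed else []
    return {"role": name, "status": "FAIL" if failed else "PASS", "commands": commands,
            "admin_equivalent": admin_equivalent_documents(role.get("InlinePolicies", {}))}


def run_check(inventory: dict) -> List[dict]:
    return [evaluate_role(r) for r in inventory["Roles"]]


# Constructed sample inventory; not data from a real account.
SAMPLE_INVENTORY = {"Roles": [
    {"RoleName": "MyApplicationRole", "Path": "/",  # the finding this page describes
     "AttachedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}],
     "InlinePolicies": {}},
    {"RoleName": "AWSServiceRoleForSupport", "Path": "/aws-service-role/support.amazonaws.com/",
     "AttachedPolicies": [{"PolicyName": "AWSSupportServiceRolePolicy", "PolicyArn":
                           "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy"}],
     "InlinePolicies": {}},  # service-linked: skipped whatever is attached
    {"RoleName": "DeployRole", "Path": "/",  # passes this check yet is still an admin
     "AttachedPolicies": [{"PolicyName": "AmazonS3ReadOnlyAccess",
                           "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}],
     "InlinePolicies": {"AllowEverything": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
]}


def fetch_inventory_with_boto3() -> dict:
    """Build the same inventory from a live account (boto3 assumed installed)."""
    import boto3
    iam = boto3.client("iam")
    roles = []
    for page in iam.get_paginator("list_roles").paginate():
        for r in page["Roles"]:
            name = r["RoleName"]
            inline = {pn: iam.get_role_policy(RoleName=name, PolicyName=pn)["PolicyDocument"]
                      for pn in iam.list_role_policies(RoleName=name)["PolicyNames"]}
            roles.append({"RoleName": name, "Path": r["Path"], "InlinePolicies": inline,
                          "AttachedPolicies": iam.list_attached_role_policies(RoleName=name)["AttachedPolicies"]})
    return {"Roles": roles}


if __name__ == "__main__":
    inventory = fetch_inventory_with_boto3() if "--live" in sys.argv else SAMPLE_INVENTORY
    for result in run_check(inventory):
        print(json.dumps(result))
```

Run it without arguments to see the three sample outcomes (FAIL with a ready-to-paste detach command, SKIPPED for the service-linked role, and PASS with an admin_equivalent warning for the inline wildcard policy); pass --live to evaluate a real account. The admin_equivalent list is deliberately conservative: a statement that allows "*" on "*" only under a Condition is not reported, so review conditioned wildcards by hand.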
CloudFormation (optional)
If your role is managed by CloudFormation, update the template to remove AdministratorAccess from the ManagedPolicyArns list.
Before (non-compliant):

```yaml
Resources:
  MyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyApplicationRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess # Remove this line
```

After (compliant):

```yaml
Resources:
  MyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyApplicationRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess # Example: a narrower AWS-managed policy
      Policies:
        - PolicyName: CustomLeastPrivilegePolicy # Tighter: only the actions and buckets the workload uses
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - arn:aws:s3:::my-bucket
                  - arn:aws:s3:::my-bucket/*
```

The two replacements are shown together for illustration; pick the one that matches the workload. The inline policy scoped to my-bucket is the least-privilege option, and AmazonS3ReadOnlyAccess (read access to every bucket in the account) is redundant if you keep it.

Deploy the updated stack (CloudFormation is regional, so the --region flag matters here):

```bash
aws cloudformation update-stack \
  --stack-name <STACK_NAME> \
  --template-body file://template.yaml \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1
```
Terraform (optional)
If your role is managed by Terraform, remove the AdministratorAccess policy attachment.
Before (non-compliant):

```hcl
resource "aws_iam_role" "example" {
  name = "MyApplicationRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })
}

# Remove this resource
resource "aws_iam_role_policy_attachment" "admin_access" {
  role       = aws_iam_role.example.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

After (compliant):

```hcl
resource "aws_iam_role" "example" {
  name = "MyApplicationRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })
}

# Use a least-privilege policy instead
resource "aws_iam_role_policy_attachment" "s3_read_only" {
  role       = aws_iam_role.example.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

# Or create a custom policy with specific permissions
resource "aws_iam_policy" "custom_policy" {
  name        = "CustomLeastPrivilegePolicy"
  description = "Custom policy with only required permissions"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "s3:GetObject",
        "s3:ListBucket"
      ]
      Resource = [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }]
  })
}

resource "aws_iam_role_policy_attachment" "custom" {
  role       = aws_iam_role.example.name
  policy_arn = aws_iam_policy.custom_policy.arn
}
```

Apply the changes (the plan should show the admin_access attachment being destroyed and nothing else touching the role):

```bash
terraform plan
terraform apply
```
Verification
After remediation, confirm the role no longer has AdministratorAccess:
- Go to IAM > Roles in the AWS Console
- Click on the role you remediated
- Check the Permissions tab
- Verify AdministratorAccess is no longer listed
CLI verification

```bash
aws iam list-attached-role-policies \
  --role-name <ROLE_NAME>
```

Expected output should not contain AdministratorAccess:

```json
{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        }
    ]
}
```

This only proves the managed policy is gone. A role is still an administrator if any remaining attached customer-managed policy or inline policy allows Action: "*" on Resource: "*", so also review the role's inline policies (iam:ListRolePolicies and iam:GetRolePolicy) and the documents of the policies that stay attached.
Additional Resources
- AWS IAM Best Practices
- Granting Least Privilege
- IAM Access Analyzer - Helps identify unused permissions
- AWS Managed Policies
Notes
- Service-linked roles are excluded from this check. These are created and managed by AWS services and cannot have their policies modified.
- Break-glass scenarios: If you need emergency admin access, consider using a dedicated break-glass role with MFA requirements and time-limited access via AWS Identity Center or a just-in-time access solution.
- Use IAM Access Analyzer to generate least-privilege policies based on actual usage patterns before removing broad permissions.
- Test thoroughly after removing AdministratorAccess. Monitor CloudTrail and application logs for AccessDenied errors that indicate missing permissions; in CloudTrail they appear in the errorCode field (AccessDenied or AccessDeniedException for most services, Client.UnauthorizedOperation for EC2).
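The CloudTrail monitoring suggested in the last note can be automated. The following is an added example written for this page, not Prowler's code: it runs over a constructed list of CloudTrail records (the objects found under "Records" in a CloudTrail log file; fields not needed here are omitted), keeps only denied calls made by sessions of the remediated role after the remediation time, counts the IAM actions that were refused, and drafts the Allow statement those counts imply. The account ID, role ARN and timestamps are assumptions, and the eventSource/eventName to IAM-action mapping is a heuristic that holds for most control-plane calls but not all of them.

```python
"""Triage CloudTrail AccessDenied events after removing AdministratorAccess.

Added example for this page, not Prowler's code. It runs over a constructed
list of CloudTrail records (the shape found under "Records" in a CloudTrail
log file) and reports which IAM actions a remediated role was denied, so the
replacement policy can be completed. The eventSource/eventName -> IAM action
mapping is a heuristic: it matches most control-plane calls but not all.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, List

# errorCode values CloudTrail records for authorization failures
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}


def _event_time(record: dict) -> datetime:
    """CloudTrail eventTime is ISO 8601 with a Z suffix."""
    return datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))


def _issuer_arn(record: dict) -> str:
    """ARN of the role whose session made the call (empty for non-role identities)."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return ""
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")


def to_iam_action(record: dict) -> str:
    """s3.amazonaws.com + PutObject -> s3:PutObject (heuristic, see docstring)."""
    service = record["eventSource"].split(".", 1)[0]
    return f"{service}:{record['eventName']}"


def denied_actions(records: Iterable[dict], role_arn: str, since: datetime) -> Counter:
    """Count denied IAM actions attributed to role_arn at or after `since`."""
    counts: Counter = Counter()
    for r in records:
        if r.get("errorCode") not in DENIED_CODES:
            continue  # successful call, or a failure unrelated to permissions
        if _issuer_arn(r) != role_arn or _event_time(r) < since:
            continue  # another principal, or noise from before the remediation
        counts[to_iam_action(r)] += 1
    return counts


def draft_statement(actions: Iterable[str]) -> dict:
    """Starting point for the replacement policy. Resource is left as "*" on
    purpose and must be narrowed to the ARNs the workload actually touches."""
    return {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": "*"}


# Constructed records (not from a real trail); account ID and ARNs are made up.
ROLE_ARN = "arn:aws:iam::123456789012:role/MyApplicationRole"
REMEDIATED_AT = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _rec(time: str, source: str, name: str, arn: str, error: str = None) -> dict:
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "AssumedRole",
                            "sessionContext": {"sessionIssuer": {"arn": arn}}}}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS: List[dict] = [
    _rec("2024-05-01T11:30:00Z", "s3.amazonaws.com", "PutObject", ROLE_ARN, "AccessDenied"),  # before remediation
    _rec("2024-05-01T12:05:00Z", "s3.amazonaws.com", "PutObject", ROLE_ARN, "AccessDenied"),
    _rec("2024-05-01T12:06:00Z", "s3.amazonaws.com", "PutObject", ROLE_ARN, "AccessDenied"),
    _rec("2024-05-01T12:07:00Z", "s3.amazonaws.com", "GetObject", ROLE_ARN),  # allowed by the new policy
    _rec("2024-05-01T12:08:00Z", "dynamodb.amazonaws.com", "GetItem", ROLE_ARN, "AccessDeniedException"),
    _rec("2024-05-01T12:09:00Z", "ec2.amazonaws.com", "DescribeInstances", ROLE_ARN, "Client.UnauthorizedOperation"),
    _rec("2024-05-01T12:10:00Z", "s3.amazonaws.com", "GetObject",
         "arn:aws:iam::123456789012:role/OtherRole", "AccessDenied"),  # a different role
]


if __name__ == "__main__":
    import json
    missing = denied_actions(SAMPLE_RECORDS, ROLE_ARN, REMEDIATED_AT)
    for action, n in missing.most_common():
        print(f"{n:>4}  {action}")
    print(json.dumps(draft_statement(missing), indent=2))
```

On the sample the report is two denied s3:PutObject calls plus one each for dynamodb:GetItem and ec2:DescribeInstances; the earlier PutObject denial and the other role's failure are ignored. Treat the drafted statement as a worklist, not a policy to deploy: decide per action whether the workload should have it at all, and replace the "*" resource with specific ARNs before attaching anything.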