Ensure No IAM Users Have Administrator Access Policy
Overview
This check identifies IAM users that have the AdministratorAccess managed policy directly attached. The AdministratorAccess policy grants unrestricted access to all AWS services and resources, which poses a significant security risk when attached to long-lived user credentials.
Risk
When an IAM user has administrator-level permissions:
- If compromised: Attackers gain full control over your AWS account, including the ability to read/export all data, modify configurations, delete resources, and create backdoors
- Accidental damage: Users may unintentionally delete critical resources or misconfigure services
- No accountability: Broad permissions make it difficult to track who performed specific actions
- Cost exposure: Unrestricted access can lead to unexpected charges from unauthorized resource creation
Remediation Steps
Prerequisites
You need IAM permissions to view and modify user policies. Typically, you should have access to the AWS Console with IAM administrative rights, or be using an IAM role with appropriate permissions.
Required IAM permissions
To perform this remediation, your IAM principal needs these permissions:
- iam:ListAttachedUserPolicies
- iam:DetachUserPolicy
- iam:AttachUserPolicy (if attaching replacement policies)
- iam:ListUsers
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to IAM (search for "IAM" in the search bar)
- In the left navigation pane, click Users
- Select the user that has AdministratorAccess attached
- Click the Permissions tab
- Find AdministratorAccess in the Permissions policies section
- Select the checkbox next to AdministratorAccess
- Click the Remove button
- Confirm the removal when prompted
Important: Before removing the policy, identify what specific permissions the user actually needs and attach appropriate scoped policies instead.
Choosing Replacement Policies
Instead of AdministratorAccess, attach policies that follow the principle of least privilege:
| User Role | Recommended AWS Managed Policy |
|---|---|
| Read-only auditor | ReadOnlyAccess |
| Developer (specific services) | PowerUserAccess or service-specific policies |
| Billing administrator | Billing |
| Security auditor | SecurityAudit |
| Database administrator | AmazonRDSFullAccess, AmazonDynamoDBFullAccess |
For most cases, create a custom policy that grants only the specific actions the user needs.
AWS CLI (optional)
List all policies attached to a user:
```bash
aws iam list-attached-user-policies \
  --user-name <your-username> \
  --region us-east-1
```
Detach the AdministratorAccess policy:
```bash
aws iam detach-user-policy \
  --user-name <your-username> \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
  --region us-east-1
```
Attach a more appropriate policy (example: ReadOnlyAccess):
```bash
aws iam attach-user-policy \
  --user-name <your-username> \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess \
  --region us-east-1
```
Find all users with AdministratorAccess attached:
```bash
# List all IAM users (one name per line), then check each user's
# directly attached managed policies for AdministratorAccess
aws iam list-users --query 'Users[*].UserName' --output text --region us-east-1 | \
  tr '\t' '\n' | while read -r user; do
    aws iam list-attached-user-policies --user-name "$user" --region us-east-1 \
      --query "AttachedPolicies[?PolicyArn=='arn:aws:iam::aws:policy/AdministratorAccess'].PolicyArn" \
      --output text | grep -q "AdministratorAccess" && echo "$user"
  done
```
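The CLI loop above only looks at the managed policy ARN. As an added example (not part of the Prowler check or this page's original scripts), the Python below applies the same decision to a snapshot shaped like the JSON that `aws iam list-attached-user-policies` and `aws iam get-user-policy` return, and additionally flags inline policies that are admin-equivalent (Allow, Action `*`, Resource `*`). The user names and policy documents are constructed sample data; no AWS credentials or boto3 are needed.

```python
# Added example: classify IAM users as administrators from IAM API-shaped data.
# Input shape mirrors the CLI/boto3 JSON output; the snapshot below is constructed.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM policy documents allow a single string where a list is also valid."""
    return value if isinstance(value, list) else [value]


def is_admin_equivalent(policy_document):
    """True if any Allow statement grants Action '*' on Resource '*'.

    This is the shape of AdministratorAccess itself. NotAction, NotResource and
    Condition blocks are not evaluated here, so the check is deliberately
    narrow rather than a full policy simulator.
    """
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.strip().lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            return True
    return False


def audit_user(attached_policies, inline_policies):
    """attached_policies: 'AttachedPolicies' entries from list-attached-user-policies.
    inline_policies: {policy name: 'PolicyDocument' from get-user-policy}.
    Returns a list of human-readable findings (empty list means compliant)."""
    findings = []
    for policy in attached_policies:
        if policy.get("PolicyArn") == ADMIN_POLICY_ARN:
            findings.append(f"managed policy {ADMIN_POLICY_ARN} attached directly")
    for name, document in inline_policies.items():
        if is_admin_equivalent(document):
            findings.append(f"inline policy {name} allows '*' on '*'")
    return findings


def audit_all(snapshot):
    """snapshot: {user name: {'attached': [...], 'inline': {...}}}; returns only failing users."""
    results = {user: audit_user(d["attached"], d["inline"]) for user, d in snapshot.items()}
    return {user: findings for user, findings in results.items() if findings}


# Constructed sample snapshot: alice has the managed policy, carol an inline '*'/'*' policy,
# bob only has ReadOnlyAccess plus a scoped inline policy and should pass.
SAMPLE_SNAPSHOT = {
    "alice": {"attached": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}], "inline": {}},
    "bob": {"attached": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
            "inline": {"s3-list": {"Statement": {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}}}},
    "carol": {"attached": [], "inline": {"everything": {"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}]}}},
}
```

Feed it real data by loading the `AttachedPolicies` and `PolicyDocument` values from the corresponding CLI calls into the same dictionary shape.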
CloudFormation (optional)
When defining IAM users in CloudFormation, ensure the ManagedPolicyArns property does not include AdministratorAccess. Use specific policies instead:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM User with least-privilege permissions (no AdministratorAccess)
Parameters:
  UserName:
    Type: String
    Description: Name of the IAM user
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref UserName
      ManagedPolicyArns: [] # No managed policies - add specific ones as needed
      Tags:
        - Key: ManagedBy
          Value: CloudFormation
Outputs:
  UserArn:
    Description: ARN of the IAM user
    Value: !GetAtt IAMUser.Arn
```
Example with specific policies:
```yaml
Resources:
  DeveloperUser:
    Type: AWS::IAM::User
    Properties:
      UserName: developer-user
      ManagedPolicyArns:
        # Use specific policies instead of AdministratorAccess
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
        - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
```
Terraform (optional)
When defining IAM users in Terraform, avoid attaching the AdministratorAccess policy:
```hcl
# IAM User without AdministratorAccess - using least privilege
variable "user_name" {
  description = "Name of the IAM user"
  type        = string
}

variable "policy_arns" {
  description = "List of IAM policy ARNs to attach (should NOT include AdministratorAccess)"
  type        = list(string)
  default     = []
}

resource "aws_iam_user" "this" {
  name = var.user_name
  tags = {
    ManagedBy = "Terraform"
  }
}

# Attach specific policies (not AdministratorAccess)
resource "aws_iam_user_policy_attachment" "policies" {
  for_each   = toset(var.policy_arns)
  user       = aws_iam_user.this.name
  policy_arn = each.value
}

output "user_arn" {
  description = "ARN of the IAM user"
  value       = aws_iam_user.this.arn
}
```
Usage example:
```hcl
module "developer_user" {
  source    = "./modules/iam-user"
  user_name = "developer"
  policy_arns = [
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
  ]
}
```
Verification
After removing the AdministratorAccess policy:
- Go to IAM > Users > select the user > Permissions tab
- Confirm that AdministratorAccess is no longer listed
- Verify the user has appropriate replacement policies for their job function
CLI verification
```bash
# Verify AdministratorAccess is no longer attached
aws iam list-attached-user-policies \
  --user-name <your-username> \
  --region us-east-1
# The output should NOT contain AdministratorAccess
```
Re-run the Prowler check:
```bash
prowler aws --check iam_user_administrator_access_policy --region us-east-1
```
Additional Resources
- AWS IAM Best Practices
- Principle of Least Privilege
- AWS Managed Policies for Job Functions
- IAM Access Analyzer
- Prowler Check Documentation
Notes
- Consider using IAM roles instead: For administrative tasks, use IAM roles with temporary credentials rather than IAM users with long-lived access keys. Roles can be assumed through federation or AWS SSO.
- Enable MFA: If IAM users must have elevated permissions, always require multi-factor authentication (MFA).
- Use Service Control Policies (SCPs): In AWS Organizations, use SCPs as guardrails to prevent any principal from having excessive permissions, regardless of their IAM policies.
- Audit regularly: Use AWS IAM Access Analyzer and CloudTrail to monitor how permissions are actually being used and identify opportunities to reduce privileges.
- Separation of duties: Consider splitting administrative functions across multiple users or roles to prevent any single identity from having complete control.