name change for IAM security policies #99

Merged
3 commits merged on May 2, 2024
Expand Up @@ -4,8 +4,8 @@
"policyType": "iam",
"cloudType": "aws",
"severity": "high",
"name": "AWS EC2 instance with org write access level",
"description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
"name": "AWS EC2 Instance with AWS Organization management permissions",
"description": "This policy identifies IAM permissions that allow EC2 instances to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
"rule.criteria": "0acd23f7-12c8-48c2-88c4-2962a4778e6e",
"searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
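Review bot: the rename leaves "rule.criteria" (0acd23f7-12c8-48c2-88c4-2962a4778e6e) and "searchModel.query" untouched, so only the display name and description change; please confirm nothing downstream keys on the old name "AWS EC2 instance with org write access level" (compliance mappings, saved alert rules, docs), because a name-only change breaks such references silently. Minor style point that applies to every recommendation in this PR: ''Permissions policies'' is written with two single quotes on each side; if that is not the repository's escaping convention for an embedded quote, it renders as doubled apostrophes.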
Expand Up @@ -4,8 +4,8 @@
"policyType": "iam",
"cloudType": "aws",
"severity": "high",
"name": "AWS EC2 instance with IAM permissions management access level",
"description": "This policy identifies This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.AWS IAM permissions management access level that are risky for AWS EC2 instances. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of permissions management access to minimize security risks.",
"name": "AWS EC2 Instance with IAM policy management permissions",
"description": "This policy identifies IAM permissions that allow EC2 instances to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
"rule.criteria": "34edd03b-b872-441b-84ed-19d9b4194c7d",
"searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
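Review bot: good fix for the old description, which had "This policy identifies" duplicated and two descriptions run together without a space after "security risks." The new wording ("creating, deleting, or attaching IAM policies to identities, roles, or groups") still understates what the query matches: it also fires on iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:UpdateAssumeRolePolicy (role trust policy) and iam:DeleteAccountPasswordPolicy. Consider adding "permissions boundaries, role trust policies and the account password policy" so the description matches the alerting logic.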
Expand Up @@ -4,8 +4,8 @@
"policyType": "iam",
"cloudType": "aws",
"severity": "high",
"name": "AWS EC2 instance with IAM write access level",
"description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS EC2 instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
"name": "AWS EC2 Instance with IAM write permissions",
"description": "This policy identifies IAM permissions that allow EC2 instances to perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles. IAM write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
"rule.criteria": "8bef368e-7b79-4828-a9cd-f4aa4fa8a3ce",
"searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'ec2' AND source.cloud.resource.type = 'instance'",
"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the EC2 instance \n3. Find the role used by the EC2 instance\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
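Review bot: punctuation error in the new description: "write operations for IAM. such as creating" should read "write operations for IAM, such as creating". The query also covers iam:PassRole, iam:CreateLoginProfile, the MFA device actions and SAML/OIDC provider management; iam:PassRole in particular is worth naming in the description, since it is the action that lets an instance hand a role to another service and is a common escalation path.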
Expand Up @@ -4,8 +4,8 @@
"policyType": "iam",
"cloudType": "aws",
"severity": "high",
"name": "ECS Task Definition with org write access level",
"description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
"name": "AWS ECS Task Definition with AWS Organization management permissions",
"description": "This policy identifies IAM permissions that allow ECS task definitions to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
"rule.criteria": "18f6902b-1358-48b4-b81e-528072b30656",
"searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
"recommendation": "Remediation steps:\n1. Login to the Okta console\n2. Find the role used by the Okta user\n3. Log in to the AWS console\n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
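Review bot: the recommendation in this hunk is wrong for the resource: steps 1 and 2 say "Login to the Okta console" and "Find the role used by the Okta user", while the policy targets source.cloud.service.name = 'ecs' AND source.cloud.resource.type = 'task-definition'. Replace them with the ECS steps the sibling hunks use: "1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition". Style: this query uses lowercase "and" before source.cloud.service.name where the EC2 and Elastic Beanstalk queries use "AND".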
Expand Up @@ -4,8 +4,8 @@
"policyType": "iam",
"cloudType": "aws",
"severity": "high",
"name": "ECS Task Definition with IAM permissions management access level",
"description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
"name": "AWS ECS Task Definition with IAM policy management permissions",
"description": "This policy identifies IAM permissions that allow ECS task definitions to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
"rule.criteria": "c89882d6-ed8e-4e95-931a-9f4dd2c6ff74",
"searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
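Review bot: same description gap as the EC2 policy-management hunk: the query matches the permissions-boundary actions (iam:PutRolePermissionsBoundary, iam:DeleteUserPermissionsBoundary and friends), iam:UpdateAssumeRolePolicy and iam:DeleteAccountPasswordPolicy, none of which "creating, deleting, or attaching IAM policies" covers. Style: lowercase "and" in the query, "AND" elsewhere in the PR.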
Expand Up @@ -4,8 +4,8 @@
"policyType": "iam",
"cloudType": "aws",
"severity": "high",
"name": "ECS Task Definition with IAM write access level",
"description": "This policy identifies IAM write permissions that are defined as risky permissions. Ensure that the AWS ECS Task Definition instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks",
"name": "AWS ECS Task Definition with IAM write permissions",
"description": "This policy identifies IAM permissions that allow ECS task definitions to perform write operations for IAM. such as creating, deleting, updating access keys, users, groups, and roles. IAM write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
"rule.criteria": "a87da1a4-e0ec-4fbc-9a4d-a6b5c2677542",
"searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AddClientIDToOpenIDConnectProvider','iam:AddRoleToInstanceProfile','iam:AddUserToGroup','iam:ChangePassword','iam:CreateAccessKey','iam:CreateAccountAlias','iam:CreateGroup','iam:CreateInstanceProfile','iam:CreateLoginProfile','iam:CreateOpenIDConnectProvider','iam:CreateRole','iam:CreateSAMLProvider','iam:CreateServiceLinkedRole','iam:CreateServiceSpecificCredential','iam:CreateUser','iam:CreateVirtualMFADevice','iam:DeactivateMFADevice','iam:DeleteAccessKey','iam:DeleteAccountAlias','iam:DeleteGroup','iam:DeleteInstanceProfile','iam:DeleteLoginProfile','iam:DeleteOpenIDConnectProvider','iam:DeleteRole','iam:DeleteSAMLProvider','iam:DeleteSSHPublicKey','iam:DeleteServerCertificate','iam:DeleteServiceLinkedRole','iam:DeleteServiceSpecificCredential','iam:DeleteSigningCertificate','iam:DeleteUser','iam:DeleteVirtualMFADevice','iam:EnableMFADevice','iam:PassRole','iam:RemoveClientIDFromOpenIDConnectProvider','iam:RemoveRoleFromInstanceProfile','iam:RemoveUserFromGroup','iam:ResetServiceSpecificCredential','iam:ResyncMFADevice','iam:SetSecurityTokenServicePreferences','iam:UpdateAccessKey','iam:UpdateAccountPasswordPolicy','iam:UpdateGroup','iam:UpdateLoginProfile','iam:UpdateOpenIDConnectProviderThumbprint','iam:UpdateRole','iam:UpdateRoleDescription','iam:UpdateSAMLProvider','iam:UpdateSSHPublicKey','iam:UpdateServerCertificate','iam:UpdateServiceSpecificCredential','iam:UpdateSigningCertificate','iam:UpdateUser','iam:UploadSSHPublicKey','iam:UploadServerCertificate','iam:UploadSigningCertificate') AND source.cloud.service.name = 'ecs' and source.cloud.resource.type = 'task-definition'",
"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the ECS Task Definition \n3. Find the role used by the ECS Task Definition \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
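Review bot: same punctuation error as the EC2 write-permissions hunk: "for IAM. such as creating" should be "for IAM, such as creating". The new text does fix the missing terminal period of the old description. Style: lowercase "and" in the query again.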
Expand Up @@ -4,8 +4,8 @@
"policyType": "iam",
"cloudType": "aws",
"severity": "high",
"name": "Elasticbeanstalk Platform with org write access level",
"description": "This policy identifies org write access that is defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
"name": "AWS Elastic Beanstalk Platform with AWS Organization management permissions",
"description": "This policy identifies IAM permissions that allows an Elastic Beanstalk Platform to manage AWS Organizations such as creating, deleting, updating AWS Organizations, accounts and Org level policies, features, and services. AWS Organization write permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
"rule.criteria": "b38b7c32-e9e8-4edb-8621-b88157ce34c7",
"searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('organizations:AcceptHandshake','organizations:AttachPolicy','organizations:CancelHandshake','organizations:CreateAccount','organizations:CreateGovCloudAccount','organizations:CreateOrganization','organizations:CreateOrganizationalUnit','organizations:CreatePolicy','organizations:DeclineHandshake','organizations:DeleteOrganization','organizations:DeleteOrganizationalUnit','organizations:DeletePolicy','organizations:DeregisterDelegatedAdministrator','organizations:DetachPolicy','organizations:DisableAWSServiceAccess','organizations:DisablePolicyType','organizations:EnableAWSServiceAccess','organizations:EnableAllFeatures','organizations:EnablePolicyType','organizations:InviteAccountToOrganization','organizations:LeaveOrganization','organizations:MoveAccount','organizations:RegisterDelegatedAdministrator','organizations:RemoveAccountFromOrganization','organizations:UpdateOrganizationalUnit','organizations:UpdatePolicy') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform'",
"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
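Review bot: subject-verb agreement in the new description: "IAM permissions that allows an Elastic Beanstalk Platform" should be "permissions that allow". The name now uses AWS's two-word spelling "Elastic Beanstalk", but steps 2 and 3 of the recommendation still say "Elasticbeanstalk Platform"; align them so the alert text and the policy name agree.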
Expand Up @@ -4,8 +4,8 @@
"policyType": "iam",
"cloudType": "aws",
"severity": "high",
"name": "Elasticbeanstalk Platform with IAM permissions management access level",
"description": "This policy identifies IAM permissions management access that is defined as risky permissions. Ensure that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don't have a risky set of write permissions to minimize security risks.",
"name": "AWS Elastic Beanstalk Platform with IAM policy management permissions",
"description": "This policy identifies IAM permissions that allows an Elastic Beanstalk Platform to manage IAM policies, such as creating, deleting, or attaching IAM policies to identities, roles, or groups. IAM policy management permissions are very risky and should only be used under very strict controls. Unnecessary usage of these permissions can significantly increase your attack surface and make it easier for attackers to compromise your AWS environment.",
"rule.criteria": "e0c233b7-8911-4ecb-8387-371f0308c168",
"searchModel.query": "config from iam where dest.cloud.type = 'AWS' AND action.name IN ('iam:AttachGroupPolicy','iam:AttachRolePolicy','iam:AttachUserPolicy','iam:CreatePolicy','iam:CreatePolicyVersion','iam:DeleteAccountPasswordPolicy','iam:DeleteGroupPolicy','iam:DeletePolicy','iam:DeletePolicyVersion','iam:DeleteRolePermissionsBoundary','iam:DeleteRolePolicy','iam:DeleteUserPermissionsBoundary','iam:DeleteUserPolicy','iam:DetachGroupPolicy','iam:DetachRolePolicy','iam:DetachUserPolicy','iam:PutGroupPolicy','iam:PutRolePermissionsBoundary','iam:PutRolePolicy','iam:PutUserPermissionsBoundary','iam:PutUserPolicy','iam:SetDefaultPolicyVersion','iam:UpdateAssumeRolePolicy') AND source.cloud.service.name = 'elasticbeanstalk' AND source.cloud.resource.type = 'platform'",
"recommendation": "Remediation steps:\n1. Log in to the AWS console\n2. Navigate to the Elasticbeanstalk Platform \n3. Find the role used by the Elasticbeanstalk Platform \n4. Navigate to the IAM service\n5. Click on Roles\n6. Choose the relevant role\n7. Under ''Permissions policies'', find the relevant policy according to the alert details and remove the risky actions",
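Review bot: same two issues as the Elastic Beanstalk org-management hunk: "permissions that allows" should be "permissions that allow", and the recommendation still says "Elasticbeanstalk Platform" while the name says "Elastic Beanstalk Platform". The description also has the policy-management gap noted on the EC2 and ECS hunks (permissions boundaries, iam:UpdateAssumeRolePolicy, iam:DeleteAccountPasswordPolicy are matched but not mentioned).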