IAM groups are assessed for the AWS-managed AdministratorAccess policy attachment.
The finding reports any group that has this policy among its attached permissions.
Risk
Group-wide AdministratorAccess gives all members unrestricted control. A stolen or misused account can:
- Read/exfiltrate sensitive data (C)
- Modify or delete resources and configs (I/A)
- Disable logging and weaken defenses, enabling persistence and lateral movement
prowler aws --checks iam_group_administrator_access_policy
Recommendation
Remove AdministratorAccess from groups. Apply least privilege with task-scoped, customer-managed policies and separation of duties. Use roles for admin tasks with MFA, time-bound elevation, and auditing. Regularly review group membership and permissions; prefer defense-in-depth guardrails.
Remediation
aws iam detach-group-policy --group-name <groupname> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
- In the AWS Console, go to IAM > User groups
- Select the target group (<groupname>)
- Open the Permissions tab > Attached policies
- Select the policy AdministratorAccess and click Detach
- Confirm to remove the policy
Resource Type
AwsIamGroup
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/group-with-privileged-access.html
- https://support.icompaas.com/support/solutions/articles/62000233798-ensure-no-iam-groups-have-administrator-access-policy
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html