IAM roles (excluding service roles) are evaluated for attachment of the AWS-managed AdministratorAccess policy.
Attachment indicates the role holds unrestricted permissions across services and resources.
Risk
Granting full administrative permissions on a role undermines confidentiality, integrity, and availability. If the role is assumed or its credentials are stolen, an attacker can read sensitive data, change policies, disable auditing, delete resources and backups, and create new privileged identities, enabling swift account takeover.
prowler aws --checks iam_role_administratoraccess_policy
Recommendation
Apply least privilege: avoid attaching AdministratorAccess to roles. Grant only task-scoped permissions with custom policies and enforce separation of duties.
Use permissions boundaries, SCPs, and policy conditions to constrain what a role can actually do. Require MFA for break-glass admins, time-bound elevation with approval, and refine access using IAM Access Analyzer.
Remediation
aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
- In the AWS Console, go to IAM > Roles
- Select the role flagged by the check
- On the Permissions tab, under Attached policies, find "AdministratorAccess"
- Click Detach next to "AdministratorAccess"
- Confirm the detach
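The check logic described at the top of this page, and the CLI remediation above, as an added example (not Prowler's own code). It evaluates a constructed, inline snapshot of roles and their attached managed policies, so it runs offline; the assumption that service roles are recognised by the /aws-service-role/ and /service-role/ path prefixes is this example's, not the page's. A helper showing how the same snapshot would be collected live with boto3 is included but not exercised here.

```python
# Added example: replicate the AdministratorAccess-on-role check offline and
# derive the matching detach commands. Not Prowler's source code.
from __future__ import annotations
from dataclasses import dataclass, field

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Assumption (not stated on the page): service roles are identified by path.
SERVICE_ROLE_PATH_PREFIXES = ("/aws-service-role/", "/service-role/")


@dataclass
class Role:
    name: str
    path: str
    attached_policy_arns: list[str] = field(default_factory=list)


def is_service_role(role: Role) -> bool:
    """Roles under a service path are out of scope for this check."""
    return role.path.startswith(SERVICE_ROLE_PATH_PREFIXES)


def has_administrator_access(role: Role) -> bool:
    """True if the AWS-managed AdministratorAccess policy is attached."""
    return ADMIN_POLICY_ARN in role.attached_policy_arns


def evaluate_roles(roles: list[Role]) -> list[tuple[str, str]]:
    """Return (role name, PASS/FAIL) for every in-scope role."""
    findings = []
    for role in roles:
        if is_service_role(role):
            continue  # excluded, as the check description states
        status = "FAIL" if has_administrator_access(role) else "PASS"
        findings.append((role.name, status))
    return findings


def remediation_commands(roles: list[Role]) -> list[str]:
    """One detach-role-policy command per failing role (mirrors the page's CLI step)."""
    return [
        f"aws iam detach-role-policy --role-name {r.name} --policy-arn {ADMIN_POLICY_ARN}"
        for r in roles
        if not is_service_role(r) and has_administrator_access(r)
    ]


def fetch_roles(iam_client) -> list[Role]:
    """Live collection with boto3 paginators (not run in this offline example)."""
    roles = []
    for page in iam_client.get_paginator("list_roles").paginate():
        for r in page["Roles"]:
            arns = []
            pager = iam_client.get_paginator("list_attached_role_policies")
            for ppage in pager.paginate(RoleName=r["RoleName"]):
                arns.extend(p["PolicyArn"] for p in ppage["AttachedPolicies"])
            roles.append(Role(r["RoleName"], r["Path"], arns))
    return roles


# Constructed sample data; names and attachments are invented for illustration.
SAMPLE_ROLES = [
    Role("DeploymentAdmin", "/", [ADMIN_POLICY_ARN, "arn:aws:iam::aws:policy/ReadOnlyAccess"]),
    Role("ReadOnlyAuditor", "/", ["arn:aws:iam::aws:policy/SecurityAudit"]),
    # A service role with AdministratorAccess attached is skipped, not reported.
    Role("BuildServiceRole", "/service-role/", [ADMIN_POLICY_ARN]),
]

if __name__ == "__main__":
    for name, status in evaluate_roles(SAMPLE_ROLES):
        print(f"{status}: {name}")
    for cmd in remediation_commands(SAMPLE_ROLES):
        print(cmd)
```

Running the block prints one FAIL (DeploymentAdmin), one PASS (ReadOnlyAuditor) and a single detach command; the service role is silently skipped. Review the generated commands before running them, since a detach is immediate and the role may still need a narrower replacement policy.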
Resource Type
AwsIamRole