IAM users are evaluated for a direct attachment of the AWS managed policy AdministratorAccess. The finding identifies identities where this policy appears among the user's attached policies.
Risk
Assigning an IAM user full admin rights concentrates power in long-lived credentials. If those credentials are compromised, an attacker gains:
- Confidentiality: read/export all data
- Integrity: change configs, policies, code
- Availability: delete resources, disrupt services
Such access also enables persistence and uncontrolled spend.
Run this check with Prowler CLI
prowler aws --checks iam_user_administrator_access_policy
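The following is an added example, not Prowler's own code, that reproduces the check's logic in Python: it flags users whose directly attached managed policies include AdministratorAccess and emits the detach command from the Remediation section for each finding. The inventory dictionary is constructed sample data (the account ID and policy names in it are made up); the optional `collect_inventory` helper is an assumption about how one would gather the same data live with boto3.

```python
"""Added example: flag IAM users with AdministratorAccess attached directly.

Illustrative re-implementation of the check, not Prowler's code. The sample
inventory is constructed; the boto3 collector is optional (import deferred).
"""

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample data; shape mirrors iam:ListAttachedUserPolicies output.
SAMPLE_INVENTORY = {
    "alice": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "bob": [ADMIN_POLICY_ARN, "arn:aws:iam::123456789012:policy/deploy"],
    "ci-bot": [],
}


def find_direct_admin_users(inventory):
    """Return sorted user names with AdministratorAccess directly attached.

    Only direct attachment counts, matching the check's scope: admin rights
    inherited via group membership or inline policies are out of scope here.
    """
    return sorted(u for u, arns in inventory.items() if ADMIN_POLICY_ARN in arns)


def remediation_commands(users):
    """Build the detach command from the Remediation section, one per finding."""
    return [
        f"aws iam detach-user-policy --user-name {u} --policy-arn {ADMIN_POLICY_ARN}"
        for u in users
    ]


def collect_inventory(session=None):
    """Gather the same inventory from a live account with boto3 (assumed helper)."""
    import boto3  # deferred so the sample-data path runs without boto3 installed

    iam = (session or boto3.Session()).client("iam")
    inventory = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            pages = iam.get_paginator("list_attached_user_policies").paginate(UserName=name)
            inventory[name] = [p["PolicyArn"] for pg in pages for p in pg["AttachedPolicies"]]
    return inventory


if __name__ == "__main__":
    for cmd in remediation_commands(find_direct_admin_users(SAMPLE_INVENTORY)):
        print(cmd)
```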
Recommendation
Remove direct AdministratorAccess from users.
- Apply least privilege with scoped policies
- Use federation and roles for temporary admin access
- Enforce separation of duties and approvals
- Add guardrails (SCPs, permissions boundaries)
- Require MFA and rotate any remaining long-lived credentials
Remediation
CLI
aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Native IaC
Other
- Sign in to the AWS Console and open IAM
- Go to Users and select the target user
- Open the Permissions tab
- In Attached policies (or Permissions policies), find AdministratorAccess
- Select it and click Detach policy (or Remove)
- Confirm to detach
Source Code
Resource Type
AwsIamUser