PMapper assumes that all users who can modify their own permissions are supposed to be admin users in the account. However, this might not be helpful for devs who add a couple of IAM permissions to a principal but didn't intend to grant AdministratorAccess equivalents.
The best example would be IAMFullAccess, which might be tossed onto a user thinking it necessary to handle iam:PassRole issues.
We should add a preset query (and maybe a finding) that detects principals where:
- the principal is an admin, and
- the principal does not have the AdministratorAccess managed policy or an equivalent policy attached to it.
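A sketch of what such a query could look like, written here as an added example rather than code from the PMapper project. It assumes a simplified stand-in for PMapper's node and policy objects (dicts with `arn`, `is_admin`, `attached_policies`, `group_memberships`, and policies with `arn` and `policy_doc`; these field names are assumptions), and treats a policy as "equivalent" to AdministratorAccess when it has an unconditional Allow on Action `*` (or `*:*`) for Resource `*` and no Deny statements. The sample principals, account ID and policy documents are constructed for the example.

```python
"""Preset-query sketch: flag principals PMapper marks as admin that carry neither
the AdministratorAccess managed policy nor an equivalent policy (directly or via
an IAM group). Those are likely escalation paths through IAM write permissions
such as IAMFullAccess rather than intended administrators."""
from typing import Dict, List

# Assumption: a simplified stand-in for PMapper's Node/Policy fields.
ADMINISTRATOR_ACCESS_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value) -> list:
    """IAM allows Statement/Action/Resource to be a string, dict or list; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_equivalent(policy_doc: dict) -> bool:
    """True when the document grants unconditional Allow on Action * (or *:*)
    for Resource *, i.e. what AdministratorAccess itself looks like.
    Any Deny statement disqualifies it: the effective grant is narrower."""
    statements = _as_list(policy_doc.get("Statement"))
    if any(s.get("Effect") == "Deny" for s in statements):
        return False
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


def has_explicit_admin_policy(node: dict, groups: Dict[str, dict]) -> bool:
    """Check policies attached directly to the principal or inherited via groups."""
    policies = list(node.get("attached_policies", []))
    for group_arn in node.get("group_memberships", []):
        policies.extend(groups.get(group_arn, {}).get("attached_policies", []))
    return any(
        p["arn"] == ADMINISTRATOR_ACCESS_ARN or is_admin_equivalent(p["policy_doc"])
        for p in policies
    )


def find_unintended_admins(nodes: List[dict], groups: Dict[str, dict]) -> List[str]:
    """ARNs of principals flagged is_admin whose attached policies never spell out
    administrator access: the candidates for the proposed finding."""
    return sorted(
        n["arn"] for n in nodes
        if n["is_admin"] and not has_explicit_admin_policy(n, groups)
    )


# ---- constructed sample data (not from a real account) ----
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ADMIN_POLICY = {"arn": ADMINISTRATOR_ACCESS_ARN, "policy_doc": ADMIN_DOC}
# Simplified IAMFullAccess: iam:* is enough to self-escalate, but is not Action *.
IAM_FULL_POLICY = {"arn": "arn:aws:iam::aws:policy/IAMFullAccess",
                   "policy_doc": {"Version": "2012-10-17",
                                  "Statement": [{"Effect": "Allow", "Action": "iam:*",
                                                 "Resource": "*"}]}}
# Customer-managed "admin" with an explicit Deny: broad, but not AdministratorAccess.
DENY_DOC = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                          {"Effect": "Deny", "Action": "organizations:*", "Resource": "*"}]}
ACCT = "arn:aws:iam::123456789012"  # placeholder account
SAMPLE_GROUPS = {f"{ACCT}:group/admins": {"attached_policies": [ADMIN_POLICY]}}
SAMPLE_NODES = [
    {"arn": f"{ACCT}:user/alice", "is_admin": True,
     "attached_policies": [ADMIN_POLICY], "group_memberships": []},
    {"arn": f"{ACCT}:user/bob", "is_admin": True,       # the case the issue describes
     "attached_policies": [IAM_FULL_POLICY], "group_memberships": []},
    {"arn": f"{ACCT}:user/carol", "is_admin": True,     # admin via group, intended
     "attached_policies": [], "group_memberships": [f"{ACCT}:group/admins"]},
    {"arn": f"{ACCT}:role/custom-admin", "is_admin": True,
     "attached_policies": [{"arn": f"{ACCT}:policy/CustomAdmin", "policy_doc": ADMIN_DOC}],
     "group_memberships": []},
    {"arn": f"{ACCT}:user/dave", "is_admin": False,
     "attached_policies": [IAM_FULL_POLICY], "group_memberships": []},
]


def run_example() -> List[str]:
    return find_unintended_admins(SAMPLE_NODES, SAMPLE_GROUPS)


if __name__ == "__main__":
    for arn in run_example():
        print(f"admin without AdministratorAccess-equivalent policy: {arn}")
```

Only bob is reported: alice and carol carry the managed policy (directly or through the group), the custom role's inline document is equivalent, and dave was never marked admin. A real implementation inside PMapper would walk its graph's Node objects the same way and could also account for permissions boundaries and inline policies, which this sketch leaves out.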