Ensure that the IAM administration and permission management within your AWS account is divided between two roles: IAM Master and IAM Manager. The IAM Master role duty is to create IAM users, groups and roles, while the IAM Manager role responsibility is to assign users and roles to groups.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Since AWS IAM is the main point of control for service configuration access within an AWS account, the best practice is to avoid promoting only one user to have full control over IAM. This conformity rule main goal is to enable both IAM Master and IAM Manager to work together in a two-person rule manner to provide IAM users and roles the access to the right permissions. Providing the right permissions to your users/roles will significantly reduce the risk of unauthorized access to your AWS resources.
To search for IAM Master and IAM Manager roles within your AWS account, perform the following actions:
Remediation / Resolution
To create the IAM Master and IAM Manager roles necessary for an efficient IAM administration and permission management within your AWS account, perform the following:Note: Creating and configuring IAM Master and IAM Manager roles using AWS Management Console is not currently supported.
- AWS Documentation
- IAM Best Practices
- Actions and Condition Context Keys for AWS Identity and Access Management
- Configuring MFA-Protected API Access
- IAM Roles
- Creating a Role to Delegate Permissions to an IAM User
- IAM Groups
- Creating IAM Groups
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
IAM Master and IAM Manager Roles
Risk level: High