Privileged AWS IAM User Has Been Created

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected the creation process of a privileged AWS IAM user within your Amazon Web Services account.


A privileged AWS IAM user (also known as Power User, Super User or System Administrator) is an identity that has full access to AWS services and resources. The privileged user access can be programmatic - which enables an access key ID and secret access key that can be used by AWS API, CLI, SDK, and other development tools or based on Management Console - which enables a password that allows users to sign-in to the AWS Management Console. The empowered IAM user access is controlled using a well-defined set of permissions (i.e. IAM policy) that is attached to the user during creation process.

Since this super user has admin-level privileges, using it by unauthorized personnel can introduce security issues as it can be utilized to access any service, resource or component within your AWS account through Management Console or API without restrictions.

To adhere to AWS security best practices and implement the principle of least privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Cloud Conformity strongly recommends that you avoid creating more than one privileged IAM user, unless it's really necessary. Ideally, the IAM administration and permission management within your AWS account should be divided between two well-defined roles: IAM Master and IAM Manager. And these roles should be utilized by designated users only to create and configure other IAM users and roles with limited permissions that follow the same principle of least privilege.

Important Note:
To benefit from the Real-Time Monitoring detection used by this rule, you need to first enable this rule within your Cloud Conformity account (the rule is disabled by default).


Monitoring IAM access in real-time is absolutely necessary for keeping your Amazon Web Services account safe.

When an IAM user with administrator-level permissions (i.e. has authorization to modify or remove any resource, access any data in your AWS environment and can use any service or component) is used by an inexperienced person within your organization, his actions can lead to severe security problems, data leaks, data loss or even unexpected charges on your AWS bill. Unfortunately, as an organization grows and more people get involved in the operational aspect of the AWS environment administration, the tendency is to create more than one privileged IAM user and this poses a huge operational risk.

For example, to adhere to security best practices, an AWS account administrator has "locked down" the organization account in order to remain the only one that has admin-level access to the AWS services and resources, until one day when the organization management provides root access to an inexperienced employee within the company to create its own IAM user to access a certain AWS service or resource tied to its job position but he/she attach an overly permissive policy such as "AdministratorAccess" to its IAM user.

Since the designated account administrator does not expect any IAM admin-level activity, the privileged user creation process detected by the Cloud Conformity Real-Time Monitoring feature will give the administrator the chance to prevent any potential security issues that could be introduced by the new privileged IAM user. Another example is when an AWS admin creates a new IAM user (e.g. web developer) that needs access only to the EC2 instances logs via AWS CloudWatch service but for some reason (intentional or not) does not implement the principle of least privilege and assigns the "AdministratorAccess" policy to the new IAM user, providing it with administrator-level access to the AWS account which could expose it to sensitive data or even put the whole business at risk.

Segregating the IAM users in your account by controlling their privileges will help you maintain a secure AWS environment. Cloud Conformity recommends granting your IAM users the minimum amount of privileges necessary to perform the assigned task and avoid using more than one privileged IAM user at any time.

Using Cloud Conformity Real-Time Monitoring detection for privileged IAM user creation will help you enforce stricter and safer access policies within your organization.


Publication date May 24, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Privileged AWS IAM User Has Been Created

Risk level: High