Ensure that your Amazon IAM users receive their access permissions only through IAM groups, in order to follow the Principle of Least Privilege (POLP) and to manage user-based access to your AWS resources more efficiently.
This rule can help you with the following compliance standards:
- CISAWSF
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
IAM users are granted access to AWS cloud services, resources, and data through IAM policies. You can define policies for an IAM user in three ways:
1) editing the user policy directly;
2) attaching a policy directly to the user;
3) adding the user to an IAM group and assigning the required policy to that group.
To follow IAM security best practices, only the third method is recommended. Assigning access policies only through IAM groups unifies permissions management in a single, flexible layer that maps to the functional roles in your organization. Instead of defining permissions for individual IAM users, create IAM groups that correspond to job functions (administrators, developers, testers, etc.) and add users to these groups as needed, or move users between groups as their roles in your organization change. All users within an IAM group inherit the permissions assigned to that group, so a change made in one place applies to everyone in the group. Unifying permissions management in this way reduces the likelihood of excessive permissions.
Audit
To determine if your IAM users receive permissions through IAM groups only, perform the following actions:
Remediation / Resolution
To change the permissions configuration of your Amazon IAM users so that they receive access permissions through IAM groups only, perform the following actions:
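The audit and remediation steps above map onto the IAM API calls listed in the references. The following added example (not Conformity's own code) implements the audit with boto3-style paginated calls and generates the matching AWS CLI remediation commands; `FakeIAM`, the user names, the group name `developers` and the policy names are constructed sample data.

```python
"""Audit IAM users holding permissions outside IAM groups (added example, not Conformity's code)."""
from dataclasses import dataclass
from types import SimpleNamespace

@dataclass
class Finding:
    user: str
    attached: list  # managed policy ARNs attached directly to the user
    inline: list    # names of inline policies embedded in the user

def audit_users(iam):
    """Return a Finding for each IAM user with a directly attached or inline policy.
    `iam` is anything exposing boto3's get_paginator(op).paginate(**kwargs) interface (boto3.client("iam")
    live, FakeIAM() below offline); paginators ensure users or policies past the first page are not missed."""
    pages = lambda op, **kw: iam.get_paginator(op).paginate(**kw)
    findings = []
    for page in pages("list_users"):
        for user in page["Users"]:
            name = user["UserName"]
            attached = [p["PolicyArn"] for pg in pages("list_attached_user_policies", UserName=name)
                        for p in pg["AttachedPolicies"]]
            inline = [n for pg in pages("list_user_policies", UserName=name) for n in pg["PolicyNames"]]
            if attached or inline:
                findings.append(Finding(name, attached, inline))
    return findings

def remediation_commands(finding, group):
    """AWS CLI steps moving a user's direct permissions onto `group`: grant the group first and remove
    the user-level grants last, so access is never lost mid-change. Inline policies have no ARN to
    re-attach; recreate them on the group (aws iam put-group-policy) before the delete-user-policy step."""
    cmds = [f"aws iam add-user-to-group --group-name {group} --user-name {finding.user}"]
    cmds += [f"aws iam attach-group-policy --group-name {group} --policy-arn {a}" for a in finding.attached]
    cmds += [f"aws iam detach-user-policy --user-name {finding.user} --policy-arn {a}" for a in finding.attached]
    cmds += [f"aws iam delete-user-policy --user-name {finding.user} --policy-name {n}" for n in finding.inline]
    return cmds

class FakeIAM:
    """Offline stand-in for the IAM client serving constructed sample users (not real account data)."""
    USERS = [{"Users": [{"UserName": "alice"}, {"UserName": "bob"}]}]
    ATTACHED = {"alice": [], "bob": [{"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}
    INLINE = {"alice": [], "bob": ["s3-bucket-rw"]}

    def get_paginator(self, operation):
        def paginate(**kw):
            if operation == "list_users":
                return iter(self.USERS)
            if operation == "list_attached_user_policies":
                return iter([{"AttachedPolicies": self.ATTACHED[kw["UserName"]]}])
            return iter([{"PolicyNames": self.INLINE[kw["UserName"]]}])
        return SimpleNamespace(paginate=paginate)
```

`audit_users(boto3.client("iam"))` runs the same check against a live account using read-only list calls; `remediation_commands` only returns the CLI commands for review rather than executing them.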
References
- AWS Documentation
  - Security best practices in IAM
  - Managed policies and inline policies
  - Create an administrative user
  - Attaching a policy to an IAM user group
  - Adding and removing users in an IAM user group
- CIS Benchmark Documentation
  - CIS Benchmarks
- AWS Command Line Interface (CLI) Documentation
  - iam
  - list-users
  - list-attached-user-policies
  - list-user-policies
  - create-group
  - attach-group-policy
  - add-user-to-group
  - detach-user-policy
  - delete-user-policy