This rule ensures IAM users are granted permissions exclusively through groups
Rule | Ensure IAM Users Receive Permissions Only Through Groups
Framework | cis_v140
Severity | Low
Ensure IAM Users Receive Permissions Only Through Groups (cis_v140)
Rule Description
The Center for Internet Security (CIS) Benchmark for AWS recommends that IAM (Identity and Access Management) users receive permissions only through groups. This policy is aimed at managing permissions more effectively and securely. By assigning permissions to groups rather than individual users, you can:
Troubleshooting Steps
If you discover IAM users that have policies attached directly instead of through a group, take the following steps to remediate the issue:
1. Identify IAM Users with Directly Attached Policies
Use the AWS Management Console or CLI to list all IAM users and check for any directly attached policies.
CLI Command:
# List every IAM user, save the names, then show the managed policies attached directly to each one
aws iam list-users --query 'Users[].UserName' --output json | tee users.txt
for user in $(jq -r '.[]' users.txt); do
  aws iam list-attached-user-policies --user-name "$user"
done
2. Create or Identify IAM Groups with Appropriate Permissions
Before reassigning permissions, identify or create IAM groups that reflect the roles and responsibilities within your organization.
CLI Command to Create a New IAM Group:
aws iam create-group --group-name YourGroupName
CLI Command to Attach a Policy to the Group:
aws iam attach-group-policy --group-name YourGroupName --policy-arn arn:aws:iam::aws:policy/YourPolicyName
3. Add Users to the Identified or Newly Created IAM Groups
Users should be added to the appropriate groups that have the necessary permissions.
CLI Command to Add a User to a Group:
aws iam add-user-to-group --group-name YourGroupName --user-name UserName
4. Remove Directly Attached Policies from IAM Users
After the necessary groups are in place and users have been added, directly attached policies should be removed from the individual IAM users.
CLI Command to Detach a Policy from a User:
aws iam detach-user-policy --user-name UserName --policy-arn arn:aws:iam::aws:policy/YourPolicyName
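The identification step above only covers managed policies attached to a user; a user can also carry inline policies, which the CIS control treats the same way. The following is an added example, not part of the original rule page, that evaluates both sources from the JSON shapes the AWS CLI and boto3 return; the collect_with_boto3 helper assumes boto3 is installed and credentials are configured, while the SAMPLE_* data is constructed for illustration.

```python
"""Audit IAM users for permissions granted outside of groups (cis_v140).

A user is non-compliant if it has any directly attached managed policy or
any inline policy; group membership is the only permitted source.
"""
import json


def audit_users(attached_by_user, inline_by_user):
    """Return {user: {"attached": [arns], "inline": [names]}} for non-compliant users.

    attached_by_user: {user: list-attached-user-policies response dict}
    inline_by_user:   {user: list-user-policies response dict}
    Response shapes follow AWS CLI / boto3 JSON output.
    """
    findings = {}
    for user in sorted(set(attached_by_user) | set(inline_by_user)):
        attached = [p["PolicyArn"] for p in
                    attached_by_user.get(user, {}).get("AttachedPolicies", [])]
        inline = list(inline_by_user.get(user, {}).get("PolicyNames", []))
        if attached or inline:
            findings[user] = {"attached": attached, "inline": inline}
    return findings


def collect_with_boto3():
    """Gather live data with boto3 (assumed installed, credentials configured).

    Uses paginators because all three list calls are paginated."""
    import boto3
    iam = boto3.client("iam")
    attached, inline = {}, {}
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            name = u["UserName"]
            pol_pages = iam.get_paginator("list_attached_user_policies").paginate(UserName=name)
            attached[name] = {"AttachedPolicies": [p for pg in pol_pages for p in pg["AttachedPolicies"]]}
            inl_pages = iam.get_paginator("list_user_policies").paginate(UserName=name)
            inline[name] = {"PolicyNames": [n for pg in inl_pages for n in pg["PolicyNames"]]}
    return attached, inline


# Constructed sample responses (not real account data)
SAMPLE_ATTACHED = {
    "alice": {"AttachedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                    "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    "bob": {"AttachedPolicies": []},
    "carol": {"AttachedPolicies": []},
}
SAMPLE_INLINE = {"alice": {"PolicyNames": []}, "bob": {"PolicyNames": ["s3-bucket-rw"]},
                 "carol": {"PolicyNames": []}}

if __name__ == "__main__":
    print(json.dumps(audit_users(SAMPLE_ATTACHED, SAMPLE_INLINE), indent=2))
```

Inline policies found this way are removed with `aws iam delete-user-policy` rather than `detach-user-policy`, after an equivalent policy has been attached to the user's group.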
Step-by-Step Guide for Remediation
List IAM Users: Start by listing all IAM users within your AWS account.
Audit Users: Review each user to identify directly attached permissions.
Create IAM Groups: If not already in place, create IAM groups corresponding to different roles required by your organization.
Assign Group Policies: Determine the minimum necessary permissions for each role and attach policies to the groups.
Add Users to Groups: Move each user into one or more groups that match their role(s).
Remove Direct Policies: Once users are part of groups, proceed to remove any directly attached policies.
By following these steps systematically, you will align with the CIS benchmark and create a more secure and manageable permission structure in your AWS environment.
Conclusion
Adhering to the CIS Benchmark and applying permissions solely through groups is crucial for a secure and standardized AWS environment. Regularly audit your IAM policies and adjust as necessary to ensure compliance and minimize potential security risks.