This rule ensures that IAM users are granted permissions solely via groups.
| Rule | Ensure IAM Users Receive Permissions Only Through Groups |
| Framework | cis_v150 |
| Severity | High |
Rule Details: Ensure IAM Users Receive Permissions Only Through Groups (cis_v150)
This rule is a best-practice recommendation from the Center for Internet Security (CIS) AWS benchmark (cis_v150). It concerns AWS Identity and Access Management (IAM) and requires that IAM users be granted permissions only through their membership in IAM groups, not through managed policies attached directly to the user or inline policies embedded in the user.
Why this Rule is Important
Assigning user permissions through groups helps to:
Troubleshooting Steps
If any of your IAM users have been granted permissions directly (attached managed policies or inline user policies) rather than through groups, you will need to take steps to remediate this.
Check for Directly Assigned Permissions
Check for Permissions Through Groups
Remediation Steps
To comply with the rule, if permissions are assigned directly, they will need to be migrated to group-based permissions.
Create or Identify Groups
Assign Users to Groups
Remove Direct Permissions
Required AWS CLI Commands
To perform these remediation steps from the Command Line Interface (CLI), the following commands can be used:
aws iam list-users
aws iam list-attached-user-policies --user-name <username>
aws iam list-groups-for-user --user-name <username>
aws iam create-group --group-name <groupname>
aws iam add-user-to-group --group-name <groupname> --user-name <username>
aws iam remove-user-from-group --group-name <groupname> --user-name <username>
aws iam detach-user-policy --user-name <username> --policy-arn <policy-arn>
aws iam delete-user-policy --user-name <username> --policy-name <policyname>
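As an added example (not code from the original page), the following Python script automates the "Check for Directly Assigned Permissions" step by invoking the CLI commands listed above through subprocess and parsing their JSON output. It also uses aws iam list-user-policies, which is not in the list above but is the command that enumerates inline user policies (the ones delete-user-policy removes). A constructed set of sample CLI responses is included so the logic can be exercised offline; running it against a real account assumes a configured aws CLI.

```python
import json
import subprocess


def aws_cli(*args):
    # Run an AWS CLI command and return its parsed JSON output
    result = subprocess.run(
        ["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def direct_permissions(user_name, run=aws_cli):
    # Returns (managed policy ARNs attached directly, inline policy names) for one user.
    # `run` is injectable so the logic can be driven by constructed CLI output.
    attached = run("iam", "list-attached-user-policies", "--user-name", user_name)
    inline = run("iam", "list-user-policies", "--user-name", user_name)
    arns = [p["PolicyArn"] for p in attached.get("AttachedPolicies", [])]
    names = list(inline.get("PolicyNames", []))
    return arns, names


def find_noncompliant_users(run=aws_cli):
    # Map each user holding direct permissions to what was found; empty dict means compliant
    findings = {}
    for user in run("iam", "list-users")["Users"]:
        arns, names = direct_permissions(user["UserName"], run)
        if arns or names:
            findings[user["UserName"]] = {"attached": arns, "inline": names}
    return findings


def remediation_commands(findings):
    # Build the detach/delete commands from the list above for each finding
    cmds = []
    for user, f in findings.items():
        cmds += [f"aws iam detach-user-policy --user-name {user} --policy-arn {a}" for a in f["attached"]]
        cmds += [f"aws iam delete-user-policy --user-name {user} --policy-name {n}" for n in f["inline"]]
    return cmds


# Constructed sample CLI responses (not real account data): alice is compliant, bob is not
SAMPLE_CLI_OUTPUT = {
    ("iam", "list-users"): {"Users": [{"UserName": "alice"}, {"UserName": "bob"}]},
    ("iam", "list-attached-user-policies", "--user-name", "alice"): {"AttachedPolicies": []},
    ("iam", "list-user-policies", "--user-name", "alice"): {"PolicyNames": []},
    ("iam", "list-attached-user-policies", "--user-name", "bob"): {"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    ("iam", "list-user-policies", "--user-name", "bob"): {"PolicyNames": ["s3-inline"]},
}


def sample_run(*args):
    return SAMPLE_CLI_OUTPUT[args]


if __name__ == "__main__":
    for cmd in remediation_commands(find_noncompliant_users(sample_run)):
        print(cmd)
```

The printed commands are only the "Remove Direct Permissions" step; run them after the equivalent policies have been attached to a group and the user added to it, otherwise the user loses access.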
Following these steps should help organizations strengthen their security posture and align with the cis_v150 benchmark requirement that IAM users receive permissions only through groups.