
Rule: Ensure IAM Users are Managed Centrally

This rule ensures IAM users are managed centrally for multi-account environments.

Rule: Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
Framework: cis_v150
Severity: Medium

Ensure IAM Users Are Managed Centrally via Identity Federation or AWS Organizations

Managing IAM users centrally through identity federation or AWS Organizations helps maintain a secure and scalable multi-account AWS environment. Centralized management provides better security oversight, reduces administrative overhead, and helps enforce consistent policies across all accounts. For compliance with the Center for Internet Security (CIS) benchmarks, specifically version 1.5.0, here's a detailed description of the rule and remediation steps.

Rule Description

This rule enforces that all AWS Identity and Access Management (IAM) users should be managed centrally. Centralized management means that user identities are not created and managed individually within each AWS account but are controlled through a single identity source. This source can be either an external identity provider (IdP) that supports SAML 2.0 (such as Microsoft Active Directory Federation Services) or AWS Organizations for managing multiple AWS accounts.

Benefits of Centralized Management

  • Consistency in access control across accounts
  • Simplified management of permissions and roles
  • Easier audit and compliance checks
  • Streamlined user provisioning and de-provisioning

Troubleshooting: Common Issues and Steps

If users aren't centrally managed, it could be due to:

  • Duplicate IAM users across accounts
  • Individual IAM users created instead of federated access
  • AWS Organizations or SSO not enabled

To troubleshoot, you need to:

  1. Check for IAM users across accounts.
  2. Verify if a federated identity system is linked with AWS IAM.
  3. Ensure AWS Organizations is enabled and properly configured.
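As an added example (not part of the original page or Cloud Defense's own checker), the three troubleshooting checks above as a Python audit function. `audit_account`, `Finding` and the fake clients are hypothetical names; the fakes stand in for boto3 `iam` and `organizations` clients, so the script runs offline and can be pointed at real clients unchanged.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    check: str
    passed: bool
    detail: str

def list_all_users(iam):
    """Collect every IAM user, following list_users pagination (IsTruncated/Marker)."""
    users, kwargs = [], {}
    while True:
        page = iam.list_users(**kwargs)
        users.extend(page.get("Users", []))
        if not page.get("IsTruncated"):
            return users
        kwargs = {"Marker": page["Marker"]}

def audit_account(iam, orgs, expected_provider_name=None):
    """Run the three troubleshooting checks for one account and return Findings."""
    findings = []
    # Check 1: locally created IAM users are the symptom this rule flags.
    users = list_all_users(iam)
    names = [u["UserName"] for u in users]
    findings.append(Finding("no_local_iam_users", not users,
                            f"{len(users)} local IAM user(s): {', '.join(names) or 'none'}"))
    # Check 2: a SAML provider must exist (optionally the one named in the SSO setup).
    providers = iam.list_saml_providers().get("SAMLProviderList", [])
    provider_names = [p["Arn"].rsplit("/", 1)[-1] for p in providers]
    ok = bool(providers) and (expected_provider_name is None or expected_provider_name in provider_names)
    findings.append(Finding("saml_provider_configured", ok,
                            f"SAML providers: {', '.join(provider_names) or 'none'}"))
    # Check 3: the account must belong to an organization created with --feature-set ALL.
    try:
        org = orgs.describe_organization()["Organization"]
        ok = org.get("FeatureSet") == "ALL"
        detail = f"organization {org.get('Id')} has feature set {org.get('FeatureSet')}"
    except Exception as exc:  # boto3 raises ClientError (AWSOrganizationsNotInUseException) here
        ok, detail = False, f"Organizations not in use: {exc}"
    findings.append(Finding("organizations_all_features", ok, detail))
    return findings

# Constructed fake clients shaped like boto3 responses (sample data, not a real account).
class FakeIam:
    def list_users(self, **kwargs):
        return {"Users": [{"UserName": "alice"}, {"UserName": "deploy-bot"}], "IsTruncated": False}
    def list_saml_providers(self):
        return {"SAMLProviderList": [{"Arn": "arn:aws:iam::111122223333:saml-provider/IdP-name"}]}

class FakeOrgs:
    def describe_organization(self):
        return {"Organization": {"Id": "o-exampleid", "FeatureSet": "ALL"}}

if __name__ == "__main__":
    # Real use: audit_account(boto3.client("iam"), boto3.client("organizations"), "IdP-name")
    for f in audit_account(FakeIam(), FakeOrgs(), expected_provider_name="IdP-name"):
        print(f"{'PASS' if f.passed else 'FAIL'} {f.check}: {f.detail}")
```

Run it once per account (for example by assuming a read-only audit role in each member account) and aggregate the FAIL lines to find duplicate or locally created users.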

Remediation

Using Identity Federation

Step 1: Choosing an Identity Provider (IdP)

  • Ensure you have access to an external IdP, like Active Directory or an equivalent service that supports SAML 2.0.

Step 2: Configuring SAML Assertions

  • Set up SAML assertions to map IdP attributes and groups to AWS IAM roles and permissions.

Step 3: Establishing Trust Relationship

  • Use the AWS CLI to create the SAML provider, replacing IdP-name and the XML document with your own details:
    aws iam create-saml-provider --saml-metadata-document file://saml-metadata.xml --name IdP-name

Step 4: Enabling Single Sign-On (SSO)

  • Use AWS SSO, if available, to manage access to multiple AWS accounts and applications centrally.

Step 5: Provisioning Access

  • Assign SSO to groups in your IdP that correspond to policies in AWS IAM for seamless access management.

Using AWS Organizations

Step 1: Creating an Organization

  • Use the AWS Management Console to create an organization from the AWS Organizations console, or via the AWS CLI:
    aws organizations create-organization --feature-set ALL

Step 2: Inviting Accounts

  • Invite existing AWS accounts or create new ones within your organization.

Step 3: Setting up Service Control Policies (SCPs)

  • Apply SCPs across your organization to enforce permissions for IAM users.

Step 4: Managing Users with AWS SSO

  • Manage user access to accounts in your organization via AWS Single Sign-On.

By following these steps, you can ensure that IAM user management aligns with CIS recommendations and improves your overall security posture. Automation with AWS CloudFormation or Terraform scripts can further streamline this process for large organizations.

Remember, implementing these best practices is not only crucial for security and compliance but it's also a sound business strategy that can bolster your organization's operational efficiency. If your organization reflects the utmost commitment to security best practices, you're more likely to inspire confidence in both your customers and employees.
