IAM Users Should Be in at Least One Group Rule

This rule ensures that IAM users are assigned to at least one group for proper access control.

Rule: IAM users should be in at least one group
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule/Policy Description:

IAM users should be in at least one group to comply with FedRAMP Moderate Revision 4 for security and access control purposes. This rule ensures that users are assigned to appropriate groups, so that permissions are granted through group membership rather than attached to individual users; this keeps access management consistent and helps enforce least privilege principles.

Troubleshooting Steps (if applicable):

If an IAM user is not assigned to any group, the following troubleshooting steps can be followed:

  1. Verify IAM user settings: Check if the user is currently not associated with any group.
  2. Assign the user to a group: Find the appropriate group that aligns with the user's job responsibilities and requirements. For example, if the user is responsible for managing EC2 instances, assign them to the "EC2 Management" group.
  3. Verify group membership: Validate that the user is successfully added to the assigned group.
  4. Test access: Ensure the IAM user can access the required resources and perform necessary actions within the assigned group's permissions.
  5. Repeat steps for all remaining IAM users without group assignments.

Necessary Code (if applicable):

This rule does not require specific code implementation. However, the following AWS CLI command can be used to assign an IAM user to a group:

aws iam add-user-to-group --user-name <IAM_USERNAME> --group-name <GROUP_NAME>

Replace <IAM_USERNAME> with the name of the IAM user to be assigned to a group, and <GROUP_NAME> with the desired group name.
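As an added example (not Cloud Defense's own code or the rule's implementation), the following Python script performs the check in troubleshooting step 1 at account scale: it reads the JSON output of `aws iam get-account-authorization-details --filter User`, which lists every user's group memberships and directly attached policies in one call, reports users in no group, and builds the `add-user-to-group` command above for each of them. The sample data is constructed, and the group name is a placeholder you would replace with your own.

```python
import json
import shlex
import sys

# Constructed sample shaped like the output of
#   aws iam get-account-authorization-details --filter User
# Only the fields this check reads are included; names and policies are made up.
SAMPLE = json.dumps({"UserDetailList": [
    {"UserName": "alice", "GroupList": ["FedRAMP_Moderate_Group"],
     "AttachedManagedPolicies": [], "UserPolicyList": []},
    {"UserName": "bob", "GroupList": [],
     "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
     "UserPolicyList": []},
    {"UserName": "carol", "GroupList": [], "AttachedManagedPolicies": [],
     "UserPolicyList": [{"PolicyName": "inline-s3", "PolicyDocument": {}}]},
    {"UserName": "dave", "GroupList": [], "AttachedManagedPolicies": [], "UserPolicyList": []},
]})


def load_details(text):
    """Parse the JSON document; the AWS CLI pages through IsTruncated/Marker for us."""
    return json.loads(text)


def users_without_groups(details):
    """Return one finding per user whose GroupList is empty. DirectPolicies lists managed
    and inline policies attached straight to the user: those bypass group-based control."""
    findings = []
    for user in details.get("UserDetailList", []):
        if user.get("GroupList"):
            continue  # compliant: the user is in at least one group
        direct = [p["PolicyName"] for p in user.get("AttachedManagedPolicies", [])]
        direct += [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        findings.append({"UserName": user["UserName"], "DirectPolicies": direct})
    return findings


def remediation_commands(findings, group_name):
    """Build the add-user-to-group command from the rule text for each finding."""
    return [f"aws iam add-user-to-group --user-name {shlex.quote(f['UserName'])}"
            f" --group-name {shlex.quote(group_name)}" for f in findings]


if __name__ == "__main__":
    # Usage: aws iam get-account-authorization-details --filter User | python check_groups.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in users_without_groups(load_details(source)):
        print(f"{finding['UserName']}: no group; direct policies: {finding['DirectPolicies'] or 'none'}")
```

Users reported with a non-empty DirectPolicies list deserve review first, since adding them to a group does not remove the permissions already attached to the user.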

Step-by-Step Guide for Remediation:

To ensure compliance with FedRAMP Moderate Revision 4, follow the step-by-step guide below to assign IAM users to at least one group:

  1. Log in to the AWS Management Console with appropriate admin credentials.
  2. Navigate to the IAM service.
  3. From the left-hand side menu, click on "Groups."
  4. Click on "Create New Group" to create a new group or select an existing group from the list.
  5. Provide a descriptive name for the group, such as "FedRAMP_Moderate_Group."
  6. Define the appropriate group permissions or attach policies to the group based on the user's job requirements.
  7. Once the group is created, go to the "Users" section in the IAM console.
  8. Select the IAM user that needs to be assigned to a group.
  9. Click on "Add user to groups."
  10. Check the box next to the desired group(s) to which the user should be assigned.
  11. Click the "Add to Groups" button to save the changes.
  12. Validate that the user is now listed under the assigned group(s).
  13. Repeat steps 8-12 for all remaining IAM users without group assignments.

By following these steps, all IAM users will be assigned to at least one group, aligning with FedRAMP Moderate Revision 4 requirements, and ensuring efficient access management and control.
