
IAM Users in at Least One Group Rule

Explains the requirement for IAM users to be part of at least one group.

Rule: IAM users should be in at least one group
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

According to the NIST 800-171 Revision 2 standard, IAM (Identity and Access Management) users should be assigned to at least one group. A group provides a convenient way to manage and assign permissions to multiple IAM users simultaneously, simplifying the management of user access across an organization's resources and services.

Policy Details:

To adhere to the NIST 800-171 Revision 2 standard, implement the following policy:

  1. All IAM users must be assigned to at least one group.
  2. Permissions attached directly to individual users (inline or attached policies) should be minimized; group-based permissions should be favored.
  3. Ensure that IAM groups are appropriately organized and named to represent the roles and responsibilities of their members within the organization.
  4. Regularly review and update group memberships as users' roles and permissions change within the organization.

Troubleshooting Steps:

If an IAM user is not part of any group, the following troubleshooting steps can be taken:

  1. Identify the user who is not assigned to any group.
  2. Verify whether the user's role requires group-based permissions.
  3. Check whether any existing group is suitable for this user's role and responsibilities.
  4. If no appropriate group exists, create a new group and assign the user to it.
  5. Ensure that the user's group membership is updated in the IAM console or via API calls.

Necessary Codes:

To enforce this policy, the following code snippets can be utilized:

  1. AWS CLI command to list all IAM users not assigned to any group:

aws iam get-account-authorization-details --filter User --query 'UserDetailList[?length(GroupList)==`0`].UserName' --output text

This command retrieves every IAM user's details, including group membership, and prints only the user names whose GroupList is empty. Users that belong to at least one group are not displayed. (The output of `aws iam list-users` does not include group membership, so it cannot be used for this check on its own.)

  2. AWS CLI command to add a user to a group:

aws iam add-user-to-group --user-name <user-name> --group-name <group-name>

Replace <user-name> with the username of the user and <group-name> with the name of the target group.

Remediation Steps:

To remediate the issue and ensure compliance with the policy:

  1. Identify the IAM users who are not currently assigned to any group using the AWS CLI command mentioned above.
  2. Review the role and responsibilities of each user.
  3. Determine the appropriate group(s) for each user based on their permission requirements.
  4. Add the users to the respective groups using the AWS CLI command mentioned above.
  5. Verify that the users are now part of the assigned groups by listing the IAM users and their groups using the AWS CLI command mentioned in the Necessary Codes section.

By following these steps, all IAM users will be assigned to at least one group, aligning with the requirements of the NIST 800-171 Revision 2 standard.
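As an added example (not part of the original page or of Cloud Defense's tooling), the following Python script performs the same check as the CLI command in the Necessary Codes section and the first remediation step in code: it walks the `get-account-authorization-details` response, reports users that belong to no group, and also flags users carrying policies attached directly to them (policy item 2). The sample data is constructed; `fetch_user_details` assumes boto3 is installed and credentials with `iam:GetAccountAuthorizationDetails` are available.

```python
"""Audit IAM users against the 'at least one group' rule (example code)."""
from typing import Dict, List


def audit_users(user_details: List[dict]) -> Dict[str, List[str]]:
    """Return findings keyed by UserName, from UserDetailList entries.

    'no_group'      - the user belongs to no IAM group (rule violation).
    'direct_policy' - the user has inline or attached policies of its own,
                      which the policy says should be minimized in favor of groups.
    """
    findings: Dict[str, List[str]] = {}
    for user in user_details:
        issues = []
        if not user.get("GroupList"):
            issues.append("no_group")
        if user.get("UserPolicyList") or user.get("AttachedManagedPolicies"):
            issues.append("direct_policy")
        if issues:
            findings[user["UserName"]] = issues
    return findings


def fetch_user_details() -> List[dict]:
    """Collect every user's details from AWS, following pagination.

    Assumes boto3 and credentials allowing iam:GetAccountAuthorizationDetails.
    """
    import boto3  # imported lazily so audit_users() runs without AWS access

    paginator = boto3.client("iam").get_paginator("get_account_authorization_details")
    return [u for page in paginator.paginate(Filter=["User"])
            for u in page.get("UserDetailList", [])]


# Constructed sample in the shape of the API response (not real account data).
SAMPLE_USER_DETAILS = [
    {"UserName": "alice", "GroupList": ["Developers"], "UserPolicyList": [], "AttachedManagedPolicies": []},
    {"UserName": "bob", "GroupList": [], "UserPolicyList": [], "AttachedManagedPolicies": []},
    {"UserName": "carol", "GroupList": [], "UserPolicyList": [{"PolicyName": "S3Access"}], "AttachedManagedPolicies": []},
]

if __name__ == "__main__":
    # Swap SAMPLE_USER_DETAILS for fetch_user_details() to audit a live account.
    for name, issues in audit_users(SAMPLE_USER_DETAILS).items():
        print(f"{name}: {', '.join(issues)}")
```

Each reported user maps to a remediation step above: `no_group` users are added to a suitable group, and `direct_policy` users have their direct permissions migrated into group policies.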
