Rule: IAM Users Should Be in at Least One Group

This rule ensures that IAM users are assigned to at least one group for proper access control.

Rule: IAM users should be in at least one group
Framework: NIST 800-171 Revision 2
Severity: High

IAM Rule: Users should be in at least one group for NIST 800-171 Revision 2

Description

According to NIST 800-171 Revision 2, it is recommended to organize IAM users into groups to efficiently manage access permissions and security policies. This rule ensures that all IAM users within an AWS account are assigned to at least one group. By properly configuring user groups, you can enforce security controls and restrict access to sensitive resources, reducing the risk of unauthorized access and potential exposure of sensitive data.

Troubleshooting Steps

If any IAM user is not assigned to a group, follow these troubleshooting steps to remediate the issue:

  1. Identify the IAM user not assigned to a group.
  2. Determine the permissions and access required for the user.
  3. Create a new group or identify an existing group that aligns with the user's permissions and access needs.
  4. Add the user to the appropriate group.

Necessary Codes

There are no specific codes required for this rule, since it concerns only the configuration and group assignment of IAM users. However, you may need to use AWS CLI commands (for example `aws iam list-users`, `aws iam list-groups-for-user` and `aws iam add-user-to-group`) to audit and remediate at scale.
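The following script is an added example, not part of the original rule page or the Cloud Defense product. It implements the audit behind this rule and the troubleshooting steps above using the AWS CLI output shapes of `aws iam list-users` and `aws iam list-groups-for-user`: it lists every user whose group list is empty and prints the `aws iam add-user-to-group` command that would remediate each one. The sample account id, user names and the `ReadOnlyAuditors` group name are constructed placeholders; by default the script runs offline against that constructed data, and the `live_groups_for_user` helper shows how to point the same logic at a real account (which requires configured AWS credentials).

```python
"""Find IAM users that belong to no group and print the CLI remediation."""
import json
import subprocess
from typing import Callable, Dict, List

# Constructed sample data shaped like `aws iam list-users` output.
# The account id and user names are placeholders, not real account data.
SAMPLE_LIST_USERS: Dict = {
    "Users": [
        {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"},
        {"UserName": "bob", "Arn": "arn:aws:iam::123456789012:user/bob"},
        {"UserName": "svc-deploy", "Arn": "arn:aws:iam::123456789012:user/svc-deploy"},
    ]
}

# Constructed sample data shaped like `aws iam list-groups-for-user` output,
# keyed by user name so it can stand in for the live CLI call.
SAMPLE_GROUPS_FOR_USER: Dict[str, Dict] = {
    "alice": {"Groups": [{"GroupName": "Developers"}]},
    "bob": {"Groups": []},
    "svc-deploy": {"Groups": []},
}


def users_without_groups(list_users_output: Dict,
                         groups_for_user: Callable[[str], Dict]) -> List[str]:
    """Return the sorted names of users whose group list is empty.

    `groups_for_user` is injected so the same logic runs against the constructed
    sample above or against the live CLI (see live_groups_for_user).
    """
    orphans = []
    for user in list_users_output.get("Users", []):
        name = user["UserName"]
        if not groups_for_user(name).get("Groups"):
            orphans.append(name)
    return sorted(orphans)


def remediation_commands(user_names: List[str], group_name: str) -> List[str]:
    """Build one `aws iam add-user-to-group` command per orphaned user.

    Commands are returned instead of executed so an operator can confirm the
    group matches each user's required permissions before applying them.
    """
    return [
        f"aws iam add-user-to-group --user-name {name} --group-name {group_name}"
        for name in user_names
    ]


def _aws_iam_json(*args: str) -> Dict:
    """Run an `aws iam` subcommand and parse its JSON output (needs credentials)."""
    out = subprocess.check_output(["aws", "iam", *args, "--output", "json"])
    return json.loads(out)


def live_groups_for_user(user_name: str) -> Dict:
    """Live equivalent of the SAMPLE_GROUPS_FOR_USER lookup."""
    return _aws_iam_json("list-groups-for-user", "--user-name", user_name)


def main() -> None:
    # Offline demo on constructed data. For a real audit replace the two
    # arguments with _aws_iam_json("list-users") and live_groups_for_user.
    orphans = users_without_groups(SAMPLE_LIST_USERS, SAMPLE_GROUPS_FOR_USER.__getitem__)
    print("IAM users in no group:", orphans)
    # "ReadOnlyAuditors" is a placeholder; choose the group whose policies
    # match the access each user actually needs (troubleshooting steps 2 and 3).
    for cmd in remediation_commands(orphans, "ReadOnlyAuditors"):
        print(cmd)


if __name__ == "__main__":
    main()
```

Run with no arguments to see the offline result (`bob` and `svc-deploy` are reported). Note that this check, like the rule itself, looks only at group membership: a user who is in a group can still carry inline or directly attached policies, so a full review of a user's effective permissions should also list those.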

Step-by-Step Guide for Remediation

Follow the steps below to ensure that all IAM users are assigned to at least one group:

  1. Sign in to the AWS Management Console.
  2. Open the IAM service.
  3. In the left navigation pane, click on "Users" to display a list of all IAM users in the account.
  4. Identify the user(s) not assigned to a group.
  5. Make a note of the required permissions and access for each user.
  6. Click on "Groups" in the left navigation pane to view the list of existing groups.
  7. Either select an existing group or create a new group that aligns with the user's permissions and access needs.
     • To create a new group, click on the "Create New Group" button.
     • Provide a meaningful group name and attach appropriate policies to the group, specifying the necessary permissions.
     • Click on "Create Group" to save the group configuration.
  8. Return to the "Users" section and select the user(s) not assigned to a group.
  9. Click on the "Add user to group" button at the top of the user's summary page.
  10. Select the appropriate group from the list and click on "Add to Groups" to assign the user to the group.
  11. Confirm that the user is now assigned to at least one group by checking the group column in the "Users" list.
  12. Repeat this process for any additional users not assigned to a group.
  13. Once all users are assigned to at least one group, the remediation process is complete.

It is essential to regularly review and update group memberships as user permissions or access requirements change over time.
