IAM Users in Group Rule
This rule ensures IAM users are assigned to at least one group for proper access control.
| Rule | IAM users should be in at least one group |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
According to the NIST 800-53 Revision 5 security framework, all IAM (Identity and Access Management) users should be assigned to at least one group. This rule ensures proper organization, management, and control over user access within an AWS (Amazon Web Services) environment, enhancing security and compliance.
Troubleshooting:
If any IAM user is not assigned to a group, it can potentially create access control and audit issues. Here are the troubleshooting steps to rectify this problem:
- 1.Identify the IAM user(s) without group assignment.
- 2.Determine if the user(s) actually require access and should be assigned to a specific group or if they can be deactivated if not necessary.
- 3.Review the existing groups in the AWS account and ensure they are configured correctly.
- 4.Check if there is a group missing that matches the access requirements of the user(s).
- 5.Verify that the user(s) should not be associated with any existing groups before creating a new one.
Required Steps and CLI Commands:
To remediate the issue of IAM users not being assigned to groups, follow these step-by-step instructions:
- 1.
Identify the IAM user(s) without group assignment:
- Access the AWS Management Console.
- Navigate to the IAM service.
- Click on "Users" in the left-hand menu.
- Review the list of users and note down any users without group assignments.
- 2.
Determine if the user(s) require access and should be assigned to a specific group:
- Assess the role and responsibilities of the user(s) within your organization.
- Consult with the user(s)' supervisor or department head to determine their access requirements.
- If the user(s) do not need access, consider deactivating their IAM accounts.
- 3.
Review the existing groups in the AWS account:
- In the IAM service console, click on "Groups" in the left-hand menu.
- Explore the list of existing groups.
- Ensure that the groups are appropriately named and aligned with access control policies.
- 4.
Check if there is a group missing:
- Based on the user(s)' access requirements, determine if there is an existing group that matches their needs.
- If a suitable group exists, proceed to the next step for assigning the user(s) to that group.
- If not, continue to create a new group.
- 5.
Verify that the user(s) should not be associated with any existing groups:
- Select the user(s) that require a group assignment.
- Click on the "User Actions" dropdown and choose "Add user to group".
- A dialog box will appear displaying the available groups.
- Ensure none of the existing groups appropriately match the user(s)' access requirements before proceeding.
- 6.
Create a new group (if required):
- In the IAM service console, click on "Groups" in the left-hand menu.
- Click on "Create New Group".
- Provide a meaningful name and description for the group based on the access requirements of the user(s).
- Proceed to grant necessary permissions and policies to the group that align with the user(s)' responsibilities.
- 7.
Assign user(s) to the created or existing group:
- Select the user(s) that require group assignment.
- Click on the "User Actions" dropdown and choose "Add user to group".
- In the dialog box, select the appropriate group and click "Add to group".
Conclusion:
By following the above instructions, you can ensure that all IAM users in your AWS environment are associated with at least one group as per the NIST 800-53 Revision 5 requirements. This not only helps in maintaining a well-organized access control structure but also improves security and compliance within your AWS account.