This rule ensures that IAM users are assigned to at least one group for proper access control.
| Field | Value |
| --- | --- |
| Rule | IAM users should be in at least one group |
| Framework | NIST 800-53 Revision 5 |
| Severity | High |
Rule Description:
IAM users should be assigned to at least one group in order to comply with the NIST 800-53 Revision 5 security standard. This rule ensures proper management and control of user access permissions and simplifies user administration by applying common permissions to groups rather than individual users.
Troubleshooting Steps:
Necessary Codes:
No specific code is required for this rule; the AWS CLI commands in the remediation steps below can be used to automate both the check and the fix.
Step-by-Step Remediation:
1. List all IAM users (this lists every user; group membership is checked in the next step):
   aws iam list-users
2. Verify group membership:
   aws iam list-groups-for-user --user-name <IAM_USER_NAME>
   Replace <IAM_USER_NAME> with the username of each IAM user. An empty Groups list in the output means the user has no group association.
3. Fix a missing group association by adding the user to a group:
   aws iam add-user-to-group --user-name <IAM_USER_NAME> --group-name <GROUP_NAME>
   Replace <IAM_USER_NAME> with the username of the IAM user and <GROUP_NAME> with the desired group name to which the user will be added.
Repeat steps 2 and 3 until all IAM users are associated with at least one group.
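The check in steps 1 and 2, as an added example that is not part of this rule page or the AWS CLI: it evaluates the JSON that `aws iam list-users` and `aws iam list-groups-for-user` return and reports every user with no group. The sample outputs, account id and user names are constructed; the collect_live function is an assumed helper that runs the same two commands against a real account and needs credentials.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample output in the shape returned by `aws iam list-users`
# (only the fields used here; real output carries more per user).
SAMPLE_LIST_USERS = json.dumps({
    "Users": [
        {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"},
        {"UserName": "bob", "Arn": "arn:aws:iam::123456789012:user/bob"},
        {"UserName": "svc-deploy", "Arn": "arn:aws:iam::123456789012:user/svc-deploy"},
    ]
})

# Constructed sample outputs of `aws iam list-groups-for-user --user-name <name>`,
# keyed by user name. An empty Groups list is exactly what this rule flags.
SAMPLE_GROUPS_FOR_USER = {
    "alice": json.dumps({"Groups": [{"GroupName": "Developers"}]}),
    "bob": json.dumps({"Groups": []}),
    "svc-deploy": json.dumps({"Groups": [{"GroupName": "Deployers"}, {"GroupName": "ReadOnly"}]}),
}


def users_without_groups(list_users_json: str, groups_for_user_json: Dict[str, str]) -> List[str]:
    """Return, sorted, the user names whose list-groups-for-user result has no groups.

    A user with no entry in groups_for_user_json is reported as ungrouped, so a
    missing or failed lookup surfaces as a finding instead of silently passing.
    """
    ungrouped = []
    for user in json.loads(list_users_json).get("Users", []):
        name = user["UserName"]
        raw = groups_for_user_json.get(name)
        groups = json.loads(raw).get("Groups", []) if raw else []
        if not groups:
            ungrouped.append(name)
    return sorted(ungrouped)


def _aws(*args: str) -> str:
    """Assumed helper: run one AWS CLI command and return its JSON text (live account)."""
    return subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True).stdout


def collect_live() -> List[str]:
    """Assumed helper: evaluate the rule against the current account with the two CLI commands."""
    listing = _aws("iam", "list-users")
    per_user = {u["UserName"]: _aws("iam", "list-groups-for-user", "--user-name", u["UserName"])
                for u in json.loads(listing)["Users"]}
    return users_without_groups(listing, per_user)


if __name__ == "__main__":
    for name in users_without_groups(SAMPLE_LIST_USERS, SAMPLE_GROUPS_FOR_USER):
        print(f"FAIL: {name} is not a member of any IAM group")
```

Each name reported is then a candidate for step 3 (`aws iam add-user-to-group`) with the group that matches the user's role.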
Conclusion:
By adhering to the NIST 800-53 Revision 5 requirement of assigning IAM users to at least one group, you ensure better control and management over user permissions in your AWS environment. Following the troubleshooting and remediation steps provided above will help you identify and address any violations of this rule.