Rule: IAM Users Should Be in at Least One Group

This rule ensures that IAM users are assigned to at least one group for proper access control.

Rule: IAM users should be in at least one group
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

IAM users should be assigned to at least one group in order to comply with the NIST 800-53 Revision 5 security standard. This rule ensures proper management and control of user access permissions and simplifies user administration by applying common permissions to groups rather than individual users.

Troubleshooting Steps:

  1. Identify IAM users without any group association: use the AWS Command Line Interface (CLI) or the AWS Management Console to list all IAM users and their associated groups.
  2. Verify group membership: check whether each IAM user has been assigned to at least one group by reviewing each user's group membership.
  3. Identify missing group associations: determine which IAM users are not part of any group and need to be added to one.

Necessary Codes:

No specific code is required for this rule, but the AWS CLI commands below can be used to automate the troubleshooting steps listed above.

Step-by-Step Remediation:

  1. Identify IAM users without any group association:
     • CLI Command: aws iam list-users
     • Guide:
       • Open a terminal or command prompt.
       • Execute the above CLI command to list all IAM users.
  2. Verify group membership:
     • CLI Command: aws iam list-groups-for-user --user-name <IAM_USER_NAME>
     • Guide:
       • Replace <IAM_USER_NAME> with the username of each IAM user listed in step 1.
       • Execute the above CLI command for each IAM user to list their assigned groups.
       • Verify that the output shows at least one group for each user (an empty "Groups" list means the user violates this rule).
  3. Identify missing group associations. If any IAM user is not part of any group, follow these steps to assign them to a group:
     • CLI Command: aws iam add-user-to-group --user-name <IAM_USER_NAME> --group-name <GROUP_NAME>
     • Guide:
       • Replace <IAM_USER_NAME> with the username of the IAM user.
       • Replace <GROUP_NAME> with the name of the group to which the user will be added. The user inherits every policy attached to that group, so choose the group whose permissions match what the user actually needs.
       • Execute the above CLI command to add the user to the specified group.
  4. Repeat steps 2 and 3 until all IAM users are associated with at least one group.
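Steps 1 and 2 above, automated as an added Python example (not Cloud Defense's or AWS's code): `users_without_groups` consumes JSON in the shape the `aws iam list-users` and `aws iam list-groups-for-user` commands print and returns the users that violate the rule. The sample data is constructed; `--live` is an assumed flag that switches to calling the real CLI.

```python
import json
import subprocess


def aws_iam_json(*args):
    """Run `aws iam <args>` and parse its JSON output.

    Needs the AWS CLI on PATH and credentials allowed to call
    iam:ListUsers and iam:ListGroupsForUser. The CLI paginates
    list-users automatically, so the full user list is returned.
    """
    proc = subprocess.run(["aws", "iam", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def users_without_groups(list_users_output, groups_for_user):
    """Return the sorted names of IAM users whose group list is empty.

    list_users_output: parsed JSON shaped like `aws iam list-users`.
    groups_for_user:   callable(user_name) -> parsed JSON shaped like
                       `aws iam list-groups-for-user --user-name <name>`.
    """
    orphans = []
    for user in list_users_output.get("Users", []):
        name = user["UserName"]
        if not groups_for_user(name).get("Groups", []):
            orphans.append(name)
    return sorted(orphans)


# Constructed sample data in the CLI's JSON shape; not from a real account.
SAMPLE_USERS = {"Users": [{"UserName": "alice"}, {"UserName": "bob"},
                          {"UserName": "carol"}]}
SAMPLE_GROUPS = {
    "alice": {"Groups": [{"GroupName": "Developers"}]},
    "bob": {"Groups": []},                       # violates the rule
    "carol": {"Groups": [{"GroupName": "Auditors"},
                         {"GroupName": "ReadOnly"}]},
}


def sample_groups_for_user(name):
    return SAMPLE_GROUPS.get(name, {"Groups": []})


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv      # query the real account instead of the sample
    users = aws_iam_json("list-users") if live else SAMPLE_USERS
    lookup = (lambda n: aws_iam_json("list-groups-for-user", "--user-name", n)) \
        if live else sample_groups_for_user
    for name in users_without_groups(users, lookup):
        print(f"VIOLATION: {name} is not a member of any IAM group")
```

Run without arguments to see the check against the constructed sample (it reports `bob`); each user printed is a candidate for step 3.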

Conclusion:

By adhering to the NIST 800-53 Revision 5 requirement of assigning IAM users to at least one group, you ensure better control and management over user permissions in your AWS environment. Following the troubleshooting and remediation steps provided above will help you identify and address any violations of this rule.
