Profile Applicability: Level 1


Description

You know user group is a collection of users. You can use user groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users.

An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any credentials associated with it.

IAM policies mean to give privilege to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not to users. Policies let you specify who has access to AWS resources, and what actions they can perform on those resources. In other words, we can say you can use policies to control what the person making the principal is allowed to do.


Rationale

 When we give the privilege at the group or role level we try to reduce the complexity of access management as the number of users grows. Here You can create groups, attach the necessary policies for each group, then add IAM users to these groups as needed.  For improved efficiency and security, use managed policies whenever possible, attaching them to groups or roles but not to users.


Impact

These policies can make it easier to manage the permission for multiple users. Minimize the complexity to give access or permission to use resources or services to the user.


Default Value

By default, IAM users, groups, and roles have no access to AWS resources.


Pre-Requisite

  1. Log in as an Administrator to perform the below steps

  2. After auditing, if the policies are directly associated with a user then perform the implementation steps.

  3. If a User Group is not created then create an IAM user group and assign the policy to that group and then add the user to the newly created group.


Remediation:


Test Plan: 

Using AWS Console:

  1. Log in to the AWS Management Console

  2. Navigate to IAM service https://console.aws.amazon.com/iam/

  3. Click on User in the left navigation pane and check how many policies are attached individually to the users

  4. Select any user to check policies are attach to the user 

  5. In the permission tab, you can see the policy attached from the group


Using AWS CLI:

  1. Run the following to get a list of IAM users
    aws iam list-users --query ‘Users[*].UserName’ --output text

  2. For each user returned, run the following command to determine if any policies are attached to them
    aws iam list-attached-user-policies --user-name <iam user>
    aws iam list-user-policies --user-name <iam user>

  3. If any policies are returned, the user has a direct policy attachment.


Implementation Steps

Perform the following to create an IAM group and assign a policy to it:

  1. Sign in to the AWS Management Console as an Admin user and open the IAM console https://console.aws.amazon.com/iam/.
  2. Click User Groups in the left navigation pane and
  3. Then click Create Group.
  4.  Type the name of the group in the Group Name box and scroll down
  5. You can attach the policy while creating the user group or else you can also attach the policy after creating a group.
  6. Click on Create Group button at bottom of the right side 
  7. Click User Groups in the left navigation pane.
  8. Select the group to add a user 
  9. Click Add Users To Group
  10. Select the users to be added to the group and Click Add Users

Perform the following to remove directly attached policies to the user

  1. Sign in to the AWS Management Console as an Admin user and open the IAM console https://console.aws.amazon.com/iam/
  2. Click on Users in the left navigation pane.
    For each user: select user one by one and perform the below steps
  3.  Click on the Permission tab 
  4. Expand Managed Policies and Click Detach Policy for each policy
  5.  Expand Inline Policies
  6.  Click Remove Policy for each policy

Using AWS CLI:

The following create-role command creates a role named Test-Role and attaches a trust policy to it

aws iam create-role --role-name admin --assume-role-policy-document file://admin-Role-Trust-Policy.json



Backout Plan

Following steps to remove the User groups:

  1. Sign in to the AWS Management Console as an Admin user and open the IAM console https://console.aws.amazon.com/iam/.
  2. Go to the Users group in the left navigation pane
  3. Select the User group which you want to delete and click on the Delete button
  4. For confirmation enter the group name in the text field and then click on the Delete button
    Now the group has been removed from the User group table

References

  1. Controlling access to AWS resources using policies - AWS Identity and Access Management  

  2. create-role — AWS CLI 1.19.97 Command Reference 


CIS Controls:

16. Account Monitoring and Control 

Account Monitoring and Control