Description:
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
Rationale:
Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.
Impact:
Permissions are managed in one place, the group, instead of per user. Any user that currently holds a directly attached or inline policy must have an equivalent policy placed on a group before the direct policy is removed, otherwise that user loses the access.
Default Value:
N/A
Pre-Requisite:
An IAM user and an IAM group must already exist.
Remediation:
Test Plan:
AWS Console Process
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the left navigation pane, select Users.
- The user list shows the groups each user belongs to. Select each user and open the Permissions tab: every policy listed there should be inherited from a group. Any managed policy attached directly to the user, or any inline policy embedded in the user, is a finding.
Using AWS CLI
Perform the following to determine whether a user has an inline policy or a managed policy attached directly to it:
Run the following to get a list of IAM users:
aws iam list-users --query 'Users[*].UserName' --output text
For each user returned, run both of the following commands. The first lists managed policies attached directly to the user; the second lists inline policies embedded in the user:
aws iam list-attached-user-policies --user-name <iam_user>
aws iam list-user-policies --user-name <iam_user>
If either command returns any policy, the user has a direct policy attachment or an inline policy and fails the check.
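The loop above, automated. This is an added example and not part of the original page: it issues the same AWS CLI calls the test plan lists through subprocess, and keeps the pass/fail decision in a pure function so it can be exercised offline on constructed responses. It assumes `aws` is on PATH with credentials allowed to call the IAM List APIs; the user "Alice" and the inline policy name "S3ReadInline" in the sample data are made up, while "Bob" and the TesterPolicy ARN are the page's own.

```python
"""Audit every IAM user for policies attached directly to the user.

Added example, not from the original page. It issues the same AWS CLI calls
the test plan lists (list-users, list-attached-user-policies,
list-user-policies) through subprocess and keeps the pass/fail decision in
a pure function, so the logic can be exercised offline on constructed input.
Assumes `aws` is on PATH with credentials that can call the IAM List APIs.
"""
import json
import subprocess
from typing import Dict, List

Findings = Dict[str, List[str]]


def aws_json(*args: str) -> dict:
    """Run an AWS CLI command and parse its JSON output. The CLI follows
    pagination markers itself, so list-users returns every user."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def direct_policies(attached: dict, inline: dict) -> Findings:
    """Decide what a single user holds outside of group membership.

    `attached` is the JSON of list-attached-user-policies, shaped
    {"AttachedPolicies": [{"PolicyName": ..., "PolicyArn": ...}, ...]};
    `inline` is the JSON of list-user-policies, shaped {"PolicyNames": [...]}.
    Both lists must be empty for the user to pass the check.
    """
    return {
        "attached": [p["PolicyArn"] for p in attached.get("AttachedPolicies", [])],
        "inline": list(inline.get("PolicyNames", [])),
    }


def is_compliant(findings: Findings) -> bool:
    """True when the user receives permissions only through groups."""
    return not findings["attached"] and not findings["inline"]


def audit_account() -> Dict[str, Findings]:
    """Return {user_name: findings} for every non-compliant user (live call)."""
    offenders: Dict[str, Findings] = {}
    for user in aws_json("iam", "list-users")["Users"]:
        name = user["UserName"]
        findings = direct_policies(
            aws_json("iam", "list-attached-user-policies", "--user-name", name),
            aws_json("iam", "list-user-policies", "--user-name", name),
        )
        if not is_compliant(findings):
            offenders[name] = findings
    return offenders


# Constructed sample responses for an offline run. The managed-policy ARN is
# the one the page uses; the inline policy name "S3ReadInline" and the user
# "Alice" are made up for this example.
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "TesterPolicy",
     "PolicyArn": "arn:aws:iam::123456789012:policy/TesterPolicy"}]}
SAMPLE_INLINE = {"PolicyNames": ["S3ReadInline"]}
SAMPLE_CLEAN_ATTACHED = {"AttachedPolicies": []}
SAMPLE_CLEAN_INLINE = {"PolicyNames": []}


def demo() -> Dict[str, Findings]:
    """Run the decision logic on the constructed samples (no AWS access needed)."""
    return {
        "Bob": direct_policies(SAMPLE_ATTACHED, SAMPLE_INLINE),
        "Alice": direct_policies(SAMPLE_CLEAN_ATTACHED, SAMPLE_CLEAN_INLINE),
    }


if __name__ == "__main__":
    import sys
    results = audit_account() if "--live" in sys.argv else demo()
    for name, f in results.items():
        status = "PASS" if is_compliant(f) else "FAIL"
        print(f"{status} {name}: attached={f['attached']} inline={f['inline']}")
```

Run it without arguments to see the decision logic on the constructed samples, and with `--live` to walk the real account. A user that appears in the output with either list non-empty is exactly a user the CLI steps above would flag.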
Implementation Plan:
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, click User groups and then click Create group.
- In the Group name box, type the name of the group.
- Scroll down to the Add users to the group section and select the users to add.
- Attach the required permissions policies to the group.
- Click Create group.
Perform the following to remove a direct association between a user and a policy:
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the left navigation pane, click Users.
For each user:
- Select the user, click the Permissions tab, and expand Permissions policies.
- Click the X next to each policy that is not inherited from a group.
- Click Detach or Remove (depending on the policy type).
Confirm that a group the user belongs to already carries an equivalent policy before removing it from the user; otherwise the user loses that access.
Using AWS CLI
The following add-user-to-group command adds an IAM user named Bob to the IAM group named Admins:
aws iam add-user-to-group --user-name Bob --group-name Admins
The following detach-user-policy command removes the managed policy with the ARN arn:aws:iam::123456789012:policy/TesterPolicy from the user Bob:
aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy
Inline policies are not detached but deleted from the user, using the delete-user-policy command. In both cases attach (or put) the equivalent policy on the group before removing it from the user so the change does not interrupt access.
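The whole migration for one user, in the order that avoids a gap in access. This is an added example and not the page's own code: it builds the AWS CLI commands (attach-group-policy, put-group-policy, add-user-to-group, detach-user-policy, delete-user-policy) as a plan, prints them as a dry run, and only executes them when asked. Bob, Admins and the TesterPolicy ARN are the page's names; the inline policy "S3ReadInline", its policy document and the bucket name are constructed. It assumes the group already exists, that every member of that group is meant to hold these permissions (a policy attached to the group applies to all members), and that the inline policy document was fetched beforehand with get-user-policy.

```python
"""Move a user's directly attached and inline policies onto a group, then
remove them from the user.

Added example, not from the original page. Bob, Admins and the TesterPolicy
ARN are the page's own names; the inline policy "S3ReadInline", its
document and the bucket name are constructed. Assumes the group already
exists and that every member of that group is meant to hold these
permissions, since attaching a policy to the group grants it to all members.
"""
import json
import shlex
import subprocess
from typing import Dict, List

Argv = List[str]


def plan_migration(user: str, group: str, attached_arns: List[str],
                   inline_docs: Dict[str, dict]) -> List[Argv]:
    """Return the ordered AWS CLI commands that make `user` hold the given
    policies only through `group`.

    Grants on the group come first and removals from the user last, so the
    user never loses access between steps. `inline_docs` maps an inline
    policy name to its document (the PolicyDocument that get-user-policy
    returns for that name).
    """
    cmds: List[Argv] = []
    for arn in attached_arns:
        cmds.append(["aws", "iam", "attach-group-policy",
                     "--group-name", group, "--policy-arn", arn])
    for name, doc in inline_docs.items():
        cmds.append(["aws", "iam", "put-group-policy",
                     "--group-name", group, "--policy-name", name,
                     "--policy-document", json.dumps(doc)])
    cmds.append(["aws", "iam", "add-user-to-group",
                 "--user-name", user, "--group-name", group])
    for arn in attached_arns:
        cmds.append(["aws", "iam", "detach-user-policy",
                     "--user-name", user, "--policy-arn", arn])
    for name in inline_docs:
        cmds.append(["aws", "iam", "delete-user-policy",
                     "--user-name", user, "--policy-name", name])
    return cmds


def grants_precede_removals(cmds: List[Argv]) -> bool:
    """Safety check: no group grant may appear after a removal from the user."""
    removing = {"detach-user-policy", "delete-user-policy"}
    granting = {"attach-group-policy", "put-group-policy"}
    seen_removal = False
    for argv in cmds:
        op = argv[2]
        if op in removing:
            seen_removal = True
        elif seen_removal and op in granting:
            return False
    return True


def run(cmds: List[Argv], execute: bool = False) -> int:
    """Dry run by default (prints shell-quoted commands); execute=True runs them.
    Returns the number of commands in the plan."""
    for argv in cmds:
        print(shlex.join(argv))
        if execute:
            subprocess.run(argv, check=True)
    return len(cmds)


# Constructed inline policy document for the demonstration.
SAMPLE_INLINE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
SAMPLE_PLAN = plan_migration(
    "Bob", "Admins",
    ["arn:aws:iam::123456789012:policy/TesterPolicy"],
    {"S3ReadInline": SAMPLE_INLINE_DOC},
)

if __name__ == "__main__":
    import sys
    assert grants_precede_removals(SAMPLE_PLAN)
    run(SAMPLE_PLAN, execute="--execute" in sys.argv)
```

Without `--execute` the script only prints the five commands, which is a convenient way to review exactly what will change before touching the account. Re-run the audit from the test plan afterwards to confirm that the user no longer has anything attached directly.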
Backout Plan:
AWS Console Process
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, click User groups.
Select the desired group and click Delete.
- Type the group name to confirm deletion and click Delete.
Deleting the group removes the access its members received through it. If those users still need that access, attach the required policies to the users again before deleting the group.
Using AWS CLI
The following delete-group command deletes an IAM group named MyTestGroup:
aws iam delete-group --group-name MyTestGroup
The command fails while the group still has members or policies: remove the users with remove-user-from-group and detach or delete the group's policies first.
Reference:
iam — AWS CLI 1.27.30 Command Reference (amazon.com)
Managed policies and inline policies - AWS Identity and Access Management (amazon.com)