Description:

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Rationale:

Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Impact:

Assigning IAM policy only through groups unifies permissions management.

Default Value: 

N/A

Pre-Requisite:

Have IAM user and group

Remediation:

Test Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  2. In the left navigation pane, select Users.

  3. In the Users list you can see whether each user is assigned to any groups.

Using AWS CLI

Perform the following to determine if an inline policy is set or a policy is directly attached to users:

  • Run the following to get a list of IAM users:

    aws iam list-users --query 'Users[*].UserName' --output text

  • For each user returned, run the following commands to determine if any policies are attached to them:

    aws iam list-attached-user-policies --user-name <iam_user>
    aws iam list-user-policies --user-name <iam_user>

  • If any policies are returned, the user has an inline policy or direct policy attachment.

Implementation Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  2. In the navigation pane, click User groups and then click Create group.

  3. In the Group name box, type the name of the group.

  4. Scroll down to the Add users to the group section and select the required users to add.

  5. Attach the required permissions policies to the group.

  6. Click Create group.


  Perform the following to remove a direct association between a user and a policy:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  2. In the left navigation pane, click Users.

  3. For each user:

  4. Select the user, click the Permissions tab, and expand Permissions policies.

  5. Click X for each policy that is not attached through a group.

  6. Click Detach or Remove (depending on policy type).


Using AWS CLI

The following add-user-to-group command adds an IAM user named Bob to the IAM group named Admins:

    aws iam add-user-to-group --user-name Bob --group-name Admins

The following detach-user-policy command removes the managed policy with the ARN arn:aws:iam::123456789012:policy/TesterPolicy from the user Bob:

    aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy
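The Test Plan's CLI checks and the remediation commands above can be combined into a single audit script that reports every user with a direct policy and prints the commands needed to move that user onto group-based permissions. The Python program below is an added example, not code from this page or from AWS. It runs the same aws CLI sub-commands through subprocess, additionally calls list-groups-for-user (a real CLI command not shown above) to record group membership, and for inline policies emits delete-user-policy, because inline policies are deleted rather than detached. The user Alice, the inline policy name BobInlineS3 and the canned CLI responses in SAMPLE_RESPONSES are constructed sample data so the script runs offline; the user Bob, the group Admins and the TesterPolicy ARN are taken from the examples above. Running against a real account assumes the caller holds the matching iam:List* read permissions.

```python
"""Audit IAM users for inline or directly attached policies (added example)."""
import json
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class UserInventory:
    """What the Test Plan collects per user (assumed shape, mirrors CLI JSON)."""
    name: str
    attached_policy_arns: list = field(default_factory=list)  # list-attached-user-policies
    inline_policy_names: list = field(default_factory=list)   # list-user-policies
    groups: list = field(default_factory=list)                # list-groups-for-user


def aws_cli_json(*args):
    """Run one aws CLI sub-command and parse its JSON output (real collection path).

    JSON output is auto-paginated by the CLI, so large user lists come back whole.
    """
    out = subprocess.run(
        ["aws", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out) if out.strip() else {}


def collect_inventory(run=aws_cli_json):
    """Gather, for every IAM user, the same facts the Test Plan's CLI steps produce."""
    users = []
    for u in run("iam", "list-users").get("Users", []):
        name = u["UserName"]
        attached = run("iam", "list-attached-user-policies", "--user-name", name)
        inline = run("iam", "list-user-policies", "--user-name", name)
        groups = run("iam", "list-groups-for-user", "--user-name", name)
        users.append(UserInventory(
            name=name,
            attached_policy_arns=[p["PolicyArn"] for p in attached.get("AttachedPolicies", [])],
            inline_policy_names=inline.get("PolicyNames", []),
            groups=[g["GroupName"] for g in groups.get("Groups", [])],
        ))
    return users


def find_direct_policy_users(users):
    """Return the users that fail the control: any inline or directly attached policy."""
    return [u for u in users if u.attached_policy_arns or u.inline_policy_names]


def remediation_commands(user, target_group):
    """Emit the CLI lines that move a failing user to group-based permissions.

    Managed policies are detached; inline policies must be deleted instead.
    """
    cmds = []
    if target_group not in user.groups:
        cmds.append(f"aws iam add-user-to-group --user-name {user.name} --group-name {target_group}")
    for arn in user.attached_policy_arns:
        cmds.append(f"aws iam detach-user-policy --user-name {user.name} --policy-arn {arn}")
    for pname in user.inline_policy_names:
        cmds.append(f"aws iam delete-user-policy --user-name {user.name} --policy-name {pname}")
    return cmds


# Constructed sample CLI responses (not real account data) so the script runs offline.
SAMPLE_RESPONSES = {
    ("iam", "list-users"): {"Users": [{"UserName": "Bob"}, {"UserName": "Alice"}]},
    ("iam", "list-attached-user-policies", "--user-name", "Bob"): {"AttachedPolicies": [
        {"PolicyName": "TesterPolicy",
         "PolicyArn": "arn:aws:iam::123456789012:policy/TesterPolicy"}]},
    ("iam", "list-user-policies", "--user-name", "Bob"): {"PolicyNames": ["BobInlineS3"]},
    ("iam", "list-groups-for-user", "--user-name", "Bob"): {"Groups": []},
    ("iam", "list-attached-user-policies", "--user-name", "Alice"): {"AttachedPolicies": []},
    ("iam", "list-user-policies", "--user-name", "Alice"): {"PolicyNames": []},
    ("iam", "list-groups-for-user", "--user-name", "Alice"): {"Groups": [{"GroupName": "Admins"}]},
}


def sample_run(*args):
    """Stand-in for aws_cli_json that answers from the constructed responses."""
    return SAMPLE_RESPONSES[tuple(args)]


if __name__ == "__main__":
    # "python audit.py --sample" uses the constructed data; without the flag it calls the real CLI.
    runner = sample_run if "--sample" in sys.argv else aws_cli_json
    target_group = "Admins"  # assumed target group; pick the group matching the user's role
    for user in find_direct_policy_users(collect_inventory(runner)):
        print(f"FAIL {user.name}: attached={user.attached_policy_arns} inline={user.inline_policy_names}")
        for cmd in remediation_commands(user, target_group):
            print("  " + cmd)
```

The script only prints the remediation commands rather than executing them, so the output can be reviewed against the intended group design before any policy is detached or deleted.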

Backout Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  2. In the navigation pane, click User groups.

  3. Select the desired group and click Delete.

  4. Type the group name to confirm deletion and click Delete.

Using AWS CLI

  • The following delete-group command deletes an IAM group named MyTestGroup:

    aws iam delete-group --group-name MyTestGroup

Reference:

iam — AWS CLI 1.27.30 Command Reference (amazon.com)

Managed policies and inline policies - AWS Identity and Access Management (amazon.com)