Description:
This policy ensures that periodic IAM user access reviews are performed so that users hold only the permissions they need to do their jobs. This matters for security because it reduces the risk of unauthorized access to AWS resources.
Rationale:
IAM users can be granted a wide range of permissions, from read-only access to full administrative access. It is important to regularly review IAM user permissions to ensure that users only have the permissions they need to do their jobs. This helps to reduce the risk of unauthorized access to AWS resources, and it also helps to simplify the management of IAM permissions.
Impact:
The impact of ensuring that periodic IAM user access reviews are performed will vary depending on the specific organization. However, in general, this policy will help to improve the security of the organization's AWS resources and reduce the risk of unauthorized access.
Default Value:
AWS recommends that organizations perform periodic IAM user access reviews. However, the frequency of these reviews will vary depending on the organization's risk tolerance and the sensitivity of the data that is stored in AWS.
Pre-requisites:
To ensure that periodic IAM user access reviews are performed, the following pre-requisites must be met:
- The organization must have an AWS account.
- The organization must have the appropriate permissions to manage IAM users.
- The organization must have a process for performing IAM user access reviews.
Remediation Steps:
If periodic IAM user access reviews are not being performed, the organization must take steps to remediate the issue. The remediation steps will vary depending on the specific situation.
Test Plan:
The organization should develop a test plan to verify that periodic IAM user access reviews are being performed. The test plan should include steps to verify that the reviews are being performed on a regular basis, and that the reviews are being performed effectively.
Implementation Plan:
The organization should develop an implementation plan to ensure that periodic IAM user access reviews are performed. The implementation plan should include steps to develop a process for performing IAM user access reviews, and to train employees on the process.
AWS CLI Process:
To ensure that periodic IAM user access reviews are performed using the AWS CLI, the following command can be used:
aws iam list-users
This command lists all of the IAM users in the AWS account. The organization can then review the permissions that have been granted to each user and make sure that each user only has the permissions they need to do their job.
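As an added example that is not part of this policy document, the following script triages the JSON that `aws iam list-users` and `aws iam list-attached-user-policies --user-name <name>` print (run with `--output json`), flagging users with no recent console login and users carrying broad managed policies so the reviewer knows where to look first. The idle threshold and the list of "broad" policy names are assumptions; the sample data is constructed, not real account output.

```python
"""Triage helper for an IAM user access review (added example, not AWS code)."""
import json
from datetime import datetime, timedelta

# Managed-policy names that warrant a closer look during review (assumed list).
BROAD_POLICIES = {"AdministratorAccess", "PowerUserAccess", "IAMFullAccess"}

def parse_aws_time(value):
    # AWS CLI prints timestamps like 2024-03-01T10:15:00+00:00 (or ending in Z).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_users(list_users_json, now, max_idle_days=90):
    """Return names of users with no console login within max_idle_days.

    A user with no PasswordLastUsed field is also reported: the password was
    never used or the user has no console password, and the reviewer should
    confirm which (for example by checking access-key usage instead).
    """
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for user in json.loads(list_users_json)["Users"]:
        last = user.get("PasswordLastUsed")
        if last is None or parse_aws_time(last) < cutoff:
            flagged.append(user["UserName"])
    return flagged

def broad_policies(attached_policies_json):
    """Return names of attached managed policies that are in BROAD_POLICIES."""
    policies = json.loads(attached_policies_json)["AttachedPolicies"]
    return [p["PolicyName"] for p in policies if p["PolicyName"] in BROAD_POLICIES]

# Constructed sample of `aws iam list-users` output.
SAMPLE_USERS = json.dumps({"Users": [
    {"UserName": "alice", "PasswordLastUsed": "2024-05-20T08:00:00+00:00"},
    {"UserName": "bob", "PasswordLastUsed": "2023-11-02T17:30:00+00:00"},
    {"UserName": "svc-backup"},
]})
# Constructed sample of `aws iam list-attached-user-policies --user-name bob`.
SAMPLE_BOB_POLICIES = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    {"PolicyName": "AmazonS3ReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
]})

if __name__ == "__main__":
    review_date = parse_aws_time("2024-06-01T00:00:00+00:00")
    print("stale users:", stale_users(SAMPLE_USERS, review_date))
    print("broad policies on bob:", broad_policies(SAMPLE_BOB_POLICIES))
```

To run it against a real account, replace the constructed samples with the files produced by `aws iam list-users --output json` and the per-user `list-attached-user-policies` calls; inline policies and group memberships still need a separate look.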
Using AWS GUI:
To ensure that periodic IAM user access reviews are performed using the AWS GUI, the following steps can be followed:
- Go to the AWS IAM console.
- Click on the "Users" tab.
- Click on the name of the user that you want to review.
- Click on the "Permissions" tab.
- Review the permissions that have been granted to the user.
- Make sure that the user only has the permissions they need to do their jobs.
Backout Plan:
If the policy to ensure that periodic IAM user access reviews are performed is not working properly, the organization may need to back out of the policy. To do this, the organization can stop performing IAM user access reviews.
Note:
- This policy is not intended to be a comprehensive guide to performing IAM user access reviews. For more information, please refer to the AWS IAM documentation.
- This policy is subject to change.
Reference:
- AWS IAM documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Section 2:
- Tags and Keywords: IAM, users, access, reviews, least privilege