Description:
This policy ensures that logical user access is revoked upon termination. This is important for security, as it helps to prevent unauthorized access to AWS resources after a user has been terminated.
Rationale:
When a user is terminated, their IAM user account is deleted. However, if the user had been granted permissions to AWS resources, those permissions will still be in effect. This means that a terminated user could still access AWS resources, even though they are no longer employed by the organization.
Impact:
The impact of ensuring that logical user access is revoked upon termination will vary depending on the specific organization. However, in general, this policy will help to improve the security of the organization's AWS resources and reduce the risk of unauthorized access.
Default Value:
AWS will initially recommend that organizations revoke logical user access upon termination. However, the specific implementation of this policy will vary depending on the organization's specific needs.
Pre-requisites:
To ensure that logical user access is revoked upon termination, the following pre-requisites must be met:
- The organization must have an AWS account.
- The organization must have the appropriate permissions to manage IAM users.
- The organization must have a process for revoking logical user access upon termination.
Remediation Steps:
If logical user access is not being revoked upon termination, the organization must take steps to remediate the issue. The remediation steps will vary depending on the specific situation.
Test Plan:
The organization should develop a test plan to verify that logical user access is being revoked upon termination. The test plan should include steps to verify that the revocation process is working properly, and that all terminated users have had their access revoked.
Implementation Plan:
The organization should develop an implementation plan to ensure that logical user access is revoked upon termination. The implementation plan should include steps to develop a process for revoking logical user access upon termination, and to train employees on the process.
AWS CLI Process:
To revoke logical user access upon termination using the AWS CLI, the following command can be used:
aws iam detach-user-policy --user-name <user-name> --policy-arn <policy-arn>
This command will detach the specified policy from the specified user.
Using AWS GUI:
To revoke logical user access upon termination using the AWS GUI, the following steps can be followed:
- Go to the AWS IAM console.
- Click on the "Users" tab.
- Click on the name of the user that you want to revoke access from.
- Click on the "Permissions" tab.
- Click on the "Detach Policy" button.
- Select the policy that you want to detach.
- Click on the "Detach Policy" button.
Backout Plan:
If the policy to ensure that logical user access is revoked upon termination is not working properly, the organization may need to back out of the policy. To do this, the organization can re-attach the policy to the user.
Note:
- This policy is not intended to be a comprehensive guide to revoking logical user access upon termination. For more information, please refer to the AWS IAM documentation.
- This policy is subject to change.
Reference:
- AWS IAM documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Section 2:
- Tags and Keywords: IAM, users, access, termination, least privilege