Profile Applicability:
Level 2
Description:
For multi-account AWS environments, human access should be managed centrally rather than through standalone IAM users created in each account, using either:
Identity Federation (e.g., AWS IAM Identity Center, Okta, Microsoft Entra ID, or a custom SAML 2.0 or OIDC provider).
AWS Organizations (centrally managed cross-account IAM roles, assumed from the management account or from the identity provider, instead of standalone IAM users in member accounts).
Rationale:
Reduces IAM complexity: one directory, one set of groups, and one place to grant and revoke access.
Improves security by replacing long-lived IAM user credentials (console passwords and access keys) with short-lived role sessions, and by preventing duplicate or orphaned user accounts across AWS accounts.
Simplifies auditing and compliance: federated sessions carry the identity from the IdP into CloudTrail, so activity can be traced to one person across all accounts.
Aligns with CIS, NIST, and ISO 27001 guidance for centralized identity and access management.
Impact:
Removing standalone IAM users may disrupt access, including automation that uses their access keys, if not properly planned.
Requires an identity source for single sign-on: either the built-in IAM Identity Center directory or an external identity provider (IdP).
AWS Organizations must be properly set up (every account a member, with service control policies enabled) to prevent IAM user sprawl.
Default Value:
By default:
AWS does not enforce centralized IAM user management.
Any AWS account can create its own IAM users, leading to fragmented identity management.
Pre-Requisites:
IAM Administrator or AWS Organizations Admin Access
Permissions: iam:ListUsers, iam:ListAccessKeys, iam:GetLoginProfile, organizations:DescribeOrganization, organizations:ListAccounts, sso:ListInstances
AWS Organizations Setup
Ensure all AWS accounts are member accounts of one organization under the management account (formerly called the master account).
Identity Provider (IdP) Integration (Optional)
Supported providers: AWS IAM Identity Center (built-in directory), Okta, Microsoft Entra ID (Azure AD), Google Workspace, Ping Identity, etc.
AWS IAM Identity Center enabled in the management account (or in a delegated administrator account) for role-based access across accounts.
Remediation:
Test Plan:
Using AWS console
Log in to the AWS Console as an IAM administrator in the management account.
Open the AWS Organizations console → Verify that all accounts are listed as active members.
Ensure a service control policy (SCP) denies IAM user creation in member accounts.
Using Identity Federation (SSO)
Log in to the AWS Console in the account that holds the identity provider configuration (the management account or the IAM Identity Center delegated administrator).
Navigate to the IAM console → Identity providers (for SAML/OIDC federation), or to the IAM Identity Center console (it is a separate console, not a page within IAM).
Verify the IdP configuration (SAML, OIDC, or the IAM Identity Center identity source).
In each member account, open IAM → Users and ensure no IAM users exist apart from documented service accounts.
Using AWS Command Line
- Check for IAM users in each AWS account. The command only covers the account whose credentials are in use, so run it in every member account (for example through an assumed cross-account role):
aws iam list-users --query 'Users[*].[UserName,PasswordLastUsed]' --output table
- If any individual IAM users exist, they must be migrated to IAM roles or SSO access.
- Check AWS Organizations status from the management account:
aws organizations describe-organization
- If the account is not part of an organization, the command fails with AWSOrganizationsNotInUseException and IAM users must be managed per account.
- Check if IAM Identity Center is enabled. IAM Identity Center is a single-region service, so run this in its home region (or pass --region); in any other region the list is empty even when Identity Center is enabled:
aws sso-admin list-instances
- If no instance is listed, configure IAM Identity Center for centralized access.
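The per-account list-users check above has to be repeated in every member account, and a bare user list does not say which users are humans and which are service accounts. The following script is an added example, not part of the benchmark text: from the management account it walks every active member account of the organization, assumes a cross-account role there, and classifies each IAM user by whether it has a console password and whether it holds access keys. It assumes boto3 is installed, that management-account credentials are available, and that each member account has the default OrganizationAccountAccessRole (an assumption; substitute your own audit role). The sample users at the bottom are constructed so the classifier can be exercised offline.

```python
"""Added example (not part of the benchmark): audit every account in an AWS
Organization for standalone IAM users and classify them for migration."""
from datetime import datetime, timedelta, timezone

AUDIT_ROLE_NAME = "OrganizationAccountAccessRole"  # assumption: default member-account role


def classify_user(user, now, stale_days=90):
    """Classify one annotated IAM user record.

    `user` has the keys of an iam:ListUsers entry (UserName, optional
    PasswordLastUsed) plus 'HasLoginProfile' (bool) and 'AccessKeyIds' (list),
    as built by annotate_users(). A console login profile marks a human;
    access keys alone mark a service account.
    Returns one of 'console', 'dormant', 'service', 'unused'.
    """
    if user.get("HasLoginProfile"):
        last = user.get("PasswordLastUsed")  # absent if the password was never used
        if last is None or now - last > timedelta(days=stale_days):
            return "dormant"   # human account nobody logs in to: delete after review
        return "console"       # active human: move to IAM Identity Center
    if user.get("AccessKeyIds"):
        return "service"       # programmatic only: move to an IAM role
    return "unused"            # no credentials at all: safe to delete


def summarize(users, now):
    """Count users per class; this is the per-account report."""
    counts = {"console": 0, "dormant": 0, "service": 0, "unused": 0}
    for user in users:
        counts[classify_user(user, now)] += 1
    return counts


def annotate_users(iam):
    """Fetch all IAM users of one account (boto3 IAM client) and record
    whether each has a console password and which access keys it holds."""
    from botocore.exceptions import ClientError
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            try:
                iam.get_login_profile(UserName=name)
                user["HasLoginProfile"] = True
            except ClientError as err:
                if err.response["Error"]["Code"] != "NoSuchEntity":
                    raise
                user["HasLoginProfile"] = False
            keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
            user["AccessKeyIds"] = [k["AccessKeyId"] for k in keys]
            users.append(user)
    return users


def audit_organization(role_name=AUDIT_ROLE_NAME):
    """Walk every active member account via sts:AssumeRole and return
    {account_id: class counts}. The management account is audited directly,
    because the member role does not exist there."""
    import boto3
    org, sts = boto3.client("organizations"), boto3.client("sts")
    home = sts.get_caller_identity()["Account"]
    now = datetime.now(timezone.utc)
    report = {}
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Status"] != "ACTIVE":
                continue
            if acct["Id"] == home:
                iam = boto3.client("iam")
            else:
                creds = sts.assume_role(
                    RoleArn=f"arn:aws:iam::{acct['Id']}:role/{role_name}",
                    RoleSessionName="iam-user-audit")["Credentials"]
                iam = boto3.client("iam",
                                   aws_access_key_id=creds["AccessKeyId"],
                                   aws_secret_access_key=creds["SecretAccessKey"],
                                   aws_session_token=creds["SessionToken"])
            report[acct["Id"]] = summarize(annotate_users(iam), now)
    return report


# Constructed sample data (not from any real account) so the classifier can be
# exercised offline; the shape matches what annotate_users() produces.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "alice", "HasLoginProfile": True,
     "PasswordLastUsed": SAMPLE_NOW - timedelta(days=3), "AccessKeyIds": []},
    {"UserName": "bob", "HasLoginProfile": True,
     "PasswordLastUsed": SAMPLE_NOW - timedelta(days=200), "AccessKeyIds": []},
    {"UserName": "ci-deploy", "HasLoginProfile": False,
     "AccessKeyIds": ["AKIAEXAMPLEKEY00001"]},
    {"UserName": "leftover", "HasLoginProfile": False, "AccessKeyIds": []},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_USERS, SAMPLE_NOW))  # offline demonstration
    # print(audit_organization())              # live run from the management account
```

Any account that reports a non-zero count of console or dormant users fails the check; service users are the ones that need a role-based replacement before the SCP in the remediation is enforced.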
Implementation Steps:
Step 1: Enable AWS Organizations for Centralized IAM Management
Log in to the AWS Console as an administrator of the account that will become the management account.
Open the AWS Organizations console → Create an organization (choose "all features" so that service control policies are available).
Invite existing AWS accounts, or create new ones, so that every account is a member of the organization.
Step 2: Enable IAM Identity Center (AWS SSO) for Centralized Login
Open the IAM Identity Center console (a separate console, not a page within IAM) in the region that will be its home region.
Click Enable IAM Identity Center.
Choose an identity source: the built-in Identity Center directory or an external identity provider (Okta, Entra ID, etc.) connected via SAML 2.0, with SCIM for user and group provisioning.
Create permission sets (Identity Center provisions a matching IAM role in each target account) and assign users or groups to accounts with those permission sets.
Step 3: Remove IAM Users from AWS Accounts
Identify IAM users that are not service accounts (human users have a console login profile; service accounts typically hold only access keys).
Migrate human users to IAM Identity Center (or SAML/OIDC federation) and service accounts to IAM roles attached to the workload that needs them.
Delete the IAM users that are no longer needed. delete-user fails while the user still has access keys, a console password, MFA devices, group memberships, or attached or inline policies, so remove those first:
aws iam delete-user --user-name <user-name>
Attach a service control policy (SCP) from the management account so that member accounts cannot create new IAM users (SCPs do not apply to the management account itself; iam:CreateAccessKey and iam:CreateLoginProfile can be added to the same statement to stop new credentials being issued to any users that remain):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserCreation",
      "Effect": "Deny",
      "Action": "iam:CreateUser",
      "Resource": "*"
    }
  ]
}
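Step 3 glosses over the part that usually breaks in practice: iam:DeleteUser refuses to remove a user that still owns credentials, MFA devices, group memberships or policies. The script below is an added example, not part of the benchmark, that snapshots every such dependency of one user with boto3, builds an ordered removal plan (credentials first, so the account stops being usable even if a later step fails, the user record last) and applies it. It assumes boto3 is installed and credentials with the relevant iam:* permissions on the target user; the sample snapshot at the bottom is constructed for an offline dry run.

```python
"""Added example (not part of the benchmark): remove an IAM user together
with everything that would otherwise make iam:DeleteUser fail."""


def snapshot_user(iam, name):
    """Collect, via a boto3 IAM client, every dependency that blocks deletion."""
    from botocore.exceptions import ClientError
    try:
        iam.get_login_profile(UserName=name)
        has_login = True
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchEntity":
            raise
        has_login = False
    service_creds = iam.list_service_specific_credentials(UserName=name)
    return {
        "UserName": name,
        "HasLoginProfile": has_login,
        "AccessKeyIds": [k["AccessKeyId"] for k in
                         iam.list_access_keys(UserName=name)["AccessKeyMetadata"]],
        "MfaSerials": [d["SerialNumber"] for d in
                       iam.list_mfa_devices(UserName=name)["MFADevices"]],
        "SigningCertificateIds": [c["CertificateId"] for c in
                                  iam.list_signing_certificates(UserName=name)["Certificates"]],
        "SshPublicKeyIds": [k["SSHPublicKeyId"] for k in
                            iam.list_ssh_public_keys(UserName=name)["SSHPublicKeys"]],
        "ServiceCredentialIds": [c["ServiceSpecificCredentialId"] for c in
                                 service_creds["ServiceSpecificCredentials"]],
        "Groups": [g["GroupName"] for g in
                   iam.list_groups_for_user(UserName=name)["Groups"]],
        "AttachedPolicyArns": [p["PolicyArn"] for p in
                               iam.list_attached_user_policies(UserName=name)["AttachedPolicies"]],
        "InlinePolicyNames": iam.list_user_policies(UserName=name)["PolicyNames"],
    }


def removal_plan(snap):
    """Return the ordered (boto3 IAM method name, kwargs) calls that remove
    every dependency and finally the user."""
    name = snap["UserName"]
    plan = [("delete_access_key", {"UserName": name, "AccessKeyId": k})
            for k in snap.get("AccessKeyIds", [])]
    if snap.get("HasLoginProfile"):
        plan.append(("delete_login_profile", {"UserName": name}))
    for serial in snap.get("MfaSerials", []):
        plan.append(("deactivate_mfa_device", {"UserName": name, "SerialNumber": serial}))
        if serial.startswith("arn:"):  # virtual devices are IAM resources of their own
            plan.append(("delete_virtual_mfa_device", {"SerialNumber": serial}))
    plan += [("delete_signing_certificate", {"UserName": name, "CertificateId": c})
             for c in snap.get("SigningCertificateIds", [])]
    plan += [("delete_ssh_public_key", {"UserName": name, "SSHPublicKeyId": k})
             for k in snap.get("SshPublicKeyIds", [])]
    plan += [("delete_service_specific_credential",
              {"UserName": name, "ServiceSpecificCredentialId": c})
             for c in snap.get("ServiceCredentialIds", [])]
    plan += [("remove_user_from_group", {"GroupName": g, "UserName": name})
             for g in snap.get("Groups", [])]
    plan += [("detach_user_policy", {"UserName": name, "PolicyArn": a})
             for a in snap.get("AttachedPolicyArns", [])]
    plan += [("delete_user_policy", {"UserName": name, "PolicyName": p})
             for p in snap.get("InlinePolicyNames", [])]
    plan.append(("delete_user", {"UserName": name}))
    return plan


def execute_plan(iam, plan, dry_run=True):
    """Apply the plan in order; with dry_run only the method names are returned."""
    done = []
    for method, kwargs in plan:
        if not dry_run:
            getattr(iam, method)(**kwargs)
        done.append(method)
    return done


# Constructed sample snapshot (no real account) for an offline dry run.
SAMPLE_SNAPSHOT = {
    "UserName": "bob", "HasLoginProfile": True,
    "AccessKeyIds": ["AKIAEXAMPLEKEY00002"],
    "MfaSerials": ["arn:aws:iam::111122223333:mfa/bob"],
    "SigningCertificateIds": [], "SshPublicKeyIds": [], "ServiceCredentialIds": [],
    "Groups": ["developers"],
    "AttachedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "InlinePolicyNames": ["s3-bucket-access"],
}

if __name__ == "__main__":
    for step in execute_plan(None, removal_plan(SAMPLE_SNAPSHOT)):
        print(step)
    # Live run: import boto3; iam = boto3.client("iam")
    # execute_plan(iam, removal_plan(snapshot_user(iam, "bob")), dry_run=False)
```

Run the dry run first and review the plan for each user; a user whose plan contains delete_access_key is one whose keys may still be in use by automation, which is the case the Impact section warns about.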
Backout Plan:
If IAM users were mistakenly deleted:
Recreate the user in IAM. This creates a new principal: the old access keys, console password, and MFA registration cannot be recovered and must be reissued, and any policy that referenced the old user ARN must be updated.
aws iam create-user --user-name <user-name>
Manually restore group memberships, attached and inline policies, and any required credentials for the recreated user.
To reduce the need for this, deactivate the user's access keys and remove the console password first, wait for a soak period, and only then delete. Ensure AWS Organizations and identity federation are working before enforcing the SCP.
References:
AWS Organizations Best Practices: AWS Docs
AWS IAM Identity Center Setup: AWS Docs
Enforcing IAM Identity Federation: AWS Security Blog