Profile Applicability:
Level 2
Description:
IAM (Identity and Access Management) is the AWS service used to manage user access to AWS resources. Console access refers to the ability of an IAM user to sign in to the AWS Management Console, the web-based interface for managing AWS services, with a password; in IAM terms the user has a login profile. If an IAM user no longer requires console access, the login profile should be removed so that only users with a current need can sign in interactively.
Rationale:
Disabling unused user console access ensures that inactive or unnecessary accounts cannot access the AWS Management Console, reducing the attack surface and minimizing the risk of unauthorized access. This practice aligns with security best practices, such as the principle of least privilege, and helps prevent unnecessary exposure of AWS resources.
Impact:
If unused user console access is not disabled:
Users retain the ability to sign in to the AWS Management Console without a valid need.
Former or inactive employees, or anyone holding one of their leaked or guessed passwords, can sign in and reach sensitive resources.
The risk of accidental or malicious changes to the AWS environment increases.
Default Value:
By default, a newly created IAM user has no console password; console access exists only if a login profile has been created for the user. AWS does not revoke console access automatically, so console access should be reviewed periodically and removed where it is no longer needed.
Pre-requisites:
Access to the AWS Management Console or AWS CLI with sufficient IAM permissions (at minimum iam:ListUsers, iam:GetLoginProfile and iam:DeleteLoginProfile, plus iam:CreateLoginProfile for the backout plan).
Familiarity with IAM user management and AWS security best practices.
Knowledge of the principle of least privilege and how to manage user access effectively.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Users in AWS IAM console.
Review the list of IAM users; the Password age and Console last sign-in columns show which users have a console password and when they last used it.
For each user, open the Security credentials tab and check the Console sign-in section to confirm whether console access is enabled.
If the user no longer needs console access, click Manage console access, select Disable console access, and apply. Console access for that user is now disabled.
Using AWS CLI:
List all IAM users using the following command:
aws iam list-users
For each IAM user, check whether a login profile (console password) exists:
aws iam get-login-profile --user-name <USER_NAME>
If the command returns a LoginProfile object, console access is enabled; if it fails with a NoSuchEntity error, the user has no console password. Note that the output of aws iam get-user has no ConsoleAccess field; its PasswordLastUsed field is present only if the user has ever signed in, so its absence does not prove that console access is disabled. If the user no longer needs console access, remove the login profile:
aws iam delete-login-profile --user-name <USER_NAME>
(aws iam update-login-profile only sets or changes a password; it has no option to remove one.)
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Users in AWS IAM console.
Review each user's Security credentials tab, Console sign-in section.
If the user no longer needs console access, click Manage console access, select Disable console access, and apply. Console access for that user is now disabled.
Using AWS CLI:
List all IAM users using
aws iam list-users
For each user, check whether a login profile exists using
aws iam get-login-profile --user-name <USER_NAME>
Disable console access for users who no longer need it using
aws iam delete-login-profile --user-name <USER_NAME>
Record each change (user name, date, approver) and re-run the check periodically to monitor for compliance.
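The CLI steps in the Test Plan and Implementation Plan above check one user at a time. The following script is an added example, not part of the original page, that performs the same audit against an IAM credential report (aws iam generate-credential-report, then aws iam get-credential-report), whose password_enabled and password_last_used columns answer the question for every user in one pass. The report content is a constructed sample embedded in the script so that it runs offline; the user names, the account ID 123456789012 and the 2024-01-01 cutoff are assumptions. It prints the delete-login-profile commands for review instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): find IAM users whose console
# password is enabled but has not been used since a cutoff date, using the
# CSV format of an IAM credential report. To run it against a real report:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d > report.csv
# Constructed sample report; user names and account ID 123456789012 are made up.
SAMPLE_REPORT='user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-01-10T09:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-01-15T00:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-01T00:00:00+00:00,true,2023-06-15T08:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false
carol,arn:aws:iam::123456789012:user/carol,2024-04-01T00:00:00+00:00,true,no_information,2024-04-01T00:00:00+00:00,N/A,false
dave,arn:aws:iam::123456789012:user/dave,2021-09-01T00:00:00+00:00,true,no_information,2021-09-01T00:00:00+00:00,N/A,false'

# stale_console_users REPORT_CSV CUTOFF
# Prints the name of every IAM user who has a console password but has not
# signed in since CUTOFF (ISO 8601 date, e.g. 2024-01-01). A user who has
# never signed in (password_last_used = no_information) is reported only if
# the account itself predates the cutoff, so a user created last week is not
# flagged merely for not having signed in yet.
stale_console_users() {
  report="$1"
  cutoff="$2"
  printf '%s\n' "$report" | awk -F, -v cutoff="$cutoff" '
    NR == 1                 { next }   # header row
    $1 == "<root_account>"  { next }   # root is not an IAM user; review it separately
    $4 != "true"            { next }   # no console password, nothing to disable
    $5 == "no_information"  { if ($3 < cutoff) print $1; next }
    $5 < cutoff             { print $1 }   # report timestamps share one format and UTC offset, so string order is date order
  '
}

# remediation_commands REPORT_CSV CUTOFF
# Emits one aws iam delete-login-profile command per stale user for review.
# Nothing is executed here: pipe the output into sh only after the list is approved.
remediation_commands() {
  stale_console_users "$1" "$2" | while IFS= read -r user; do
    printf 'aws iam delete-login-profile --user-name %s\n' "$user"
  done
}

# Demonstration on the constructed report with a 2024-01-01 cutoff:
# bob (last sign-in 2023-06-15) and dave (never signed in, created 2021) are
# reported; alice is active, carol is new, ci-deploy has no console password.
remediation_commands "$SAMPLE_REPORT" 2024-01-01
```

The never-signed-in case is the one that needs judgement: an old account that was given a password and never used it is a prime candidate for removal, while a freshly created one is simply waiting for its first sign-in, which is why the creation time is compared against the same cutoff.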
Backout Plan:
Using AWS Console:
If disabling console access affects a legitimate user, restore access by creating a new login profile for that user.
In the IAM console, open the user's Security credentials tab, click Manage console access, select Enable console access, and set a password, requiring the user to create a new password at next sign-in.
Share the temporary password through a secure channel and confirm that the user can sign in and set a new password.
Using AWS CLI:
To restore console access for a user, create a new login profile and require the password to be changed at first sign-in:
aws iam create-login-profile --user-name <USER_NAME> --password <NEW_PASSWORD> --password-reset-required
Verify that the user has access:
aws iam get-login-profile --user-name <USER_NAME>
Reference:
CIS Controls: