Profile Applicability
- Level 1
Description:
Granting IAM users permissions through individual user policies can lead to inconsistent access management and increased administrative overhead. The best practice is to assign permissions to users through groups rather than directly attaching policies to individual users. By using groups, you can manage permissions centrally, making it easier to enforce consistent access control policies across users with similar job roles or responsibilities.
This approach simplifies access management by grouping users according to their permissions, ensuring that access is consistent and easier to audit. Ensuring that IAM users receive permissions only through groups improves security and minimizes the risk of improper access.
Rationale:
Granting permissions through IAM groups provides the following benefits:
- Centralized management: Simplifies user permission management by allowing you to assign permissions to groups rather than individual users.
- Consistency: Ensures that users with similar job functions or responsibilities receive the same permissions, reducing the risk of errors.
- Least privilege: Makes it easier to assign and monitor permissions to ensure users only have the permissions they need.
- Scalability: As new users join, you can quickly add them to the appropriate group, ensuring that their permissions are automatically aligned with organizational policies.
Without using groups, managing user permissions becomes more complex, leading to potential misconfigurations or inconsistent access control.
Impact:
Failure to assign permissions through groups can result in:
- Inconsistent access management: Direct user permissions can be harder to track, leading to misconfigurations and unintended access.
- Increased administrative overhead: Managing individual user permissions is more time-consuming than managing permissions through groups.
- Security risks: Without centralized group management, users may be assigned permissions that exceed their job requirements, violating the principle of least privilege.
- Non-compliance: Violations of best practices and security standards that require controlled and consistent access to AWS resources.
By assigning permissions through groups, access control is streamlined, secure, and easier to maintain.
Default Value:
By default, IAM users can have permissions attached to them directly, as either managed policies or inline policies. Organizations are encouraged to create IAM groups and assign permissions to users through those groups instead.
Pre-Requisites:
- AWS CLI installed and configured
- IAM permissions:
  - iam:ListUsers
  - iam:ListGroups
  - iam:AttachUserPolicy
  - iam:CreateGroup
  - iam:AddUserToGroup
- IAM roles and groups must be configured and available for user assignment
Remediation:
Test Plan:
Using AWS Console:
1. Go to the IAM Console.
2. Check whether IAM users have policies directly attached to them by reviewing the Users section.
3. Ensure that all users receive their permissions through groups by assigning them to appropriate groups and removing any direct user policies.
Using AWS CLI:
To list the managed policies attached directly to a user:
aws iam list-attached-user-policies --user-name <username> --query "AttachedPolicies" --output table
To check which groups a user belongs to:
aws iam list-groups-for-user --user-name <username> --query "Groups" --output table
Implementation Plan:
Using AWS Console:
Assign IAM users to groups:
1. Go to the IAM Console.
2. In the Users section, select the user to modify.
3. Under the Groups tab, click Add user to group and select the appropriate group for the user.
4. Remove any direct permissions from the individual user.
Verify group-based permissions:
5. Ensure that users are only receiving their permissions through their respective groups.
Using AWS CLI:
Create an IAM group (if necessary):
aws iam create-group --group-name <group-name>
Add IAM users to groups:
aws iam add-user-to-group --user-name <username> --group-name <group-name>
Verify the group's permissions:
aws iam list-attached-group-policies --group-name <group-name> --query "AttachedPolicies" --output table
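The Test Plan above checks one user at a time, and list-attached-user-policies reports only attached managed policies; inline user policies are a second way for a user to hold permissions outside groups (they are listed by list-user-policies, and both kinds are returned together by get-account-authorization-details). The following script is an added example, not part of this benchmark control or AWS tooling: it audits every user in the JSON printed by aws iam get-account-authorization-details --output json for permissions held outside groups, and then builds a change plan (as AWS CLI commands) for the Implementation Plan. The field names match the real API response; the user names, policy documents and the direct-perms-N group names are constructed placeholders for this example.

```python
"""Audit IAM users for permissions held outside groups and plan group-based remediation.

Added example (not from the benchmark or AWS). Input is the JSON printed by
    aws iam get-account-authorization-details --output json
which, unlike list-attached-user-policies, also returns inline user policies.
"""
import json
import sys
from collections import defaultdict

# Constructed sample: user names and policy documents are made up for this example,
# but the field names are those of the real get-account-authorization-details response.
SAMPLE_AUTH_DETAILS = json.dumps({
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["Developers"],
         "AttachedManagedPolicies": [], "UserPolicyList": []},
        {"UserName": "bob", "GroupList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "AmazonS3ReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}],
         "UserPolicyList": []},
        {"UserName": "carol", "GroupList": ["Developers"],
         "AttachedManagedPolicies": [],
         "UserPolicyList": [
             {"PolicyName": "carol-inline-admin",
              "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
    ],
})


def _direct_permissions(user):
    # Managed policy ARNs plus (name, canonical JSON document) for each inline policy.
    managed = sorted(p["PolicyArn"] for p in user.get("AttachedManagedPolicies", []))
    inline = sorted(
        (p["PolicyName"], json.dumps(p["PolicyDocument"], sort_keys=True, separators=(",", ":")))
        for p in user.get("UserPolicyList", []))
    return managed, inline


def audit_users(auth_details_json):
    """Return {user_name: finding} for every user that fails the control."""
    details = json.loads(auth_details_json)
    findings = {}
    for user in details.get("UserDetailList", []):
        managed, inline = _direct_permissions(user)
        if managed or inline:
            findings[user["UserName"]] = {
                "groups": user.get("GroupList", []),
                "managed": managed,
                "inline": [name for name, _ in inline],
            }
    return findings


def plan_remediation(auth_details_json):
    """Return the ordered AWS CLI commands that move each direct permission onto a group.

    Users with an identical set of direct permissions share one new group, so nobody
    gains a permission they did not already hold. Group permissions are granted before
    the direct ones are removed, so no user loses access mid-change. Inline policies
    have no ARN and cannot be detached, so they are re-created on the group with
    put-group-policy and then deleted from the user.
    """
    details = json.loads(auth_details_json)
    buckets = defaultdict(list)  # fingerprint of direct permissions -> user names
    for user in details.get("UserDetailList", []):
        managed, inline = _direct_permissions(user)
        if managed or inline:
            buckets[(tuple(managed), tuple(inline))].append(user["UserName"])

    commands = []
    for n, (key, users) in enumerate(sorted(buckets.items()), start=1):
        managed, inline = key
        group = f"direct-perms-{n}"  # placeholder: rename to the job role before applying
        commands.append(f"aws iam create-group --group-name {group}")
        for arn in managed:
            commands.append(f"aws iam attach-group-policy --group-name {group} --policy-arn {arn}")
        for name, doc in inline:
            commands.append(f"aws iam put-group-policy --group-name {group} "
                            f"--policy-name {name} --policy-document '{doc}'")
        for user in users:
            commands.append(f"aws iam add-user-to-group --user-name {user} --group-name {group}")
            for arn in managed:
                commands.append(f"aws iam detach-user-policy --user-name {user} --policy-arn {arn}")
            for name, _ in inline:
                commands.append(f"aws iam delete-user-policy --user-name {user} --policy-name {name}")
    return commands


if __name__ == "__main__":
    # Pass a file saved from get-account-authorization-details, or run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_DETAILS
    for user, finding in audit_users(data).items():
        print(f"FAIL {user}: managed={finding['managed']} inline={finding['inline']} "
              f"groups={finding['groups']}")
    print("\n".join(plan_remediation(data)))
```

Review the printed plan before running any of it: the generated groups mirror each user's current direct permissions, so an over-broad direct grant (such as carol's inline allow-all policy in the sample) becomes an equally over-broad group and should be trimmed to the job role at that point. Running the plan needs permissions beyond the Pre-Requisites list above (iam:AttachGroupPolicy, iam:PutGroupPolicy, iam:DetachUserPolicy and iam:DeleteUserPolicy).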
Backout Plan:
Using AWS Console:
If assigning users to groups causes issues with permissions:
1. Go to the IAM Console.
2. Remove users from groups and assign direct permissions if necessary (though not recommended).
3. Recheck the permissions to ensure they match organizational requirements.
Revert permissions by reassigning them individually if needed:
- Attach policies directly to users for specific use cases if necessary.
Using AWS CLI:
Remove users from groups:
aws iam remove-user-from-group --user-name <username> --group-name <group-name>
Revert to direct user policies if group assignment causes issues:
aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/<policy-name>
Re-enable group-based permissions once issues are resolved:
aws iam add-user-to-group --user-name <username> --group-name <group-name>