Profile Applicability

  • Level 1

Description:

In multi-account environments, managing IAM users centrally via identity federation or AWS Organizations helps streamline access management and ensures consistent security practices across all accounts. By using identity federation (such as integrating with Active Directory or another identity provider) or AWS Organizations, organizations can centralize user management and enforce consistent policies, reducing the overhead of managing IAM users individually in each account.

This approach simplifies the administration of user access, ensures compliance with organizational security policies, and improves scalability as the number of AWS accounts grows.

Rationale:

Centralized management of IAM users provides the following benefits:

  • Simplified user access management: Users are managed in a centralized system, making it easier to handle permissions, role assignments, and access across multiple AWS accounts.

  • Consistency in security policies: Ensures that security policies are uniformly applied across all accounts.

  • Improved scalability: As the organization grows, identity federation or AWS Organizations allow for efficient management of users across multiple accounts without the need to configure each account separately.

  • Compliance: Helps meet regulatory and security requirements by ensuring that access control is applied uniformly and managed centrally.

Without centralized user management, organizations face difficulties in maintaining consistent security controls across multiple accounts, leading to potential gaps in security and compliance.

Impact:

Failure to manage IAM users centrally can result in:

  • Inconsistent access control policies across multiple AWS accounts.

  • Difficulty in scaling user access management as the organization grows.

  • Increased administrative overhead from managing IAM users individually in each account.

  • Non-compliance with best practices or regulatory standards that require centralized user management.

Centralized management ensures that access controls are consistent and easier to monitor and audit.

Default Value:

By default, IAM users are not centrally managed in AWS. IAM users are created individually within each AWS account unless integrated with AWS Organizations or a federated identity provider.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • iam:ListUsers

    • iam:ListRoles

    • organizations:ListAccounts

    • iam:AttachUserPolicy

    • iam:CreateGroup

  • AWS Organizations must be set up or identity federation (e.g., via Active Directory) must be implemented

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the AWS Organizations Console.

  2. Check if AWS Organizations is enabled and review the account structure.

  3. Verify if IAM users are being centrally managed through AWS Organizations or identity federation.

  4. Go to the IAM Console and ensure that IAM user permissions are centrally managed, and individual IAM user management is minimized across accounts.

Using AWS CLI:

aws organizations describe-organization --query "Organization" --output table

To check if users are managed centrally:

aws iam list-users --query "Users[*].UserName" --output table
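As an added example (not part of the benchmark text), the following Python script applies the Test Plan's decision logic to the JSON output of `aws organizations describe-organization`, `aws iam list-saml-providers` and `aws iam list-users` (run with `--output json` and saved to files); the sample data and the `break-glass-admin` exception name are constructed for illustration.

```python
import json
import sys

# Constructed sample outputs, shaped like the JSON returned by
# `aws organizations describe-organization`, `aws iam list-saml-providers`
# and `aws iam list-users --output json`. If describe-organization fails
# with AWSOrganizationsNotInUseException, pass an empty object ({}) instead.
SAMPLE_ORG = {"Organization": {"Id": "o-exampleorgid", "FeatureSet": "ALL",
                               "MasterAccountId": "111111111111"}}
SAMPLE_SAML = {"SAMLProviderList": [
    {"Arn": "arn:aws:iam::111111111111:saml-provider/CorpIdP"}]}
SAMPLE_USERS = {"Users": [
    {"UserName": "break-glass-admin", "CreateDate": "2024-01-01T00:00:00Z"},
    {"UserName": "alice", "CreateDate": "2024-02-01T00:00:00Z"},
]}


def assess_central_management(org, saml, users, allowed_users=()):
    """Return (compliant, findings) for the centralized-IAM-user check.

    allowed_users: IAM user names accepted as documented exceptions
    (for example a single break-glass account). Any other IAM user is
    reported as locally managed, i.e. not federated.
    """
    findings = []
    organization = org.get("Organization") or {}
    if not organization:
        findings.append("AWS Organizations is not enabled for this account")
    elif organization.get("FeatureSet") != "ALL":
        findings.append("Organization exists but FeatureSet is not ALL; "
                        "organization policies are unavailable")
    if not saml.get("SAMLProviderList"):
        findings.append("No SAML identity provider is registered in IAM")
    stray = sorted(u["UserName"] for u in users.get("Users", [])
                   if u["UserName"] not in allowed_users)
    if stray:
        findings.append("Locally managed IAM users present: " + ", ".join(stray))
    return (not findings, findings)


def load(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: check.py org.json saml.json users.json (else the sample data runs)
    data = [load(p) for p in sys.argv[1:4]] if len(sys.argv) == 4 else \
        [SAMPLE_ORG, SAMPLE_SAML, SAMPLE_USERS]
    ok, notes = assess_central_management(*data, allowed_users={"break-glass-admin"})
    print("COMPLIANT" if ok else "NON-COMPLIANT")
    for note in notes:
        print(" -", note)
    sys.exit(0 if ok else 1)
```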

Implementation Plan:

Using AWS Console:

  1. Set up AWS Organizations:

    • Go to the AWS Organizations Console.

    • Create an organization and link multiple AWS accounts under this organization to centrally manage them.

    • Use AWS Organizations policies to enforce access controls and permissions for all accounts.

  2. Enable Identity Federation (Optional):

    • Go to the IAM Console.

    • Configure federated login through an identity provider (e.g., Active Directory, Okta) to manage IAM users centrally.

    • Ensure that roles and permissions are mapped to federated users rather than creating individual IAM users.

Using AWS CLI:

  1. Set up AWS Organizations:

aws organizations create-organization --feature-set ALL

  2. Check if users are federated:

aws iam list-users --query "Users[*].UserName" --output table

  3. Configure Identity Federation (the --name parameter is required by create-saml-provider):

aws iam create-saml-provider --name <provider-name> --saml-metadata-document file://saml-metadata.xml

  4. Ensure centralized user management:

aws organizations list-accounts --query "Accounts[*].{Name:Name, Id:Id}" --output table

Backout Plan:

Using AWS Console:

  1. If centralized management causes access issues:

    • Go to the AWS Organizations Console.

    • Disconnect or remove the accounts from the organization if there are configuration issues or if federated identity providers need to be reconfigured.

  2. Revert to individual IAM user management if necessary:

    • Go to the IAM Console and revert the changes made for centralized management by creating IAM users individually and adjusting permissions as needed.

Using AWS CLI:

  1. Remove accounts from AWS Organizations:

aws organizations remove-account-from-organization --account-id <account-id>

  2. Stop federated login if needed (delete-saml-provider takes the provider ARN, not its name):

aws iam delete-saml-provider --saml-provider-arn <saml-provider-arn>

  3. Revert to manual IAM user management if there are issues:

aws iam create-user --user-name <user-name>

References:

CIS Controls Mapping:

CIS Control Version   Control ID   Control Description
CIS v8                4.9          Perform Continuous Security Monitoring and Incident Detection
CIS v7                6.3          Monitor Security Configurations for Compliance
CIS v7                5.2          Securely Manage and Monitor Cloud Accounts and Services