Profile Applicability:
• Level 2
Description:
Creating IAM users allows administrators to provide individuals with access to AWS resources while enforcing the principle of least privilege. Each IAM user can have specific permissions attached to their account, defining which AWS resources they can access and which actions they can perform.
Rationale:
Creating individual IAM users ensures that each person or system interacting with AWS resources has a unique identity. This allows for precise access control, auditing, and accountability. By configuring proper permissions, organizations can ensure that users only have the necessary access required for their job functions, thus reducing the risk of unauthorized actions or breaches.
Impact:
Pros:
Provides granular control over user access to AWS resources
Enables auditing and tracking of user activities
Reduces risk of unauthorized access and actions by limiting permissions
Enhances security by using strong authentication methods like MFA
Cons:
Requires careful management to ensure that permissions are not overly permissive
Misconfigured IAM users can lead to access issues or security gaps
Increased overhead for managing large numbers of users and permissions
Default Value:
AWS does not create IAM users automatically. Users must be manually created and configured with appropriate permissions.
Pre-requisites:
IAM permissions to create and manage IAM users (e.g., iam:CreateUser, iam:AttachUserPolicy)
Defined role-based access policies and permissions for the user
Consideration for MFA (Multi-Factor Authentication) for user accounts requiring higher security levels
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to IAM > Users
Verify that IAM users are created for all individuals requiring AWS access
Ensure that each user has the necessary permissions based on their role and the principle of least privilege
Check that MFA is enabled for high-privilege users
Confirm that no IAM users have overly permissive policies or access to sensitive resources unless absolutely necessary
Using AWS CLI:
List all IAM users:
aws iam list-users
Describe a specific IAM user:
aws iam get-user --user-name <username>
Verify user permissions:
aws iam list-attached-user-policies --user-name <username>
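The Test Plan checks above can be scripted so they run across every user at once. The following is an added example (not part of this benchmark page) in Python: the audit logic works on plain dictionaries shaped like the boto3 IAM responses, so it runs offline against constructed sample data, and a small wrapper shows how to feed it a live boto3 client. The set of "overly permissive" policy ARNs is an assumption to adjust for your environment.

```python
"""Audit IAM users for the checks in the Test Plan: broad managed policies,
high-privilege users without MFA, and users with no attached policies.
Added example; assumes boto3 response shapes for list_users,
list_attached_user_policies and list_mfa_devices (pagination omitted)."""

# Assumption: managed policies treated as overly permissive for this audit.
BROAD_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}


def audit_user(user_name, attached_policies, mfa_devices):
    """Return a list of finding strings for one user."""
    findings = []
    broad = [p["PolicyArn"] for p in attached_policies if p["PolicyArn"] in BROAD_POLICY_ARNS]
    if broad:
        findings.append(f"{user_name}: overly permissive policy attached: {', '.join(broad)}")
    if broad and not mfa_devices:
        findings.append(f"{user_name}: high-privilege user without MFA")
    if not attached_policies:
        findings.append(f"{user_name}: no attached policies (check group and inline policies)")
    return findings


def audit_account(users, policies_by_user, mfa_by_user):
    """Apply audit_user to every user; inputs mirror the IAM API responses."""
    findings = []
    for user in users:
        name = user["UserName"]
        findings.extend(audit_user(name, policies_by_user.get(name, []), mfa_by_user.get(name, [])))
    return findings


def audit_live(iam):
    """Run the audit with a real boto3 IAM client, e.g. boto3.client('iam'). Not run here."""
    users = iam.list_users()["Users"]
    policies = {u["UserName"]: iam.list_attached_user_policies(UserName=u["UserName"])["AttachedPolicies"]
                for u in users}
    mfa = {u["UserName"]: iam.list_mfa_devices(UserName=u["UserName"])["MFADevices"] for u in users}
    return audit_account(users, policies, mfa)


# Constructed sample data in the shape of the API responses (not from a real account).
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "svc-backup"}]
SAMPLE_POLICIES = {
    "alice": [{"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
    "bob": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
    "svc-backup": [],
}
SAMPLE_MFA = {"bob": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/bob"}]}

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_USERS, SAMPLE_POLICIES, SAMPLE_MFA):
        print(finding)
```

On the sample data this reports alice twice (broad policy, no MFA) and svc-backup once (no attached policies), while bob passes.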
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to IAM > Users
Click Add User
Provide a User Name
Select the type of access the user will have (e.g., programmatic access for the API and CLI, or AWS Management Console access)
Set Permissions:
Attach existing policies directly (e.g., AdministratorAccess, ReadOnlyAccess, or custom policies)
Create and assign new policies if necessary
Enable MFA for high-privilege users to enhance security
Review and click Create User
Save the user credentials (Access Key, Secret Key, or Console login information) securely
Using AWS CLI:
Create a new IAM user:
aws iam create-user --user-name <username>
Assign permissions to the IAM user (e.g., attach a managed policy):
aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Enable MFA for the IAM user (optional, but recommended for high-privilege accounts):
aws iam enable-mfa-device --user-name <username> --serial-number <mfa-device-arn> --authentication-code1 <code1> --authentication-code2 <code2>
Create the user’s login credentials or access keys if required:
aws iam create-access-key --user-name <username>
Backout Plan:
Using AWS Console:
Navigate to IAM > Users
Select the user to delete
Click Delete from the Actions menu
Confirm the deletion of the IAM user
Ensure that any associated resources (e.g., access keys, permissions) are properly revoked before deletion
Using AWS CLI:
Delete an IAM user:
aws iam delete-user --user-name <username>
If the user has access keys, delete them first:
aws iam list-access-keys --user-name <username>
aws iam delete-access-key --user-name <username> --access-key-id <access-key-id>