
Ensure IAM Users Receive Permissions Only Through Groups Rule

This rule checks that IAM users hold no permissions of their own: every user must have neither inline policies nor directly attached managed policies, so that all access is inherited from IAM group membership.

Rule: Ensure IAM Users Receive Permissions Only Through Groups
Framework: cis_v130
Severity: Medium

Ensure IAM Users Receive Permissions Only Through Groups for cis_v130

Description

This rule implements a control from the CIS AWS Foundations Benchmark version 1.3.0 for AWS IAM (Identity and Access Management). It requires that IAM users receive permissions only through membership in IAM groups, never through inline policies embedded in the user or managed policies attached directly to the user. Grouping permissions by job function makes access easier to review and revoke, reduces the chance that one-off grants to individual users outlive their purpose, and supports the principle of least privilege.

Troubleshooting Steps

If there is a violation of this rule, it means that one or more IAM users have been assigned permissions directly rather than through a group. The following steps can be used to troubleshoot and correct the issue:

  1. List Users with Direct Permissions:

    • Use the AWS Management Console or AWS CLI to identify every IAM user that has inline policies or directly attached managed policies. Group-delivered permissions do not show up in the user-level policy listings, so anything reported there is a finding.

  2. Review User Policies:

    • Review each identified user's policies to understand exactly which permissions they grant, so nothing is lost or over-granted when the permissions are moved.

  3. Create or Identify Appropriate IAM Groups:

    • Determine suitable groups for the users based on their functional roles within the organization, reusing an existing group where one already matches the role.

  4. Recreate Permissions in the Groups:

    • Attach the same managed policies to the group. Inline policies have no ARN and cannot be moved by reference; re-create their policy documents as inline policies on the group.

  5. Attach Users to Their Relevant Groups:

    • Add the users to the groups so that they inherit the necessary permissions. Do this before the next step so access is never interrupted.

  6. Remove Directly Attached Policies:

    • Once the users are members of the appropriate groups, detach the managed policies and delete the inline policies from the users, then re-run the listing from step 1 to confirm nothing remains.

Necessary AWS CLI Commands

Here are the command-line steps to identify users with directly attached policies and to remediate the rule:

  1. List IAM Users with Attached or Inline Policies:

    for user in $(aws iam list-users --query 'Users[].UserName' --output text); do
      echo "== $user"
      aws iam list-attached-user-policies --user-name "$user" \
        --query 'AttachedPolicies[].PolicyArn' --output text
      aws iam list-user-policies --user-name "$user" \
        --query 'PolicyNames' --output text
    done
    

    This loop prints, for every user, the ARNs of directly attached managed policies followed by the names of inline policies. The --query/--output text options return bare values rather than JSON, so the user names can be passed straight to the per-user calls (IAM user names cannot contain whitespace). Any user that prints a policy ARN or policy name violates the rule.

  2. Create IAM Group with Required Permissions:

    aws iam create-group --group-name YourGroupName
    

    Replace YourGroupName with the desired name for the IAM group that will carry the permissions. Skip this step if a group matching the user's role already exists; the call fails if the name is already taken.

  3. Attach Policy to Group:

    aws iam attach-group-policy --group-name YourGroupName --policy-arn arn:aws:iam::aws:policy/PolicyName
    

    Replace YourGroupName with your group's name and PolicyName with the managed policy to attach. The arn:aws:iam::aws:policy/ prefix is for AWS-managed policies; a customer-managed policy uses arn:aws:iam::<account-id>:policy/PolicyName. An inline policy has no ARN and cannot be attached by reference; its policy document must be re-created as an inline policy on the group.

  4. Add User to Group:

    aws iam add-user-to-group --group-name YourGroupName --user-name UserName
    

    Replace YourGroupName with the group's name and UserName with the user's name. Do this before detaching anything from the user so there is no gap in access.

  5. Detach Directly Attached User Policies:

    aws iam detach-user-policy --user-name UserName --policy-arn arn:aws:iam::aws:policy/PolicyName
    

    Replace UserName with the user's name and PolicyName with the policy to be detached from the user, using the exact ARN reported in step 1.

  6. Remove Inline Policies:

    aws iam delete-user-policy --user-name UserName --policy-name InlinePolicyName
    

    Replace UserName with the user's name and InlinePolicyName with the inline policy to be removed (inline policy names can be listed with aws iam list-user-policies).

Step by Step Guide for Remediation

Follow these steps to ensure IAM users receive permissions only through groups:

  1. Audit Current IAM Users and Policies: Use the AWS CLI commands above to list every user together with its directly attached managed policies and inline policies.

  2. Group Creation and Configuration: Identify the required roles and permissions, then create IAM groups aligned with each set of responsibilities (or reuse existing groups that already match).

  3. Policy Attachment: Attach the relevant managed policies to the groups, and re-create any inline policy documents on the groups, so that they replicate the permissions formerly assigned directly to users.

  4. User Group Association: Add each IAM user to its group so that it inherits the necessary permissions before anything is removed.

  5. Remove Direct Assignments: Detach any directly attached managed policies from the users and delete any inline policies, leaving the users with permissions solely from their group memberships. Re-run the audit to confirm.

By following these steps you maintain an AWS IAM setup that aligns with the CIS benchmark's separation of privileges by job function, streamlines access management within your organization, and enhances overall security posture.
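The CLI section and the step-by-step guide above describe a per-user loop of list, group, attach, add, detach and delete. The following Python script is an added example, not code from the original page or from Cloud Defense: it performs the audit offline against SAMPLE_DETAILS, a constructed snapshot shaped like the output of aws iam get-account-authorization-details --filter User Group (one call that returns every user's inline policies, attached managed policies and group memberships), and then generates the remediation commands in an order that never leaves a user without access. The account ID, user names, group names and policy names are invented for illustration; group_for_user is an assumed mapping that you would fill in from your role review.

```python
"""Offline audit and remediation planner for "permissions only through groups".

Added example, not part of the original page. SAMPLE_DETAILS is a constructed
snapshot shaped like `aws iam get-account-authorization-details --filter User Group`;
the account ID, user, group and policy names are invented.
"""
import json

SAMPLE_DETAILS = {
    "UserDetailList": [
        {   # compliant: all permissions arrive via group membership
            "UserName": "alice", "UserPolicyList": [],
            "AttachedManagedPolicies": [], "GroupList": ["Developers"],
        },
        {   # violation: a customer-managed policy attached straight to the user
            "UserName": "bob", "UserPolicyList": [],
            "AttachedManagedPolicies": [
                {"PolicyName": "DeployPolicy",
                 "PolicyArn": "arn:aws:iam::123456789012:policy/DeployPolicy"}],
            "GroupList": [],
        },
        {   # violation: an inline policy embedded in the user object
            "UserName": "carol",
            "UserPolicyList": [
                {"PolicyName": "S3ReadInline",
                 "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                     {"Effect": "Allow", "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::example-bucket/*"}]}}],
            "AttachedManagedPolicies": [], "GroupList": ["Developers"],
        },
    ],
    "GroupDetailList": [{"GroupName": "Developers"}],   # groups that already exist
}


def find_violations(details):
    """Map each non-compliant user to its directly attached ARNs and inline policy names."""
    findings = {}
    for user in details["UserDetailList"]:
        attached = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        if attached or inline:
            findings[user["UserName"]] = {"attached": attached, "inline": inline}
    return findings


def remediation_commands(details, group_for_user):
    """Emit AWS CLI commands that move each violating user's permissions into a group.

    group_for_user (assumed input) maps user name -> target group chosen by role.
    Ordering is deliberate: the group is populated and the user joins it
    *before* anything is removed from the user, so access is never interrupted.
    """
    existing = {g["GroupName"] for g in details.get("GroupDetailList", [])}
    users = {u["UserName"]: u for u in details["UserDetailList"]}
    cmds = []
    for name, v in find_violations(details).items():
        group = group_for_user[name]
        if group not in existing:          # create-group fails if the name is taken
            cmds.append(f"aws iam create-group --group-name {group}")
            existing.add(group)
        for arn in v["attached"]:
            cmds.append(f"aws iam attach-group-policy --group-name {group} --policy-arn {arn}")
        for pol in users[name]["UserPolicyList"]:
            # Inline policies have no ARN: re-create the document on the group.
            doc = json.dumps(pol["PolicyDocument"], separators=(",", ":"))
            cmds.append(f"aws iam put-group-policy --group-name {group} "
                        f"--policy-name {pol['PolicyName']} --policy-document '{doc}'")
        cmds.append(f"aws iam add-user-to-group --group-name {group} --user-name {name}")
        for arn in v["attached"]:
            cmds.append(f"aws iam detach-user-policy --user-name {name} --policy-arn {arn}")
        for pol in v["inline"]:
            cmds.append(f"aws iam delete-user-policy --user-name {name} --policy-name {pol}")
    return cmds


if __name__ == "__main__":
    # Against a real account, replace SAMPLE_DETAILS with the parsed JSON of
    # `aws iam get-account-authorization-details --filter User Group`.
    for user, v in find_violations(SAMPLE_DETAILS).items():
        print(f"{user}: attached={v['attached']} inline={v['inline']}")
    plan = remediation_commands(SAMPLE_DETAILS, {"bob": "Deployers", "carol": "Developers"})
    print("\n".join(plan))
```

Two design points worth copying into any real script: the planner only emits create-group for groups absent from GroupDetailList, because the call errors on an existing name, and it emits add-user-to-group before detach-user-policy or delete-user-policy for each user, so the user holds both the old and the new grant for the brief overlap rather than neither. Review the printed commands before running them; in particular, check that a re-created inline policy document on a shared group does not grant the other members more than they had.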
