Ensure IAM Users Receive Permissions Only Through Groups Rule
This rule ensures that IAM users are granted permissions solely via groups.
| Rule | Ensure IAM Users Receive Permissions Only Through Groups |
| Framework | cis_v150 |
| Severity | ✔ High |
Rule Details: Ensure IAM Users Receive Permissions Only Through Groups (cis_v150)
The given rule refers to a best practice recommendation from the Center for Internet Security (CIS) in the AWS context. Specifically, it pertains to Identity and Access Management (IAM) within AWS and states that IAM users should be assigned permissions only through their membership in IAM groups.
Why this Rule is Important
Assigning user permissions through groups helps to:
- Streamline the management of permissions as users' roles change.
- Ensure consistent access levels across users with similar responsibilities.
- Simplify the audit of permissions by reducing the complexity linked to individual users.
- Follow the principle of least privilege more effectively.
Troubleshooting Steps
If your IAM users have been given permissions outside of groups, you will need to take steps to remediate this issue.
Check for Directly Assigned Permissions
- 1.Sign in to the AWS Management Console.
- 2.Navigate to the IAM dashboard.
- 3.Select „Users“.
- 4.Click on an individual user to see their permissions.
- 5.Under the „Permissions“ tab, check if the user has any inline policies or managed policies attached directly to them.
Check for Permissions Through Groups
- 1.Still in the user's permissions overview, check if they are part of any groups.
- 2.Click each group to view its permissions.
Remediation Steps
To comply with the rule, if permissions are assigned directly, they will need to be migrated to group-based permissions.
Create or Identify Groups
- 1.Determine appropriate groupings for your users based on job function or role.
- 2.Create IAM groups corresponding to these functions if they don´t yet exist.
Assign Users to Groups
- 1.In the IAM dashboard, select „Groups“.
- 2.Choose a group and click „Add Users to Group“.
- 3.Select the users that should inherit the permissions from this group.
Remove Direct Permissions
- 1.Go back to the user's permission page.
- 2.Detach directly attached managed policies.
- 3.Delete any inline policies present.
Required AWS CLI Commands
To perform these remediation steps from the Command Line Interface (CLI), the following commands can be used:
- 1.List IAM users:
aws iam list-users - 2.Check direct policies attached to a user:
aws iam list-attached-user-policies --user-name <username> - 3.Check groups a user is in:
aws iam list-groups-for-user --user-name <username> - 4.Create a new IAM group:
aws iam create-group --group-name <groupname> - 5.Add a user to a group:
aws iam add-user-to-group --group-name <groupname> --user-name <username> - 6.Remove a user from a group:
aws iam remove-user-from-group --group-name <groupname> --user-name <username> - 7.Detach a managed policy from a user:
aws iam detach-user-policy --user-name <username> --policy-arn <policy-arn> - 8.Delete a user's inline policy:
aws iam delete-user-policy --user-name <username> --policy-name <policyname>
This guide is prepared with the intention of optimizing for SEO while providing precise and detailed instructions for ensuring IAM users receive permissions only through groups according to the cis_v150 benchmark. Following these steps should help organizations increase their security posture and align with established best practices.