
IAM Groups Should Have at Least One User Rule

This rule ensures that IAM groups have a minimum of one user assigned to them.

Rule: IAM groups should have at least one user
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description

This rule is based on the NIST 800-171 Revision 2 compliance standard and requires that all IAM (Identity and Access Management) groups in an organization must have at least one user assigned to them. IAM groups are used to manage and control user access to various resources within an organization's AWS (Amazon Web Services) account.

Reason for the Rule

Having at least one user assigned to each IAM group ensures proper access management and control within an organization's AWS account. It helps organizations adhere to compliance standards such as the NIST 800-171 Revision 2, which focuses on protecting Controlled Unclassified Information (CUI).

Troubleshooting Steps

If the IAM group does not have any users assigned to it, the following troubleshooting steps can be followed:

  1. Identify the IAM group(s) without any users: Use the AWS Management Console or AWS CLI (Command Line Interface) to list all IAM groups, then check each group's membership for any groups without assigned users.

     # AWS CLI Command
     aws iam list-groups

  2. Assign a user to the IAM group: Identify an appropriate user who requires access to the resources associated with the IAM group. Add the user to the IAM group using the AWS Management Console or AWS CLI.

     # AWS CLI Command
     aws iam add-user-to-group --group-name <IAM Group Name> --user-name <User Name>

  3. Verify the user's access: Ensure that the assigned user can access the resources associated with the IAM group. Perform necessary tests and validations to confirm proper access.

Necessary Codes

No specific codes are needed to enforce this rule. However, the following AWS CLI command can be used to list all IAM groups and their assigned users for verification or auditing purposes:

# AWS CLI Command
aws iam get-group --group-name <IAM Group Name>

Step-by-Step Guide for Remediation

Follow these steps to remediate the rule violation by assigning at least one user to the IAM group:

  1. Log in to the AWS Management Console or open a terminal to use the AWS CLI.

  2. Identify the IAM group without any assigned users.

  3. Choose or identify an appropriate user who requires access to the resources associated with the IAM group.

  4. Assign the user to the IAM group using the following AWS CLI command:

     # AWS CLI Command
     aws iam add-user-to-group --group-name <IAM Group Name> --user-name <User Name>

     Replace <IAM Group Name> with the name of the IAM group and <User Name> with the name of the user being assigned.

  5. Verify the user's access by performing necessary tests and validations to confirm proper access to the resources associated with the IAM group.

Repeat these steps for each IAM group that violates the rule until every group has at least one user assigned to it.
