IAM Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: IAM-054

The Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the Identity and Access Management (IAM) service level within your AWS account.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.

Security

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS services and resources. With IAM you centrally manage users, groups and roles, their security credentials (passwords, access keys, MFA devices) and the permissions that control which resources users and applications can access in your AWS account. In short, IAM decides who is authenticated (signed in) and authorized (has permissions) to use AWS resources.


Cloud Conformity RTMA can detect any IAM configuration change made within your AWS account, such as creating and deleting IAM users and roles, updating the password policy defined for the account, attaching and detaching access policies to and from IAM entities, and so on. Specifically, the activity detected by this RTMA rule is any request, whether made by the root user or an IAM principal through the AWS Management Console or programmatically through the AWS CLI or SDKs, that executes one of the following Identity and Access Management (IAM) service actions:

"AddUserToGroup" - Adds the specified IAM user to the specified group.

"AttachGroupPolicy" - Attaches the specified managed policy to the specified IAM group.

"AttachRolePolicy" - Attaches the specified managed policy to the specified IAM role.

"AttachUserPolicy" - Attaches the specified managed policy to the specified IAM user.

"ChangePassword" - Changes the password of the IAM user that is requesting this operation.

"CreateAccessKey" - Creates a new AWS secret access key and corresponding AWS access key ID for the specified IAM user.

"CreateAccountAlias" - Creates an alias for your Amazon Web Services account.

"CreateGroup" - Creates a new AWS IAM group.

"CreateLoginProfile" - Creates a password for the specified IAM user, allowing the user to access AWS services through the AWS Management Console.

"CreateOpenIDConnectProvider" - Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).

"CreatePolicy" - Creates a new managed policy for your AWS account.

"CreatePolicyVersion" - Creates a new version of the specified managed policy.

"CreateRole" - Creates a new IAM role for your AWS account.

"CreateSAMLProvider" - Creates an IAM resource that describes an identity provider (IdP) that supports SAML version 2.0.

"CreateServiceLinkedRole" - Creates an IAM role that is linked to a specific AWS service.

"CreateServiceSpecificCredential" - Generates a set of credentials (i.e. a user name and a password) that can be used to access the AWS service specified in the request.

"CreateUser" - Creates a new IAM user for your AWS account.

"CreateVirtualMFADevice" - Creates a new virtual MFA device for your AWS account.

"DeactivateMFADevice" - Deactivates the specified MFA device and removes it from its associated IAM user.

"DeleteAccessKey" - Deletes the access key pair associated with the specified IAM user.

"DeleteAccountAlias" - Deletes the specified AWS account alias.

"DeleteAccountPasswordPolicy" - Deletes the password policy for your AWS account.

"DeleteGroup" - Deletes the specified AWS IAM group.

"DeleteGroupPolicy" - Deletes the specified inline policy that is embedded within the specified IAM group.

"DeleteLoginProfile" - Deletes the password for the specified IAM user, which terminates the IAM user's ability to access AWS services using the AWS Management Console.

"DeleteOpenIDConnectProvider" - Deletes an OpenID Connect identity provider (IdP) resource object in AWS IAM.

"DeletePolicy" - Deletes the specified managed access policy.

"DeletePolicyVersion" - Deletes the specified version from the specified managed access policy.

"DeleteRole" - Deletes the specified IAM role.

"DeleteRolePermissionsBoundary" - Deletes the permissions boundary for the specified IAM role.

"DeleteRolePolicy" - Deletes the specified inline policy that is embedded within the specified IAM role.

"DeleteSAMLProvider" - Deletes a SAML provider resource in AWS IAM.

"DeleteServerCertificate" - Deletes the specified server certificate.

"DeleteServiceLinkedRole" - Submits a service-linked role deletion request and returns a DeletionTaskId ID, which you can use to check the status of the deletion request.

"DeleteServiceSpecificCredential" - Deletes the specified service-specific credential.

"DeleteSigningCertificate" - Deletes a signing certificate associated with the specified IAM user.

"DeleteSSHPublicKey" - Deletes the specified SSH public key.

"DeleteUser" - Deletes the specified AWS IAM user.

"DeleteUserPermissionsBoundary" - Deletes the permissions boundary for the specified IAM user.

"DeleteUserPolicy" - Deletes the specified inline policy that is embedded within the specified IAM user.

"DeleteVirtualMFADevice" - Deletes a virtual Multi-factor authentication (MFA) device.

"DetachGroupPolicy" - Removes the specified managed policy from the specified IAM group.

"DetachRolePolicy" - Removes the specified managed access policy from the specified role.

"DetachUserPolicy" - Removes the specified managed policy from the specified user.

"EnableMFADevice" - Enables the specified MFA device and associates it with the specified IAM user.

"PutGroupPolicy" - Adds or updates an inline policy document that is embedded within the specified IAM group.

"PutRolePermissionsBoundary" - Adds or updates the policy that is specified as the IAM role's permissions boundary.

"PutRolePolicy" - Adds or updates an inline policy document that is embedded within the specified IAM role.

"PutUserPermissionsBoundary" - Adds or updates the policy that is specified as the IAM user's permissions boundary.

"PutUserPolicy" - Adds or updates an inline policy document that is embedded within the specified IAM user.

"RemoveClientIDFromOpenIDConnectProvider" - Removes the specified client ID from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object.

"RemoveUserFromGroup" - Removes the specified IAM user from the specified group.

"ResetServiceSpecificCredential" - Resets the password for an AWS service-specific credential.

"SetDefaultPolicyVersion" - Sets the specified version of the specified policy as the policy's default version.

"UpdateAccessKey" - Changes the status of the specified access key from Active to Inactive, or vice versa.

"UpdateAccountPasswordPolicy" - Updates the password policy settings for your AWS account.

"UpdateAssumeRolePolicy" - Updates the policy that allows an IAM entity permission to assume an IAM role.

"UpdateGroup" - Updates the name and/or the path of the specified IAM group.

"UpdateLoginProfile" - Changes the password for the specified AWS IAM user.

"UpdateOpenIDConnectProviderThumbprint" - Replaces the existing set of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new set of thumbprints.

"UpdateRole" - Updates the description or maximum session duration setting of an IAM role.

"UpdateSAMLProvider" - Updates the metadata document for an existing SAML provider resource object.

"UpdateServerCertificate" - Updates the name and/or the path of the specified server certificate stored within AWS IAM.

"UpdateServiceSpecificCredential" - Sets the status of a service-specific credential to Active or Inactive.

"UpdateSigningCertificate" - Changes the status of the specified user signing certificate from Active to Disabled, or vice versa.

"UpdateSSHPublicKey" - Sets the status of an IAM user's SSH public key to Active or Inactive.

"UpdateUser" - Updates the name and/or the path of the specified AWS IAM user.

"UploadServerCertificate" - Uploads a server certificate entity for your AWS account.

"UploadSigningCertificate" - Uploads an X.509 signing certificate and associates it with the specified AWS IAM user.

"UploadSSHPublicKey" - Uploads an SSH public key and associates it with the specified AWS IAM user.

AWS IAM determines which users may access the services and resources in your Amazon Web Services account and which actions they may perform on them. Therefore, Cloud Conformity strongly recommends that you avoid, as far as possible, granting non-privileged IAM users permission to change the Identity and Access Management (IAM) service configuration. Because some of the listed actions are routine in most accounts (password and MFA self-service, deployment pipelines creating or updating roles), triage each alert by who made the change and which action was executed rather than treating every event the same way.
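The following is an added example and not Conformity's RTMA code: it shows the two checks a practitioner would build from the material above. `detect_iam_changes` runs the action list from this rule over CloudTrail records (constructed here, with a made-up account ID) and tags each hit with the facts needed for triage: who acted, whether it was the root user, whether the attempt was denied, and whether the action belongs to an assumed high-risk subset that is this example's own classification, not part of the rule. `allowed_iam_changes` then audits a policy document for the right to perform any of those actions, so you can find the "non-privileged" users the recommendation above is about. The policy evaluator is deliberately simplified (it ignores Resource, Condition and NotAction and so reports an upper bound), and the sample policies omit the `Version` key for brevity; the hardened policy follows the usual password/MFA self-service pattern and still allows three monitored actions, which is why this rule is rated Low rather than silenced.

```python
"""Added example (not Conformity's RTMA code): triage IAM configuration
changes found in CloudTrail records, and audit a policy document for the
right to make such changes. Records and policies are constructed inline."""
import fnmatch

# The 70 IAM write actions listed above, as covered by rule IAM-054.
MONITORED_ACTIONS = frozenset("""
AddUserToGroup AttachGroupPolicy AttachRolePolicy AttachUserPolicy ChangePassword
CreateAccessKey CreateAccountAlias CreateGroup CreateLoginProfile
CreateOpenIDConnectProvider CreatePolicy CreatePolicyVersion CreateRole
CreateSAMLProvider CreateServiceLinkedRole CreateServiceSpecificCredential
CreateUser CreateVirtualMFADevice DeactivateMFADevice DeleteAccessKey
DeleteAccountAlias DeleteAccountPasswordPolicy DeleteGroup DeleteGroupPolicy
DeleteLoginProfile DeleteOpenIDConnectProvider DeletePolicy DeletePolicyVersion
DeleteRole DeleteRolePermissionsBoundary DeleteRolePolicy DeleteSAMLProvider
DeleteServerCertificate DeleteServiceLinkedRole DeleteServiceSpecificCredential
DeleteSigningCertificate DeleteSSHPublicKey DeleteUser DeleteUserPermissionsBoundary
DeleteUserPolicy DeleteVirtualMFADevice DetachGroupPolicy DetachRolePolicy
DetachUserPolicy EnableMFADevice PutGroupPolicy PutRolePermissionsBoundary
PutRolePolicy PutUserPermissionsBoundary PutUserPolicy
RemoveClientIDFromOpenIDConnectProvider RemoveUserFromGroup
ResetServiceSpecificCredential SetDefaultPolicyVersion UpdateAccessKey
UpdateAccountPasswordPolicy UpdateAssumeRolePolicy UpdateGroup UpdateLoginProfile
UpdateOpenIDConnectProviderThumbprint UpdateRole UpdateSAMLProvider
UpdateServerCertificate UpdateServiceSpecificCredential UpdateSigningCertificate
UpdateSSHPublicKey UpdateUser UploadServerCertificate UploadSigningCertificate
UploadSSHPublicKey
""".split())

# Assumed triage split (not part of the rule): grants/restores access or weakens a control.
HIGH_RISK = frozenset("""
AttachUserPolicy AttachRolePolicy AttachGroupPolicy PutUserPolicy PutRolePolicy
PutGroupPolicy CreatePolicyVersion SetDefaultPolicyVersion UpdateAssumeRolePolicy
AddUserToGroup CreateAccessKey CreateLoginProfile UpdateLoginProfile
CreateServiceSpecificCredential UploadSSHPublicKey UploadSigningCertificate
DeactivateMFADevice DeleteVirtualMFADevice DeleteAccountPasswordPolicy
DeleteRolePermissionsBoundary DeleteUserPermissionsBoundary
""".split())


def detect_iam_changes(records):
    """One alert per CloudTrail record that is a monitored IAM action. Denied
    attempts (errorCode present) are reported too: a probe for iam:* rights
    is worth knowing about even when IAM said no."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "iam.amazonaws.com" or name not in MONITORED_ACTIONS:
            continue
        ident = rec.get("userIdentity", {})
        alerts.append({
            "eventName": name,
            "actor": ident.get("arn", ident.get("type")),
            "root": ident.get("type") == "Root",  # root touching IAM: always escalate
            "high_risk": name in HIGH_RISK,
            "denied": "errorCode" in rec,
        })
    return alerts


def allowed_iam_changes(policy):
    """Monitored IAM actions a policy document allows: an upper bound, since
    Resource, Condition and NotAction are ignored. Explicit Deny beats Allow,
    as in real IAM evaluation; action matching is case-insensitive with '*'/'?'."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        hit = {a for a in MONITORED_ACTIONS
               if any(fnmatch.fnmatchcase("iam:" + a.lower(), p.lower()) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hit)
    return allowed - denied


# Constructed CloudTrail records (not real log data); the account ID is made up.
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": ALICE},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": ROOT},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetUser", "userIdentity": ALICE},  # read-only
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccountPasswordPolicy",
     "userIdentity": ALICE, "errorCode": "AccessDenied"},  # attempted, refused by IAM
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": ALICE},
]

# Weak: a "non-privileged" user who can nonetheless rewrite IAM ("Version" key omitted).
WEAK_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"}]}
# Corrected: IAM read-only, plus password/MFA self-service on the caller's own identity.
HARDENED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:ChangePassword", "iam:EnableMFADevice"],
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    {"Effect": "Allow", "Action": "iam:CreateVirtualMFADevice",
     "Resource": "arn:aws:iam::123456789012:mfa/${aws:username}"}]}
# Guardrail: broad rights elsewhere, but an explicit Deny on every IAM write.
GUARDRAIL_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                                  {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
```

Running `detect_iam_changes(SAMPLE_RECORDS)` yields three alerts (the read-only GetUser and the EC2 event are skipped): alice's CreateAccessKey is high risk, root's AttachUserPolicy is high risk and flagged as root, and alice's refused DeleteAccountPasswordPolicy is reported as denied. `allowed_iam_changes` returns all 70 monitored actions for the weak policy, only the three self-service actions for the hardened one, and nothing for the guardrail policy, because its explicit Deny wins over the broad Allow. To run this against a real trail, feed it the `Records` array of a CloudTrail log file; the field names used here are the ones CloudTrail emits.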

The communication channels used for RTMA notifications are configured in your Cloud Conformity account. The supported channels for receiving IAM configuration change alerts are SMS, email, PagerDuty, Slack, ServiceNow and Zendesk.

Remediation / Resolution

Because AWS Identity and Access Management (IAM) is the main point of access control for the resources and services in your AWS account, monitoring IAM configuration changes is vital to keeping your AWS environment secure. As a security best practice, you should be aware of every configuration change made at the IAM service level. Using Cloud Conformity RTMA to monitor IAM configuration changes lets you detect accidental or malicious modifications early, before they lead to security breaches, data leaks, data loss or unexpected charges on your AWS bill.

Publication date Dec 16, 2018