Check for IAM User Group Membership

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-070

Ensure that your Amazon Identity and Access Management (IAM) users are members of at least one IAM group in order to adhere to IAM security best practices.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

As a cloud security best practice, it is strongly recommended to avoid assigning identity-based policies to individual IAM users or defining inline policies when creating an IAM user. Instead, you can assign policies to a group of IAM users or write inline policies when creating an IAM group. All the IAM users within your group will inherit the permissions assigned to the group. This streamlines the process of making changes to multiple user permissions and decreases the risk of accidentally giving individual IAM users excessive permissions. As people move around in your organization, you can simply change what IAM group their IAM user belongs to.


Audit

To determine if all IAM users available in your AWS cloud account have group memberships, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, select Users.

04 Click on the name (link) of the IAM user that you want to examine.

05 On the Summary page, select the Groups tab to view the groups that the selected IAM user belongs to. If there are no groups listed on the Groups panel, the selected Identity and Access Management (IAM) user is not a member of at least one IAM group.

06 Repeat steps no. 4 and 5 to verify group membership for the other IAM users available in your AWS cloud account.

Using AWS CLI

01 Run the list-users command (OSX/Linux/UNIX) with custom query filters to list the names of all Amazon IAM users available within your AWS account:

aws iam list-users \
	--output table \
	--query 'Users[*].UserName'

02 The command output should return a table with the requested IAM user identifiers:

---------------------------
|        ListUsers        |
+-------------------------+
|  cc-project5-ec2-user   |
|  cc-project5-rds-user   |
|  cc-cloud-app-developer |
|  cc-cloud-app-manager   |
+-------------------------+

03 Run the list-groups-for-user command (OSX/Linux/UNIX), passing the name of the Amazon IAM user that you want to examine as the identifier parameter, together with custom query filters, to list the IAM group(s) that the selected IAM user belongs to:

aws iam list-groups-for-user \
	--user-name cc-project5-ec2-user \
	--query 'Groups[*].GroupName'

04 The command output should return the name of each IAM group associated with the selected user:

[]

If the list-groups-for-user command returns an empty array (i.e., []), as shown in the example above, the selected Identity and Access Management (IAM) user does not belong to any IAM group.

05 Repeat steps no. 3 and 4 to determine the group membership of the other IAM users created within your AWS cloud account.

Remediation / Resolution

To assign orphaned Identity and Access Management (IAM) users to IAM groups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, select Users.

04 Click on the name (link) of the IAM user that you want to reconfigure.

05 On the Summary page, select the Groups tab.

06 Select Add user to groups and choose the group that the selected IAM user will be added to.

07 Choose Add to Groups to assign the IAM user to the selected group. The IAM user will inherit the permissions assigned to the selected IAM group.

08 Trend Cloud One™ – Conformity strongly recommends using IAM groups to assign permissions to IAM users. To define permissions at the IAM group level instead of user level, follow the steps outlined in this conformity rule.

09 Repeat steps no. 4 – 8 to configure the group membership for the other IAM users available in your AWS cloud account.

Using AWS CLI

01 Run the add-user-to-group command (OSX/Linux/UNIX), passing the name of the Amazon IAM user that you want to reconfigure as the identifier parameter (see the Audit section, part II, to identify the right identity), to add the selected IAM user to the specified IAM group. Once added, the user inherits the permissions assigned to that IAM group. The following command example adds a user named "cc-project5-ec2-user" to a group named "cc-project5-user-group" (the command does not produce any output):

aws iam add-user-to-group \
	--user-name cc-project5-ec2-user \
	--group-name cc-project5-user-group

02 Trend Cloud One™ – Conformity recommends using IAM groups to assign permissions to IAM users. To define permissions at the IAM group level instead of user level, follow the steps outlined in this conformity rule.

03 Repeat steps no. 1 and 2 to configure the group membership for the other IAM users created within your AWS cloud account.
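The Audit (CLI) and Remediation (CLI) steps above are one loop over every IAM user: list the users, call list-groups-for-user for each, flag those that return an empty array, and (after review) run add-user-to-group for the flagged ones. The script below is an added example and not part of the Conformity rule or the AWS CLI; it uses the boto3 IAM client method names list_users(), list_groups_for_user() and add_user_to_group() and their response keys (Users, Groups, IsTruncated, Marker), and it follows the Marker pagination that the one-shot CLI call in step 01 hides. The FakeIam class, the group names and the memberships table are constructed so that it runs offline; with a real account you would pass boto3.client("iam") instead. The user names come from the rule's sample output; the target group "cc-project5-user-group" comes from the remediation command.

```python
"""Audit IAM users for missing group membership and plan or apply the fix.

Added example; not code from the Conformity rule page. The functions accept
any object exposing the boto3 IAM client methods list_users(),
list_groups_for_user() and add_user_to_group() (pass boto3.client("iam") for a
real account). FakeIam is a constructed in-memory stand-in for offline runs.
"""
from typing import Dict, List


def iter_user_names(iam) -> List[str]:
    """Return every IAM user name, following IsTruncated/Marker pagination."""
    names: List[str] = []
    kwargs: Dict[str, str] = {}
    while True:
        page = iam.list_users(**kwargs)
        names.extend(user["UserName"] for user in page["Users"])
        if not page.get("IsTruncated"):
            return names
        kwargs = {"Marker": page["Marker"]}  # fetch the next page


def find_orphaned_users(iam) -> List[str]:
    """Audit: users whose list-groups-for-user result is the empty array []."""
    orphaned: List[str] = []
    for name in iter_user_names(iam):
        groups = iam.list_groups_for_user(UserName=name)["Groups"]
        if not groups:
            orphaned.append(name)
    return orphaned


def remediate_orphaned_users(iam, group_name: str, dry_run: bool = True) -> List[str]:
    """Remediation: add each orphaned user to group_name (add-user-to-group).

    dry_run=True (the default) changes nothing and returns the plan, so the
    list can be reviewed before any permissions are inherited from the group.
    """
    orphaned = find_orphaned_users(iam)
    if not dry_run:
        for name in orphaned:
            iam.add_user_to_group(UserName=name, GroupName=group_name)
    return orphaned


class FakeIam:
    """Constructed stand-in mirroring the boto3 IAM call/response shape.

    memberships maps user name -> list of group names. Users are served in
    pages of page_size so that the pagination path is exercised.
    """

    def __init__(self, memberships: Dict[str, List[str]], page_size: int = 2):
        self._memberships = memberships
        self._page_size = page_size

    def list_users(self, Marker: str = "0"):
        start = int(Marker)
        names = sorted(self._memberships)
        chunk = names[start:start + self._page_size]
        resp = {"Users": [{"UserName": n} for n in chunk], "IsTruncated": False}
        if start + self._page_size < len(names):
            resp["IsTruncated"] = True
            resp["Marker"] = str(start + self._page_size)
        return resp

    def list_groups_for_user(self, UserName: str):
        return {"Groups": [{"GroupName": g} for g in self._memberships[UserName]]}

    def add_user_to_group(self, UserName: str, GroupName: str):
        self._memberships[UserName].append(GroupName)


# Constructed sample: user names from the rule's list-users output; the two
# project5 users have no group, the app users sit in hypothetical groups.
SAMPLE_MEMBERSHIPS = {
    "cc-project5-ec2-user": [],
    "cc-project5-rds-user": [],
    "cc-cloud-app-developer": ["cc-cloud-app-developers"],
    "cc-cloud-app-manager": ["cc-cloud-app-managers"],
}


def new_sample_client() -> FakeIam:
    """Fresh FakeIam seeded with a copy of SAMPLE_MEMBERSHIPS."""
    return FakeIam({user: list(groups) for user, groups in SAMPLE_MEMBERSHIPS.items()})


if __name__ == "__main__":
    iam = new_sample_client()
    print("orphaned IAM users:", find_orphaned_users(iam))
    remediate_orphaned_users(iam, "cc-project5-user-group", dry_run=False)
    print("orphaned after remediation:", find_orphaned_users(iam))
```

Running it against the sample reports the two project5 users as orphaned, and after a non-dry run the audit returns an empty list. Keep dry_run=True on a real account until the group you are adding users to has been reviewed, since every user added immediately inherits that group's permissions.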

Publication date Dec 30, 2020