Ensure that your Amazon Identity and Access Management (IAM) users are members of at least one IAM group in order to adhere to IAM security best practices.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
As a cloud security best practice, it is strongly recommended to avoid assigning identity-based policies to individual IAM users or defining inline policies when creating an IAM user. Instead, you can assign policies to a group of IAM users or write inline policies when creating an IAM group. All the IAM users within your group will inherit the permissions assigned to the group. This streamlines the process of making changes to multiple user permissions and decreases the risk of accidentally giving individual IAM users excessive permissions. As people move around in your organization, you can simply change what IAM group their IAM user belongs to.
Audit
To determine if all IAM users available in your AWS cloud account have group memberships, perform the following actions:
Remediation / Resolution
To assign orphaned Identity and Access Management (IAM) users to IAM groups, perform the following actions:
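The audit and remediation steps above boil down to three AWS CLI calls referenced in this page: list every IAM user, check each user's group membership, and add the orphaned users to a group. The script below is an added example, not Cloud Conformity's own tooling; it parses the JSON shapes returned by `aws iam list-users` and `aws iam list-groups-for-user`, reports users with no group, and builds the matching `aws iam add-user-to-group` commands as a dry run. The user names and the `ReadOnlyUsers` target group are constructed for the example; pass `--live` to run the same logic against a real account through the AWS CLI (credentials required).

```python
"""Audit and dry-run remediation for IAM users with no group membership.

Added example (not Trend Micro Cloud Conformity's code). It consumes the
JSON that the real AWS CLI commands `aws iam list-users` and
`aws iam list-groups-for-user` return and builds `aws iam add-user-to-group`
commands. Sample data and the target group name are constructed.
"""
import json
import subprocess
from typing import Callable, Dict, List


def orphaned_users(list_users_output: dict,
                   groups_for_user: Callable[[str], dict]) -> List[str]:
    """Return the names of IAM users that belong to no IAM group.

    list_users_output - parsed JSON from `aws iam list-users`
    groups_for_user   - callable returning parsed JSON from
                        `aws iam list-groups-for-user --user-name <name>`
    """
    orphans = []
    for user in list_users_output.get("Users", []):
        name = user["UserName"]
        if not groups_for_user(name).get("Groups", []):
            orphans.append(name)
    return sorted(orphans)


def remediation_commands(orphans: List[str], group_name: str) -> List[List[str]]:
    """Build one `aws iam add-user-to-group` argv per orphaned user."""
    return [["aws", "iam", "add-user-to-group",
             "--user-name", user, "--group-name", group_name]
            for user in orphans]


# --- Live backend: shells out to the AWS CLI (needs valid credentials) ------
def _aws_json(*args: str) -> dict:
    out = subprocess.run(["aws", "iam", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def live_list_users() -> dict:
    return _aws_json("list-users")


def live_groups_for_user(user_name: str) -> dict:
    return _aws_json("list-groups-for-user", "--user-name", user_name)


# --- Constructed sample data (subset of the fields the CLI returns) ---------
SAMPLE_USERS = {"Users": [
    {"UserName": "alice"},
    {"UserName": "bob"},
    {"UserName": "carol"},
]}
SAMPLE_GROUPS: Dict[str, dict] = {
    "alice": {"Groups": [{"GroupName": "Developers"}]},
    "bob":   {"Groups": []},   # orphaned: no group membership
    "carol": {"Groups": []},   # orphaned: no group membership
}


def sample_groups_for_user(user_name: str) -> dict:
    return SAMPLE_GROUPS.get(user_name, {"Groups": []})


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv
    users = live_list_users() if live else SAMPLE_USERS
    lookup = live_groups_for_user if live else sample_groups_for_user
    orphans = orphaned_users(users, lookup)
    print("IAM users without group membership:", orphans or "none")
    # Dry run: print the remediation commands rather than executing them,
    # so the target group (assumed here) can be reviewed first.
    for cmd in remediation_commands(orphans, "ReadOnlyUsers"):
        print(" ".join(cmd))
```

The lookup is injected as a callable so the same audit logic runs against constructed data offline and against the CLI in live mode; printing the remediation commands instead of running them lets you confirm that the chosen group carries only the permissions those users actually need before any change is applied.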
References
- AWS Documentation
  - Security best practices in IAM
  - Managing IAM users
  - Adding and removing users in an IAM group
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-users
    - list-groups-for-user
    - add-user-to-group