IAM User Policies

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: IAM-016

Ensure that the existing IAM policies are attached only to groups in order to efficiently assign permissions to all the users within your AWS account.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Defining permissions at the IAM group level instead of the IAM user level allows you to manage user-based access to your AWS resources more efficiently. With this model you create groups, attach the necessary policies to each group, then assign IAM users to these groups as needed. The model has a few valuable advantages, such as removing duplication of information and effort, since you no longer need to define policies for each individual user, and letting you move existing users between groups as they take on different roles in your organization.


Audit

To determine if your IAM users have any policies attached, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Permissions tab.

06 Inside the Managed Policies section, search for any access policies available. If one or more policies are currently attached, the selected user's permissions configuration is not following AWS IAM best practices.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users within your account:

aws iam list-users \
	--query 'Users[*].UserName'

02 The command output should return an array that contains all your IAM user names:

[
    "John",
    "David",
    ...
    "Mark"
]

03 Run list-attached-user-policies command (OSX/Linux/UNIX) using the IAM user name that you want to examine as the command parameter to list all access policies that are currently attached to the user:

aws iam list-attached-user-policies \
	--user-name John

04 The command output should return an array that contains specific metadata (name and ARN) for each managed policy attached (if any):

{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        }
    ]
}

If the AttachedPolicies array is empty, i.e. [ ], the IAM user does not have any policies attached. If the AttachedPolicies array is not empty (as shown in the example above), the selected user has policies attached, hence its access permissions configuration is not following AWS IAM best practices.

05 Repeat steps no. 3 and 4 for each IAM user that you want to examine within your AWS account.

Remediation / Resolution

To change the access permissions model and attach policies to IAM groups instead of users, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Select the IAM user that has policies attached (see Audit section) and click on the user name to access its configuration page.

05 On the IAM user configuration page, select Permissions tab.

06 Under the Managed Policies section, copy each policy identifier displayed in the Policy Name column. Once the information is copied, click the Detach Policy link for each managed policy available in order to detach the policies from the selected user. These policies will be attached later at the group level.

07 In the left navigation panel, choose Groups.

08 Click the Create New Group button from the dashboard top menu to create the group that will contain the IAM user.

09 On the Set Group Name page, enter a name for the new group and click the Next Step button.

10 On the Attach Policy page, in the Filter box, search for the policy names copied at step no. 6 and select each policy returned. Once all policies are selected, click the Next Step button.

11 On the Review page, review the new group configuration then click the Create Group button.

12 Click on the newly created group name to continue the process.

13 On the group configuration page, select Users tab and click Add Users to Group button to add the necessary user.

14 On the Add Users to Group page, select the IAM user specified at step no. 4 and click the Add Users button. Once added, the user name will be listed in the Users tab.

15 Click on the user added at the previous step to access its configuration page. Inside the Managed Policies section, AWS should list all the policies attached to the IAM group, inherited automatically by the IAM user.

16 Repeat steps no. 4 – 15 for each IAM user with attached policies available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users within your account:

aws iam list-users \
	--query 'Users[*].UserName'

02 The command output should return an array that contains all your IAM user names:

[
    "John",
    "David",
    ...
    "Mark"
]

03 Run list-attached-user-policies command (OSX/Linux/UNIX) to list all the managed policies that are currently attached to the selected IAM user:

aws iam list-attached-user-policies \
	--user-name John

04 The command output should return an array that contains specific metadata (name and ARN) for each access policy attached (if any):

{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        }
    ]
}

05 To detach any managed policies from the selected IAM user, run detach-user-policy command (OSX/Linux/UNIX) using the policy Amazon Resource Name (ARN) returned at the previous step (no output returned):

aws iam detach-user-policy \
	--user-name John \
	--policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

06 Now run create-group command (OSX/Linux/UNIX) to create the group where the IAM user will live:

aws iam create-group \
	--group-name aws-s3-data-managers

07 The command output should return the new group metadata:

{
    "Group": {
        "Path": "/",
        "CreateDate": "2016-05-19T07:47:30.981Z",
        "GroupId": "AGPAIXPLN7ULQORAUJPFK",
        "Arn": "arn:aws:iam::123456789012:group/aws-s3-data-managers",
        "GroupName": "aws-s3-data-managers"
    }
}

08 Once the new group is available, you will need to attach the IAM user policies listed at step no. 4 to it, so that the user inherits them again once added to the group. To attach the managed policies, run attach-group-policy command (the command does not return an output):

aws iam attach-group-policy \
	--policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess \
	--group-name aws-s3-data-managers

09 Finally, run add-user-to-group command (OSX/Linux/UNIX) to add the selected IAM user to the newly created group:

aws iam add-user-to-group \
	--user-name John \
	--group-name aws-s3-data-managers

The IAM user will automatically inherit the group policies, and from now on all the user's permissions will be set at the group level, for better access security and management (following IAM best practices).

10 Repeat steps no. 3 – 9 for each IAM user with attached policies within your AWS account.
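As an added example (not Conformity's own tooling), the shell functions below wrap the CLI audit and remediation steps above: they list each user's directly attached managed policies, flag non-compliant users, and print the create-group/attach/add-user/detach commands as a dry-run plan rather than executing them, ordered so the group grants the permissions before the user's direct policies are detached. The group name is whatever the operator passes in; the script assumes the AWS CLI is configured with credentials allowed to call iam:ListUsers and iam:ListAttachedUserPolicies.

```shell
#!/usr/bin/env bash
# Added example, not Conformity's own tooling: audits every IAM user for
# directly attached managed policies (IAM-016) and prints the page's group-based
# remediation as a dry-run plan. Needs AWS CLI + iam:ListUsers/ListAttachedUserPolicies.
set -eu
# ARNs of managed policies attached directly to one user, one per line.
# Empty output means the user holds no direct policies (compliant).
attached_policy_arns() {
  aws iam list-attached-user-policies --user-name "$1" \
      --query 'AttachedPolicies[*].PolicyArn' --output text \
    | tr '\t' '\n' | sed -e '/^$/d' -e '/^None$/d'
}

# Exit status 0 when the user has no directly attached managed policies.
user_is_compliant() {
  [ -z "$(attached_policy_arns "$1")" ]
}

# Print (never execute) the remediation for one user. Unlike the page's step
# order, the group receives the policies and the user joins it BEFORE the
# direct policies are detached, so the user's access never lapses.
remediation_plan() {
  user="$1"; group="$2"
  arns="$(attached_policy_arns "$user")"
  [ -n "$arns" ] || return 0
  echo "aws iam create-group --group-name $group"
  printf '%s\n' "$arns" | while IFS= read -r arn; do
    echo "aws iam attach-group-policy --group-name $group --policy-arn $arn"
  done
  echo "aws iam add-user-to-group --user-name $user --group-name $group"
  printf '%s\n' "$arns" | while IFS= read -r arn; do
    echo "aws iam detach-user-policy --user-name $user --policy-arn $arn"
  done
}

# Report every non-compliant user; exit status 1 if any were found.
audit_all_users() {
  rc=0
  for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
    if ! user_is_compliant "$user"; then
      echo "NON-COMPLIANT: $user has directly attached managed policies"
      rc=1
    fi
  done
  return $rc
}
case "${1:-}" in        # usage: --audit | --plan <user> <group>
  --audit) audit_all_users ;;
  --plan) remediation_plan "$2" "$3" ;;
esac
```

Review the printed plan before running it; the script never modifies the account itself.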

Publication date May 20, 2016