Ensure that the access to your AWS cloud services and resources is made only through individual IAM users instead of the root account user.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using individual IAM users (with specific set of permissions) to access your AWS cloud account eliminates the risk of compromising your root account credentials. To protect your AWS root account and follow IAM security best practices, Trend Cloud One™ – Conformity strongly recommends creating IAM users for everyday work with AWS services and resources in order to avoid using the root credentials.
Audit
To determine if there are any individual IAM users created in your AWS cloud account, perform the following operations:
Remediation / Resolution
To create IAM users necessary for everyday access to your AWS account, perform the following:
Note: As example, a new IAM user with administrative privileges will be created to eliminate the need for using the root account. However, it is recommended to create individual IAM users for all the different roles within your organization such as administrators, developers, security and compliance managers, etc.References
- AWS Documentation
- AWS Identity and Access Management FAQs
- IAM Best Practices
- AWS Security Audit Guidelines
- Managing IAM Users
- Creating an IAM User in Your AWS Account
- AWS Command Line Interface (CLI) Documentation
- iam
- list-users
- create-user
- attach-user-policy
- put-user-policy
- create-login-profile
- AWS Blog(s)
- Adhere to IAM Best Practices in 2016