
Check for Individual IAM Users

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-023

Ensure that the access to your AWS cloud services and resources is made only through individual IAM users instead of the root account user.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using individual IAM users (each with a specific set of permissions) to access your AWS cloud account eliminates the risk of compromising your root account credentials. To protect your AWS root account and follow IAM security best practices, Trend Cloud One™ – Conformity strongly recommends creating IAM users for everyday work with AWS services and resources, so that the root credentials are not used for routine access.


Audit

To determine if there are any individual IAM users created in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Check the Users listing page for any IAM users created for your AWS account. If no IAM users are listed on this page and the Amazon IAM console shows the message "There are no IAM users.", no IAM users have been created for your AWS account and console access is possible only via the root user (not recommended).

05 Repeat steps no. 1 – 4 for each AWS cloud account that you want to examine.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all the IAM users available within your AWS account:

aws iam list-users \
  --query 'Users[*].UserName'

02 The command output should return the requested IAM user identifiers (names):

[]

If the list-users command output returns an empty array (i.e. []), as shown in the example above, no Amazon IAM users have been created for your AWS account, and therefore console access is possible only via the root user (not recommended).

03 Repeat steps no. 1 and 2 for each AWS cloud account that you want to examine.
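The following script is an added example (not part of the Conformity page or its tooling) that automates the three CLI audit steps above across several AWS accounts. It wraps the same aws iam list-users command the page uses, with one named CLI profile per account, and classifies each account's output as PASS (individual IAM users exist) or FAIL (no IAM users, so only the root user can access the account). The profile names and the sample outputs embedded below are constructed for illustration; the classifier also accepts the unfiltered {"Users": [...]} document in case the --query filter is omitted.

```python
"""Multi-account audit for Conformity rule IAM-023 (individual IAM users).

Added example; wraps the `aws iam list-users` command from the page. The
profile names and sample outputs below are constructed, not real accounts.
"""
import json
import subprocess
from typing import Callable, Dict, List

RULE_ID = "IAM-023"


def evaluate_list_users_output(raw: str) -> Dict[str, object]:
    """Classify the JSON output of `aws iam list-users` for one account.

    Accepts either the filtered form produced by --query 'Users[*].UserName'
    (a JSON array of names) or the unfiltered document ({"Users": [...]}).
    An empty result means no IAM users exist, so the account can only be
    used through the root user: that is a FAIL for IAM-023.
    """
    data = json.loads(raw)
    if isinstance(data, dict):
        names = [u["UserName"] for u in data.get("Users", [])]
    elif isinstance(data, list):
        names = [str(n) for n in data]
    else:
        raise ValueError("unexpected list-users output shape")
    return {
        "rule": RULE_ID,
        "status": "PASS" if names else "FAIL",
        "users": sorted(names),
        "detail": ("individual IAM users exist" if names
                   else "no IAM users; only the root user can access this account"),
    }


def list_users_via_cli(profile: str) -> str:
    """Run the page's audit command for one named CLI profile (needs credentials)."""
    cmd = ["aws", "iam", "list-users", "--query", "Users[*].UserName",
           "--output", "json", "--profile", profile]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit_profiles(profiles: List[str],
                   fetch: Callable[[str], str] = list_users_via_cli) -> Dict[str, Dict[str, object]]:
    """Step 03 of the audit: repeat the check for every account (CLI profile)."""
    return {p: evaluate_list_users_output(fetch(p)) for p in profiles}


# Constructed sample outputs standing in for two accounts (not real data):
# "prod" has two IAM users, "sandbox" has none.
SAMPLE_OUTPUTS = {
    "prod": '["cc-project5-admin-user", "cc-ec2-instance-manager"]',
    "sandbox": "[]",
}


def demo() -> Dict[str, Dict[str, object]]:
    """Run the audit over the constructed samples instead of the live CLI."""
    return audit_profiles(list(SAMPLE_OUTPUTS), fetch=SAMPLE_OUTPUTS.__getitem__)


if __name__ == "__main__":
    for profile, finding in demo().items():
        print(f"{profile}: {finding['status']} - {finding['detail']}")
```

To run it against real accounts, call audit_profiles with the profile names from your AWS CLI configuration and the default fetch function; the classifier itself never touches the network, which is what makes it testable offline.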

Remediation / Resolution

To create IAM users necessary for everyday access to your AWS account, perform the following:

Note: As an example, a new IAM user with administrative privileges will be created to eliminate the need for using the root account. However, it is recommended to create individual IAM users for all the different roles within your organization, such as administrators, developers, security and compliance managers, etc.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Individual IAM User",
	"Resources": {
		"IAMUser": {
			"Type": "AWS::IAM::User",
			"Properties": {
				"UserName": "cc-ec2-instance-manager",
				"Path": "/",
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
				],
				"PermissionsBoundary": "arn:aws:iam::123456789012:policy/deny-production-access",
				"LoginProfile": {
					"Password": "[password]",
					"PasswordResetRequired": true
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Individual IAM User
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-ec2-instance-manager
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
      PermissionsBoundary: arn:aws:iam::123456789012:policy/deny-production-access
      LoginProfile:
        Password: '[password]'
        PasswordResetRequired: true
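Before deploying a template like the ones above, it is worth checking that every IAM user it declares keeps the safeguards the template relies on. The script below is an added example (not part of the Conformity page or of any AWS tooling): it parses a CloudFormation template as JSON and reports any AWS::IAM::User that lacks a PermissionsBoundary, that does not force a password reset, or whose LoginProfile.Password is a literal string in the template body. The page's JSON template is embedded as-is, so its "[password]" placeholder is reported as a literal; the hardened variant alongside it, which takes the password through a NoEcho parameter, is constructed for this example. Function names and finding texts are this example's own.

```python
"""Pre-deployment lint for AWS::IAM::User resources in a CloudFormation template.

Added example, not part of the Conformity page or of AWS tooling. It checks the
properties the page's template relies on for a safe individual user: a
PermissionsBoundary, PasswordResetRequired set to true, and no plaintext
console password embedded in the template body.
"""
import json
from typing import Any, Dict, List

# The JSON template from the page, unchanged (the "[password]" placeholder is
# a literal string, which the lint below reports).
PAGE_TEMPLATE_JSON = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Individual IAM User",
  "Resources": {
    "IAMUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "UserName": "cc-ec2-instance-manager",
        "Path": "/",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"],
        "PermissionsBoundary": "arn:aws:iam::123456789012:policy/deny-production-access",
        "LoginProfile": {"Password": "[password]", "PasswordResetRequired": true}
      }
    }
  }
}
"""

# Constructed hardened variant: the password arrives through a NoEcho
# parameter, so it is never stored in the template or echoed by the
# CloudFormation console/API.
HARDENED_TEMPLATE_JSON = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Individual IAM User (password via NoEcho parameter)",
  "Parameters": {
    "ConsolePassword": {"Type": "String", "NoEcho": true, "MinLength": 14}
  },
  "Resources": {
    "IAMUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "UserName": "cc-ec2-instance-manager",
        "Path": "/",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"],
        "PermissionsBoundary": "arn:aws:iam::123456789012:policy/deny-production-access",
        "LoginProfile": {"Password": {"Ref": "ConsolePassword"}, "PasswordResetRequired": true}
      }
    }
  }
}
"""


def lint_iam_users(template: Dict[str, Any]) -> List[str]:
    """Return one finding per weak property of every AWS::IAM::User resource."""
    findings: List[str] = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::User":
            continue
        props = res.get("Properties", {})
        if not props.get("PermissionsBoundary"):
            findings.append(f"{logical_id}: no PermissionsBoundary; the user's maximum permissions are unbounded")
        login = props.get("LoginProfile")
        if login is None:
            continue  # no console password: nothing further to check here
        if login.get("PasswordResetRequired") is not True:
            findings.append(f"{logical_id}: LoginProfile.PasswordResetRequired is not true")
        # An intrinsic function (e.g. {"Ref": ...}) is a dict; a str is a
        # plaintext password sitting in the template body.
        if isinstance(login.get("Password"), str):
            findings.append(f"{logical_id}: LoginProfile.Password is a literal string; supply it through a NoEcho parameter (Ref) instead")
    return findings


def lint_template_text(text: str) -> List[str]:
    """Parse a JSON template and lint it."""
    return lint_iam_users(json.loads(text))


if __name__ == "__main__":
    for name, text in (("page template", PAGE_TEMPLATE_JSON), ("hardened", HARDENED_TEMPLATE_JSON)):
        print(name, "->", lint_template_text(text) or "no findings")
```

The lint only reads JSON; a YAML template would first need to be converted (for example with a YAML parser that understands the CloudFormation short-form tags), which is deliberately left out here to keep the example dependency-free.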

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_user" "iam-user" {
	name                 = "cc-ec2-instance-manager"
	path                 = "/"
	permissions_boundary = "arn:aws:iam::123456789012:policy/deny-production-access"
}

resource "aws_iam_user_policy_attachment" "iam-user-attachment" {
	user       = aws_iam_user.iam-user.name
	policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

resource "aws_iam_user_login_profile" "user-login-profile" {
	user                    = aws_iam_user.iam-user.name
	# The AWS provider generates the console password itself and exports it as
	# the "password" attribute (or encrypted, if the optional pgp_key argument
	# is set); a plaintext password is not an accepted argument here.
	password_reset_required = true
}

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the Add user button from the console top menu to initiate the IAM user setup.

05 On the Add user setup page, perform the following actions:

  1. Provide a unique name for your new IAM user in the User name box. Choose Add another user if you want to create multiple IAM users at once.
  2. For Access type, choose AWS Management Console access to enable the password-based access for the new IAM user. This will allow the user to sign in to the AWS Management Console.
  3. For Console password, choose whether you want to use a custom password or an autogenerated one.
  4. (Optional) Select the Require password reset to require creating a new password at the next sign-in.
  5. Choose Next: Permissions to configure the IAM user permissions.
  6. For Set permissions, choose Attach existing policies directly to attach a managed policy to the new user based on your access requirements, or select Add user to group to add the new user to an existing group (if available).
  7. For Set permissions boundary, choose whether to set a permissions boundary to control the maximum permissions that the new IAM user can have.
  8. Choose Next: Tags to configure the user tags.
  9. Use the Key and Value (optional) text fields to create tags for your new user. Amazon IAM tags are key-value pairs that you can add to your user. Tags can include user information, such as an email address, or can be descriptive, such as a job title. You can use the tags to organize, track, or control access for the new IAM user.
  10. Select Next: Review to review the user configuration details, then choose Create user to create your new Amazon IAM user.
  11. Select Download .csv to download your new IAM user credentials.
  12. Choose Close to return to the Amazon IAM console.

06 In the navigation panel, choose Dashboard and copy the sign-in link listed under Sign-in URL for IAM users in this account to your clipboard.

07 Sign out from your AWS root account, paste the sign-in link copied at the previous step into your browser address bar, and sign in to the AWS Management Console with your new IAM user credentials.

Using AWS CLI

01 Run create-user command (OSX/Linux/UNIX) to create a new Amazon IAM user necessary for everyday access to your AWS cloud account:

aws iam create-user \
  --user-name cc-project5-admin-user

02 The command output should return the metadata available for the new IAM user:

{
	"User": {
		"Path": "/",
		"UserName": "cc-project5-admin-user",
		"UserId": "ABCDABCDABCDABCDABCDA",
		"Arn": "arn:aws:iam::123456789012:user/cc-project5-admin-user",
		"CreateDate": "2021-04-20T10:00:00+00:00"
	}
}

03 To define and attach identity-based policies to your new IAM user based on the policy type that you want to use, perform one of the following sets of commands:

  1. To attach managed IAM policies:
    • Run attach-user-policy command (OSX/Linux/UNIX) to attach the specified managed IAM policy to the specified IAM user. For example, attach a managed IAM policy identified by the ARN arn:aws:iam::aws:policy/AmazonEC2FullAccess if you want to provide full access to Amazon EC2 via the AWS Management Console (the command does not produce an output):
      aws iam attach-user-policy \
        --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess \
        --user-name cc-project5-admin-user

  2. To define and attach inline IAM policies:
    • To define an inline policy that allows access to your Amazon EC2 resources, paste the following policy document to a JSON file named cc-iam-user-inline-policy.json:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Action": "ec2:*",
      			"Effect": "Allow",
      			"Resource": "*"
      		},
      		{
      			"Effect": "Allow",
      			"Action": "elasticloadbalancing:*",
      			"Resource": "*"
      		},
      		{
      			"Effect": "Allow",
      			"Action": "cloudwatch:*",
      			"Resource": "*"
      		},
      		{
      			"Effect": "Allow",
      			"Action": "autoscaling:*",
      			"Resource": "*"
      		}
      	]
      }
      
    • Run put-user-policy command (OSX/Linux/UNIX) to attach the inline policy defined at the previous step to the specified IAM user (if successful, the command does not produce an output):
      aws iam put-user-policy \
        --user-name cc-project5-admin-user \
        --policy-name cc-ec2-full-access \
        --policy-document file://cc-iam-user-inline-policy.json


04 Run create-login-profile command (OSX/Linux/UNIX) to assign a password for your new Amazon IAM user. Replace <iam-user-password> with your own password:

aws iam create-login-profile \
  --user-name cc-project5-admin-user \
  --password <iam-user-password> \
  --no-password-reset-required

05 The command output should return the Amazon IAM user login profile metadata:

{
	"LoginProfile": {
		"UserName": "cc-project5-admin-user",
		"CreateDate": "2021-04-20T10:00:00+00:00",
		"PasswordResetRequired": false
	}
}
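The inline policy attached in step 03 grants four whole services on every resource (ec2:*, elasticloadbalancing:*, cloudwatch:* and autoscaling:*, each on Resource "*"), which is appropriate for the EC2-manager example but is exactly what a least-privilege review should surface before the user is handed to a person. The script below is an added example (not part of the Conformity page or of AWS tooling) that reads a policy document such as cc-iam-user-inline-policy.json and reports every Allow statement that combines a wildcard action with an unrestricted resource, together with the list of services those statements hand out in full. The page's policy document is embedded as the sample input; the scoped comparison policy and the function names are this example's own.

```python
"""Least-privilege review of an IAM identity-based policy document.

Added example, not part of the Conformity page. It flags Allow statements
whose Action contains a wildcard and whose Resource is "*", i.e. statements
that grant an entire service rather than a scoped set of operations.
Conditions, NotAction and NotResource are not interpreted; a statement using
them is reported only on its Action/Resource values.
"""
import json
from typing import Any, Dict, List, Tuple

# The inline policy document from the page (cc-iam-user-inline-policy.json).
PAGE_INLINE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"}
  ]
}
"""

# Constructed, narrower policy for comparison: read-only EC2 plus start/stop
# limited to one account's instances.
SCOPED_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"}
  ]
}
"""


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wide_allow_statements(doc: Dict[str, Any]) -> List[Tuple[int, str, str]]:
    """Return (statement index, action, resource) for each service-wide grant.

    A grant is "service-wide" when the action ends in a wildcard covering the
    whole service (e.g. "ec2:*" or "*") and the resource is "*". Prefix
    wildcards such as "ec2:Describe*" are scoped to a family of operations and
    are not reported here.
    """
    hits: List[Tuple[int, str, str]] = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service_wide = action == "*" or action.endswith(":*")
            for resource in _as_list(stmt.get("Resource")):
                if service_wide and resource == "*":
                    hits.append((idx, action, resource))
    return hits


def services_granted(doc: Dict[str, Any]) -> List[str]:
    """Services handed out in full by the wide statements ("*" means all services)."""
    services = set()
    for _, action, _ in wide_allow_statements(doc):
        services.add(action.split(":", 1)[0] if ":" in action else "*")
    return sorted(services)


def review(text: str) -> Dict[str, Any]:
    """Parse a policy document and summarise its service-wide grants."""
    doc = json.loads(text)
    wide = wide_allow_statements(doc)
    return {"wide_statements": wide, "services": services_granted(doc),
            "unrestricted": bool(wide)}


if __name__ == "__main__":
    for name, text in (("page inline policy", PAGE_INLINE_POLICY), ("scoped policy", SCOPED_POLICY)):
        result = review(text)
        print(f"{name}: {len(result['wide_statements'])} service-wide statement(s); "
              f"services: {result['services'] or 'none'}")
```

The output for the page's document lists all four services, which matches what the page intends (full EC2 access for this user); the value of the check is in running it on policies where such breadth was not intended, before they are attached with put-user-policy.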


Publication date May 20, 2016