Ensure that each of your Amazon IAM users is used either for API access or for management console access, but not both, in order to reduce the risk of unauthorized access if that user's credentials (access keys or password) are compromised.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Segregating the IAM users within your account by controlling their privileges will help you maintain a secure AWS cloud environment. Trend Cloud One™ – Conformity strongly recommends that you follow the Principle of Least Privilege and grant your IAM users the minimum privileges necessary to perform their assigned tasks. Application users should use only access keys to access data in the AWS cloud programmatically, and administrators who need console access should use only passwords to manage AWS resources.
Audit
To determine if your IAM users have both access keys and passwords assigned for authentication, perform the following operations:
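The check itself, as an added example that is not Conformity's own code: it works over the JSON shapes returned by the `aws iam list-users`, `list-access-keys` and `get-login-profile` commands cited in the references, so the same logic can be fed real CLI or boto3 output; the user names and access key IDs below are constructed sample data.

```python
"""Flag IAM users that hold both an access key and a console password."""
from typing import Callable, Dict, List, Optional


def active_access_keys(keys_resp: dict, include_inactive: bool = False) -> List[str]:
    """Key IDs from a list-access-keys response; only Active keys count by default."""
    return [k["AccessKeyId"] for k in keys_resp.get("AccessKeyMetadata", [])
            if include_inactive or k.get("Status") == "Active"]


def has_console_password(profile_resp: Optional[dict]) -> bool:
    """get-login-profile fails with NoSuchEntity when no password is set;
    the caller maps that error to None, which means 'no console access'."""
    return bool(profile_resp and "LoginProfile" in profile_resp)


def find_dual_credential_users(
    users_resp: dict,
    list_access_keys: Callable[[str], dict],
    get_login_profile: Callable[[str], Optional[dict]],
    include_inactive: bool = False,
) -> Dict[str, List[str]]:
    """Return {user_name: [key ids]} for every user with an access key AND a password."""
    findings: Dict[str, List[str]] = {}
    for user in users_resp.get("Users", []):
        name = user["UserName"]
        keys = active_access_keys(list_access_keys(name), include_inactive)
        if keys and has_console_password(get_login_profile(name)):
            findings[name] = keys
    return findings


# Constructed sample data shaped like the CLI responses (not real accounts or keys).
SAMPLE_USERS = {"Users": [{"UserName": n} for n in ("app-svc", "admin-jane", "contractor-bob", "old-bot")]}
SAMPLE_KEYS = {
    "app-svc":        {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active"}]},
    "admin-jane":     {"AccessKeyMetadata": []},
    "contractor-bob": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active"}]},
    "old-bot":        {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive"}]},
}
# A user missing from this map stands in for a NoSuchEntity error from get-login-profile.
SAMPLE_PROFILES = {
    "admin-jane":     {"LoginProfile": {"UserName": "admin-jane", "PasswordResetRequired": False}},
    "contractor-bob": {"LoginProfile": {"UserName": "contractor-bob", "PasswordResetRequired": False}},
    "old-bot":        {"LoginProfile": {"UserName": "old-bot", "PasswordResetRequired": True}},
}

if __name__ == "__main__":
    flagged = find_dual_credential_users(SAMPLE_USERS, SAMPLE_KEYS.__getitem__, SAMPLE_PROFILES.get)
    for name, keys in flagged.items():
        print(f"NON-COMPLIANT: {name} has a console password and access key(s) {keys}")
```

Pass `include_inactive=True` to also surface users whose key is merely deactivated, since an inactive key can be reactivated and the remediation deletes keys rather than disabling them.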
Remediation / Resolution
References
- AWS Documentation
  - AWS Identity and Access Management (IAM) FAQs
  - Security best practices in IAM
  - Manage IAM users
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-users
    - list-access-keys
    - get-login-profile
    - delete-access-key
    - delete-login-profile