Receive Permissions via IAM Groups Only

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-071

Ensure that your Amazon IAM users are getting their access permissions only through IAM groups in order to follow the Principle of Least Privilege (POLP) and allow you to manage more efficiently user-based access to your AWS resources.

This rule can help you with the following compliance standards:

  • CISAWSF

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

IAM users are granted access to AWS cloud services, resources, and data through IAM policies. You can define policies for an IAM user by:

  1. editing the user's policy directly (an inline policy embedded in the user),
  2. attaching a managed policy directly to the user, or
  3. adding the user to an IAM group and assigning the required policy to that group.

To follow IAM security best practices, only the third method is recommended. Assigning access policies only through IAM groups unifies permissions management in a single, flexible layer that mirrors organizational job functions. Instead of defining permissions for individual IAM users, create IAM groups that correspond to job functions (administrators, developers, testers, etc.) and add users to these groups as needed, or move users between groups as their roles in your organization change. All the users within an IAM group inherit the permissions assigned to that group, so a change made in one place applies to every member. By unifying permissions management, the likelihood of excessive permissions is reduced.

Audit

To determine if your IAM users receive permissions through IAM groups only, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name of the IAM user that you want to examine.

05 Select the Permissions tab to view the identity-based policies attached directly to the selected IAM user.

06 In the Permissions policies section, check for any managed and/or inline policies attached to the selected IAM user. If one or more identity-based policies are attached to the user, the selected Amazon IAM user does not receive access permissions through IAM groups only.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available within your AWS cloud account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM users available in your AWS account:

aws iam list-users \
  --output table \
  --query 'Users[*].UserName'

02 The command output should return a table with the requested IAM user identifiers:

------------------------
|      ListUsers       |
+----------------------+
|  cc-aws-ec2-manager  |
|  cc-project5-admin   |
+----------------------+

03 Run list-attached-user-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom filtering to list the name of each managed policy attached to the selected IAM user:

aws iam list-attached-user-policies \
  --user-name cc-aws-ec2-manager \
  --output table \
  --query 'AttachedPolicies[*].PolicyName'

04 The command output should return a table with the requested IAM managed policy name(s):

--------------------------------
|   ListAttachedUserPolicies   |
+------------------------------+
|  AmazonEC2FullAccess         |
|  CloudWatchAgentAdminPolicy  |
+------------------------------+

05 Run list-user-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom query filters to list the name of each inline policy associated with the selected IAM user:

aws iam list-user-policies \
  --user-name cc-aws-ec2-manager \
  --output table \
  --query 'PolicyNames'

06 The command output should return a table with the requested inline IAM policy name(s):

----------------------------------
|        ListUserPolicies        |
+--------------------------------+
|  cc-ec2-access-inline-policy   |
|  cc-ec2-manager-inline-policy  |
+--------------------------------+

07 If the selected Amazon IAM user is associated with one or more managed policies (as shown at step no. 4) and/or inline policies (as shown at step no. 6), the IAM user has one or more identity-based policies attached, therefore the selected user does not receive access permissions through IAM groups only.

08 Repeat steps no. 3 – 7 for each IAM user that you want to examine, available in your AWS cloud account.

Remediation / Resolution

To change the permissions configuration for your Amazon IAM users in order to receive access permissions through IAM groups only, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

  1. Step 1: Remove the associated policy from your IAM user:
    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Description": "Remove policy from Amazon IAM user",
    	"Resources": {
    		"IAMUser": {
    			"Type": "AWS::IAM::User",
    			"Properties": {
    				"UserName": "cc-database-manager"
    			}
    		},
    		"IAMUserPolicy": {
    			"Type": "AWS::IAM::Policy",
    			"Properties": {
    				"PolicyName": "cc-rds-full-access",
    				"PolicyDocument": {
    					"Version": "2012-10-17",
    					"Statement": [
    						{
    							"Effect": "Allow",
    							"Action": "rds:*",
    							"Resource": "*"
    						}
    					]
    				},
    				"Users": [ { "Ref": "IAMUser" } ]
    			}
    		}
    	}
    }
    
  2. Step 2: Attach the policy removed from your IAM user to the new IAM group, and add your IAM user to this group:
    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Resources": {
    		"IAMGroup": {
    			"Type": "AWS::IAM::Group",
    			"Properties": {
    				"GroupName": "cc-database-admin-group"
    			}
    		},
    		"IAMUser": {
    			"Type": "AWS::IAM::User",
    			"Properties": {
    				"UserName": "cc-database-manager"
    			}
    		},
    		"IAMGroupPolicy": {
    			"Type": "AWS::IAM::Policy",
    			"Properties": {
    				"PolicyName": "cc-rds-full-access",
    				"PolicyDocument": {
    					"Version": "2012-10-17",
    					"Statement": [
    						{
    							"Effect": "Allow",
    							"Action": "rds:*",
    							"Resource": "*"
    						}
    					]
    				},
    				"Groups": [
    					{
    						"Ref": "IAMGroup"
    					}
    				]
    			}
    		},
    		"AddUserToGroup": {
    			"Type": "AWS::IAM::UserToGroupAddition",
    			"Properties": {
    				"GroupName": {
    					"Ref": "IAMGroup"
    				},
    				"Users": [
    					{
    						"Ref": "IAMUser"
    					}
    				]
    			}
    		}
    	}
    }
    

02 CloudFormation template (YAML):

  1. Step 1: Remove the associated policy from your IAM user:
    AWSTemplateFormatVersion: '2010-09-09'
    Description: Remove policy from Amazon IAM user
    Resources:
      IAMUser:
        Type: AWS::IAM::User
        Properties:
          UserName: cc-database-manager
      IAMUserPolicy:
        Type: AWS::IAM::Policy
        Properties:
          PolicyName: cc-rds-full-access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 'rds:*'
                Resource: '*'
          Users:
            - Ref: IAMUser
    
  2. Step 2: Attach the policy removed from your IAM user to the new IAM group, and add your IAM user to this group:
    AWSTemplateFormatVersion: '2010-09-09'
    Resources:
      IAMGroup:
        Type: AWS::IAM::Group
        Properties:
          GroupName: cc-database-admin-group
      IAMUser:
        Type: AWS::IAM::User
        Properties:
          UserName: cc-database-manager
      IAMGroupPolicy:
        Type: AWS::IAM::Policy
        Properties:
          PolicyName: cc-rds-full-access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 'rds:*'
                Resource: '*'
          Groups:
            - !Ref 'IAMGroup'
      AddUserToGroup:
        Type: AWS::IAM::UserToGroupAddition
        Properties:
          GroupName: !Ref 'IAMGroup'
          Users:
            - !Ref 'IAMUser'
    

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

  1. Step 1: Remove the associated policy from your IAM user:
    terraform destroy -target aws_iam_policy.cc-rds-full-access
    
  2. Step 2: Attach the policy removed from your IAM user to the new IAM group, and add your IAM user to this group:
    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_iam_user" "iam-user" {
    	name = "cc-database-manager"
    }
    
    resource "aws_iam_policy" "iam-policy" {
    	name = "cc-rds-full-access"
    	policy = <<EOF
    	{
    		"Version": "2012-10-17",
    		"Statement": [
    			{
    				"Effect": "Allow",
    				"Action": "rds:*",
    				"Resource": "*"
    			}
    		]
    	}
    	EOF
    }
    
    resource "aws_iam_group" "iam-group" {
    	name = "cc-database-admin-group"
    }
    
    resource "aws_iam_policy_attachment" "iam-group-attachment" {
    	name       = "iam-group-attachment"
    	groups     = [aws_iam_group.iam-group.name]
    	policy_arn = aws_iam_policy.iam-policy.arn
    }
    
    resource "aws_iam_user_group_membership" "iam-user-group-membership" {
    	user = aws_iam_user.iam-user.name
    	groups = [
    		aws_iam_group.iam-group.name
    	]
    }
    

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose User groups.

04 Click on the Create group button from the console top menu to initiate the IAM group setup.

05 On the Create user group setup page, perform the following operations:

  1. Enter a unique name for your new IAM group in the User group name box.
  2. For Attach permissions policies – Optional, select the permissions policies required to provide access to the group members. Follow the Principle of Least Privilege (POLP) and give the group members the minimal amount of access required to perform their tasks. You can configure permissions that relate to job functions such as administrators, developers, and testers, and add users to the group as needed. All the IAM users added to this group (i.e. group members) will inherit the permissions assigned to the group at this step.
  3. Choose Create group to create your new IAM group.

06 Click on the name of the newly created Amazon IAM group.

07 Select the Users tab and choose Add users.

08 Select the IAM user(s) that you want to add to your new group. Choose Add users to save the changes.

09 In the navigation panel, under Access management, choose Users.

10 Click on the name of the user added to the new IAM group at step no. 8.

11 Select the Permissions tab to view the identity-based policies attached to the selected IAM user.

12 Perform the following actions to detach the identity-based policies from the selected user:

  1. In the Permissions policies section, under Attached directly, detach each managed/inline policy from the selected IAM user by clicking the x (detach) icon.
  2. Inside the Detach policy confirmation box, choose Detach to confirm the action.

13 Repeat steps no. 10 – 12 for each user assigned to the IAM group created at step no. 5.

Using AWS CLI

01 Run create-group command (OSX/Linux/UNIX) to create a new IAM group for your users:

aws iam create-group \
  --group-name cc-ec2-admins-group

02 The command output should return the metadata available for the new IAM group:

{
	"Group": {
		"Path": "/",
		"CreateDate": "2021-08-11T10:00:00Z",
		"GroupId": "AAAABBBBCCCCDDDDEEEEF",
		"Arn": "arn:aws:iam::123456789012:group/cc-ec2-admins-group",
		"GroupName": "cc-ec2-admins-group"
	}
}

03 Run attach-group-policy command (OSX/Linux/UNIX) to attach the permissions policies required to provide access to the group members. Follow the Principle of Least Privilege and give the group members the minimal amount of access required to perform their tasks. You can configure permissions that relate to job functions such as administrators, developers, and accounting, and add users to the group as needed. All the group members will inherit the permissions assigned to the IAM group at this step (the command does not produce an output):

aws iam attach-group-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess \
  --group-name cc-ec2-admins-group

04 Run add-user-to-group command (OSX/Linux/UNIX) to add the specified IAM user to your new Amazon IAM group. The user will automatically inherit the IAM group policies:

aws iam add-user-to-group \
  --user-name cc-aws-ec2-manager \
  --group-name cc-ec2-admins-group

05 To remove any managed policies attached directly to the IAM user added to the new group at the previous step, run detach-user-policy command (OSX/Linux/UNIX) using the policy ARN as the identifier parameter (the command does not produce an output):

aws iam detach-user-policy \
  --user-name cc-aws-ec2-manager \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess

06 To remove any inline policies from the new IAM group member, run delete-user-policy command (OSX/Linux/UNIX) using the policy name as the identifier parameter (the command does not produce an output):

aws iam delete-user-policy \
  --user-name cc-aws-ec2-manager \
  --policy-name cc-ec2-access-inline-policy

07 Repeat steps no. 5 and 6 for each user assigned to the IAM group created at step no. 1.
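The per-user check from the Audit CLI steps (list-attached-user-policies and list-user-policies) and the clean-up from Remediation CLI steps 5 and 6, as an added Python example that is not part of this Conformity page: it parses the JSON those commands emit with --output json, flags every user that still has managed or inline policies attached directly, and emits the detach-user-policy / delete-user-policy commands for each finding. The sample outputs are constructed to match the users and policies used above, and the function names are my own.

```python
import json

# Constructed sample outputs in the JSON shape emitted by `aws iam list-users`,
# `aws iam list-attached-user-policies` and `aws iam list-user-policies`.
SAMPLE_LIST_USERS = json.dumps({"Users": [
    {"UserName": "cc-aws-ec2-manager"}, {"UserName": "cc-project5-admin"}]})
SAMPLE_ATTACHED = {  # per user: list-attached-user-policies output
    "cc-aws-ec2-manager": json.dumps({"AttachedPolicies": [
        {"PolicyName": "AmazonEC2FullAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"}]}),
    "cc-project5-admin": json.dumps({"AttachedPolicies": []}),
}
SAMPLE_INLINE = {  # per user: list-user-policies output
    "cc-aws-ec2-manager": json.dumps({"PolicyNames": ["cc-ec2-access-inline-policy"]}),
    "cc-project5-admin": json.dumps({"PolicyNames": []}),
}

def direct_policies(attached_json, inline_json):
    """Return (managed policy ARNs, inline policy names) attached directly to
    one user; both lists empty means the user complies with IAM-071."""
    managed = [p["PolicyArn"] for p in json.loads(attached_json)["AttachedPolicies"]]
    inline = list(json.loads(inline_json)["PolicyNames"])
    return managed, inline

def audit_account(list_users_json, attached_by_user, inline_by_user):
    """Map every non-compliant user name to its directly attached policies."""
    findings = {}
    for user in json.loads(list_users_json)["Users"]:
        name = user["UserName"]
        managed, inline = direct_policies(attached_by_user[name], inline_by_user[name])
        if managed or inline:
            findings[name] = {"managed": managed, "inline": inline}
    return findings

def remediation_commands(findings):
    """CLI commands that strip the direct attachments; run them only after the
    user belongs to a group that carries the permissions it still needs."""
    cmds = []
    for user, pols in findings.items():
        cmds += [f"aws iam detach-user-policy --user-name {user} --policy-arn {arn}"
                 for arn in pols["managed"]]
        cmds += [f"aws iam delete-user-policy --user-name {user} --policy-name {n}"
                 for n in pols["inline"]]
    return cmds

if __name__ == "__main__":
    found = audit_account(SAMPLE_LIST_USERS, SAMPLE_ATTACHED, SAMPLE_INLINE)
    print(json.dumps(found, indent=2))
    print("\n".join(remediation_commands(found)))
```

Against a real account, feed the script the saved output of the three commands for each user; the group membership itself (create-group, attach-group-policy, add-user-to-group) must already be in place before the generated commands are run.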

Publication date Aug 18, 2021