
Check that only safelisted IAM Users exist

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-058

Ensure that all Amazon IAM users available in your AWS account are approved and trusted in order to protect your AWS cloud resources against unapproved access and meet compliance requirements within your organization. The list with the approved IAM users must be configured within the rule settings, on the Trend Cloud One™ – Conformity account console.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

You can explicitly specify the users that are allowed to access your AWS cloud services and resources and mark all other users as unapproved or unauthorized. To adhere to Amazon IAM security best practices, you can either remove the untrusted IAM users or safelist them after a complete compliance review.


Audit

To identify any unapproved Amazon IAM users available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access the Check that only safelisted IAM Users exist conformity rule settings, and identify the list of approved Amazon IAM users defined for your AWS account.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

04 In the navigation panel, under Access management, choose Users.

05 Compare each IAM user listed on the Users page against the list of approved IAM users identified at step no. 1 to determine whether there are any unapproved users within your AWS account. If one or more IAM users are not listed in the conformity rule settings, there are unapproved Amazon IAM users currently available in your AWS cloud account.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access the Check that only safelisted IAM Users exist conformity rule settings, and identify the list of approved Amazon IAM users defined for your AWS account.

02 Run list-users command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon IAM users available within your AWS account:

aws iam list-users \
  --output table \
  --query 'Users[*].UserName'

03 The command output should return a table with the requested IAM user identifiers (names):

-------------------------
|       ListUsers       |
+-----------------------+
|  cc-rds-manager       |
|  cc-ec2-developers    |
|  cc-platform-admin    |
|  cc-accounting-dep    |
|  cc-iam-manager       |
|  cc-sysops-admin      |
|  cc-aurora-developer  |
+-----------------------+

Compare each IAM user returned by the list-users command output against the list of approved IAM users identified at step no. 1 to determine whether there are any unapproved users within your AWS account. If one or more IAM users are not listed in the conformity rule settings, there are unapproved Amazon IAM users currently available in your AWS cloud account.
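The comparison in the step above can be scripted so that it runs unattended (for example in a CI job that fails when an unapproved user appears). The following POSIX shell function is an added example, not part of the Conformity rule or the AWS CLI; it assumes the user list has been captured with the text output format (`--output text`, which returns tab-separated names) and that the safelist is supplied as newline-separated names. The sample user list and safelist are constructed for the example, so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of what the following live command returns
# (tab-separated user names on a single line; the CLI paginates for you):
#   aws iam list-users --output text --query 'Users[*].UserName'
SAMPLE_USERS=$(printf 'cc-rds-manager\tcc-ec2-developers\tcc-platform-admin\tcc-accounting-dep')

# Constructed safelist: the approved IAM user names, one per line.
# In practice this would be the list taken from the conformity rule settings.
APPROVED_USERS="cc-rds-manager
cc-platform-admin
cc-accounting-dep"

# find_unapproved_users <tab-separated user names> <newline-separated safelist>
# Prints every existing user that is not on the safelist, one per line.
# Returns 1 when at least one unapproved user exists, 0 when all are safelisted.
find_unapproved_users() {
    printf '%s' "$1" | tr '\t' '\n' | awk -v approved="$2" '
        BEGIN {
            # Build a lookup table from the safelist; blank lines are ignored.
            n = split(approved, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        NF && !($0 in ok) { print; bad = 1 }   # report users missing from safelist
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone demonstration against the constructed data.
if find_unapproved_users "$SAMPLE_USERS" "$APPROVED_USERS"; then
    echo "All IAM users are safelisted"
else
    echo "Unapproved IAM users found (listed above)"
fi
```

Replacing the constructed SAMPLE_USERS with the live list-users command output turns the script into a gate that exits non-zero whenever a user outside the safelist exists.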

Remediation / Resolution

To adhere to Amazon IAM security best practices and fulfill compliance requirements within your organization, you can either remove the unapproved IAM users or approve them by adding their user names in the conformity rule settings, depending on your requirements.

Case A: To remove the unapproved (unauthorized) IAM users from your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Select the unapproved Amazon IAM user that you want to remove and choose Delete user.

05 Inside the Delete user confirmation box, choose Yes, delete to remove the unapproved IAM user from your AWS cloud account.

06 Repeat steps no. 4 and 5 to remove any other unapproved IAM users from your AWS account.

Using AWS CLI

01 In order to delete an Amazon IAM user programmatically, you must first remove the item(s) attached to the user manually, or the deletion request fails. For more information, see this page. For example, to remove the console password of a specified IAM user, which terminates the user's ability to access AWS cloud services through the AWS Management Console, run the delete-login-profile command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to delete as the identifier parameter (the command produces no output):

aws iam delete-login-profile \
  --user-name cc-rds-manager

02 Once all the items associated with the selected IAM user are removed and/or detached, run the delete-user command (OSX/Linux/UNIX) to remove the unapproved Amazon IAM user from your AWS cloud account (if successful, the command produces no output):

aws iam delete-user \
  --user-name cc-rds-manager

03 Repeat steps no. 1 and 2 to remove any other unapproved IAM users from your AWS account.

Case B: If the selected unapproved Amazon IAM user is vital for your business, or you just want to mark it as compliant, add the selected user to the list of approved IAM users, defined in the rule settings, on your Trend Cloud One™ – Conformity account console.
