Unnecessary IAM Users

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To adhere to cloud security best practices, it is strongly recommended to use temporary credentials for authentication instead of long-term credentials. This approach helps minimize risks like accidental exposure, sharing, or theft of credentials. AWS recommends that human users access AWS cloud resources via IAM Identity Center using temporary credentials, rather than relying on IAM users with long-term credentials.

IAM Identity Center manages user access and permissions across your AWS accounts and automatically issues short-term credentials to users for everyday cloud access. You can use Active Directory, an external identity provider (IdP), or the IAM Identity Center directory as your identity source to manage users and groups and assign AWS access. While IAM typically grants long-term credentials to IAM users, IAM roles provide temporary credentials: federated users and IAM Identity Center users assume IAM roles when signing in and receive temporary credentials. Human users, also known as human identities (administrators, developers, operators, and application consumers), should always access AWS cloud using temporary credentials, either by assuming roles through an identity provider or by signing in through IAM Identity Center.

IAM Identity Center simplifies the sign-in process for human users and allows centralized control over resource access. You can either manage identities directly within IAM Identity Center or manage permissions for identities stored in an external identity provider. Additionally, it supports Multi-Factor Authentication (MFA) to enhance account security.

Security

When managing access in AWS cloud, using IAM users is generally not ideal. While IAM users were historically used for long-term access in AWS, they are becoming increasingly outdated and should generally be avoided, for several reasons. First, IAM users are tied to individual accounts, which makes them difficult to scale as your organization expands: managing security and permissions for a large number of IAM users quickly becomes tedious. Second, IAM users lack the centralized visibility and auditing features available with other AWS identity management tools, making it harder to maintain security and comply with regulations. Third, implementing security measures such as Multi-Factor Authentication (MFA), enforcing password policies, and separating roles is far more straightforward with modern, scalable identity management solutions.

Instead of relying on IAM users, use more robust alternatives such as AWS Organizations with IAM Identity Center or federated identities from external identity providers (IdPs). These options provide better control, security, and operational efficiency as your AWS environment grows. AWS recommends using IAM Identity Center users with temporary credentials rather than IAM users with long-term credentials for day-to-day cloud access. If you still need IAM users for programmatic access with long-term credentials, it is crucial to follow best practices by rotating their access keys regularly, as outlined in this guide.


Audit

To determine if there are any IAM users available within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Users.

04 Check the Users listing section for any IAM users created for your AWS cloud account. If one or more IAM users are listed in this section, these users should be removed so that human users are required to use temporary credentials for AWS cloud access.

05 Repeat steps no. 1 – 4 for each AWS cloud account that you want to examine.

Using AWS CLI

01 Run the list-users command (OSX/Linux/UNIX) with custom output filters to list the names of all the IAM users available within your AWS cloud account:

aws iam list-users \
  --query 'Users[*].UserName'

02 The command output should return an array with the requested IAM user identifiers (names):

[
	"tm-production-stack-admin",
	"tm-project5-api-developer",
	"tm-bedrock-studio-developer",
	"tm-dynamodb-data-manager"
]

If the list-users command output returns one or more IAM users, as shown in the example above, these users should be removed so that human users are required to use temporary credentials for AWS cloud access.

03 Repeat steps no. 1 and 2 for each AWS cloud account that you want to examine.
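An audit helper added here as an example (it is not part of the Conformity page or of AWS tooling): it parses the JSON that `aws iam list-users` and `aws iam list-access-keys --user-name <name>` print and reports, for each IAM user, which long-term credentials it still holds, which is what you need to know before deciding what to delete and what to keep for rotation. The user names, access key IDs and JSON below are constructed sample output, not captured from a real account.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `aws iam list-users` output (not captured from a real account).
LIST_USERS_OUTPUT = json.dumps({"Users": [
    {"UserName": "tm-production-stack-admin", "CreateDate": "2023-01-10T09:00:00+00:00",
     "PasswordLastUsed": "2024-09-01T08:15:00+00:00"},
    {"UserName": "tm-project5-api-developer", "CreateDate": "2024-03-02T10:00:00+00:00"},
]})

# Constructed sample of `aws iam list-access-keys --user-name <name>` output, per user.
LIST_ACCESS_KEYS_OUTPUT = {
    "tm-production-stack-admin": json.dumps({"AccessKeyMetadata": []}),
    "tm-project5-api-developer": json.dumps({"AccessKeyMetadata": [
        {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
         "CreateDate": "2024-01-15T10:00:00+00:00"},
        {"AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Inactive",
         "CreateDate": "2023-06-01T10:00:00+00:00"}]}),
}


def audit_iam_users(users_json, keys_json_by_user, now_iso=None, max_key_age_days=90):
    """Return one finding per IAM user listing the long-term credentials it holds.

    Active access keys older than max_key_age_days are flagged separately, because a
    user kept for programmatic access still needs its keys rotated (see Security above).
    """
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    for user in json.loads(users_json)["Users"]:
        name = user["UserName"]
        keys_json = keys_json_by_user.get(name, '{"AccessKeyMetadata": []}')
        active = [k for k in json.loads(keys_json)["AccessKeyMetadata"] if k["Status"] == "Active"]
        stale = [k["AccessKeyId"] for k in active
                 if (now - datetime.fromisoformat(k["CreateDate"])).days > max_key_age_days]
        findings.append({
            "UserName": name,
            # list-users returns PasswordLastUsed only for users who have signed in with a
            # console password; a password that was never used does not show up here, so
            # confirm with `aws iam get-login-profile` before concluding there is none.
            "ConsolePasswordUsed": "PasswordLastUsed" in user,
            "ActiveAccessKeys": [k["AccessKeyId"] for k in active],
            "StaleAccessKeys": stale,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_iam_users(LIST_USERS_OUTPUT, LIST_ACCESS_KEYS_OUTPUT):
        print(finding)
```

To run it against a real account, replace the two constants with the captured command output (one list-access-keys call per user name).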

Remediation / Resolution

To ensure that human users access AWS cloud using temporary credentials, delete existing IAM users and configure user access with IAM Identity Center. Perform the following operations to remove IAM users and set up IAM Identity Center:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Users.

04 Select the unnecessary Amazon IAM user that you want to remove and choose Delete.

05 Inside the Delete <user-name>? confirmation box, enter the user name in the required text input field, then choose Delete user to remove the selected IAM user from your AWS cloud account. If the AWS Management Console returns an error message instead of removing the user, you must first manually delete the items attached to the IAM user.

06 Repeat steps no. 4 and 5 to remove each unnecessary IAM user from your AWS cloud account.

07 To require human users to use temporary credentials to access your AWS account, you must configure user access with IAM Identity Center. To get started, navigate to the IAM Identity Center console at https://console.aws.amazon.com/singlesignon/. If IAM Identity Center is not enabled, choose Enable, and select Enable with AWS Organizations from Enable IAM Identity Center. Choose Continue to enable the service. IAM Identity Center is initially set up with a default identity source. If your organization uses a different identity provider like AWS Directory Service, Microsoft Entra ID, or Okta, you can integrate that provider with IAM Identity Center instead of relying on the default directory. As an example, this guide will use the default directory as the identity source and set up user access.

08 In the left navigation panel, under Dashboard, choose Users.

09 Choose Add user and perform the following actions:

  1. For Step 1 Specify user details, provide the following information:
    1. For Username, enter a unique name for your new user.
    2. For Password, choose between sending an email with the password setup instructions (recommended option) or generating a one-time password. If you are creating an administrative user and you choose to send an email, make sure that you specify an email address that you can access.
    3. For Email address, enter an email address for the user where you can receive the email. Each user must have a unique email address.
    4. Enter again your email address for Confirm email address.
    5. For First name, enter the first name for the user.
    6. For Last name, enter the last name for the user.
    7. Display name represents the full name of the workforce user (first and last name). If you want to change the display name, you can enter a different name at this step. The display name is visible in the Sign-In Portal and users list.
    8. (Optional) For Contact methods - optional, enter a phone number.
    9. (Optional) For Job-related information - optional, provide any job-related details for the human user.
    10. (Optional) For Address - optional, provide the physical address of the human user.
    11. (Optional) For Preferences - optional, provide preference information such as preferred language and timezone.
    12. (Optional) For Additional attributes - optional, you can specify values for additional attributes such as the user's Microsoft 365 immutable ID to help provide the user with single sign-on access to certain applications.
    13. Choose Next to continue the setup process.
  2. (Optional) For Step 2 Add user to groups, perform the following actions to add the user as member of a group:
    1. Choose Create group to create a group to assign permissions to instead of giving them directly to the user.
    2. For Group name, enter a name for the new group. We recommend a group name that identifies the role of the group.
    3. (Optional) For Description - optional, you can provide information about the permissions assigned to this group.
    4. Choose Create group to create the new group and close the browser tab to return to the Add user setup page.
    5. Back to the Step 2 Add user to groups page, choose the Refresh button (circular arrow icon), and select the checkbox available next to the group name to add your user to the new group.
    6. Choose Next to continue the setup.
  3. For Step 3 Review and add user, review the user details and group association information, then choose Add user to create your new user.
  4. The new user will receive an email with an Accept invitation link to set up a password and instructions to connect to the AWS access portal. The link will be valid for up to 7 days.

10 You can now grant this user permissions to accounts or applications so that they can access their assigned AWS accounts and cloud applications when they sign in to the AWS access portal. In the left navigation panel, under Multi-account permissions, choose AWS accounts.

11 On the AWS accounts page, the Organizational structure displays your organization with your accounts underneath it in the hierarchy. Select the checkbox available next to your management account, choose Assign users or groups, and perform the following actions:

  1. For Step 1 Select users and groups, choose the Groups tab, select the group created at step no. 9 from the Groups list, and choose Next to continue the setup process.
  2. For Step 2 Select permission sets, choose Create permission set, and select the permission set type. You can choose between a predefined permission set such as ReadOnlyAccess, DatabaseAdministrator, and DataScientist, and a custom permission set that can use AWS-managed policies, customer-managed policies, inline policies, and permissions boundaries. As an example, this guide will use a predefined permission set named DatabaseAdministrator, which grants full access permissions to AWS services and actions required to set up and configure database services in AWS cloud. For Permission set type, choose Predefined permission set. For Policy for predefined permission set, select DatabaseAdministrator. Choose Next to continue the setup. For Permission set details, configure the session duration (default duration is 1 hour), and choose Next to continue.
  3. For Step 3 Review and create, review the permission set details, then choose Create to create your new permission set.

12 Navigate back to the AWS accounts page, select the checkbox available next to your management account, choose Assign users or groups, and perform the following actions:

  1. For Step 1 Select users and groups, choose the Groups tab, select the group created at step no. 9 from the Groups list, and choose Next to continue the setup process.
  2. For Step 2 Select permission sets, select the permission set created at step no. 11, and choose Next to continue.
  3. For Step 3 Review and submit, review the group assignments, and choose Submit to apply the configuration. Once the process is completed, the following message is displayed: We reprovisioned your AWS account successfully and applied the updated permission set to the account.

Using AWS CLI

01 Run the delete-user command (OSX/Linux/UNIX) to remove the unnecessary Amazon IAM user from your AWS cloud account. If successful, the delete-user command does not produce an output. If the command output returns a DeleteConflict error message such as An error occurred (DeleteConflict) when calling the DeleteUser operation: Cannot delete entity, must detach all policies first., you must first manually delete the items attached to the user. To delete the items attached to the selected IAM user, use the AWS CLI commands listed in this section, according to your use case:

aws iam delete-user \
  --user-name "tm-production-stack-admin"

02 Repeat step no. 1 to remove each unnecessary IAM user from your AWS cloud account.
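Step 1 above fails with DeleteConflict while anything is still attached to the user. The following helper, added here as an example (not Conformity's or AWS's own code), turns an inventory of those attachments into the ordered list of AWS CLI commands that must run before delete-user succeeds; credentials are removed before permissions so the user cannot act while the cleanup is in progress. The inventory, user name, key ID and ARNs are constructed sample values.

```python
import shlex

# Constructed inventory of what is still attached to the user deleted in step 1 above.
# A real run fills this from: get-login-profile, list-access-keys, list-mfa-devices,
# list-signing-certificates, list-ssh-public-keys, list-service-specific-credentials,
# list-attached-user-policies, list-user-policies and list-groups-for-user.
SAMPLE_INVENTORY = {
    "LoginProfile": True,
    "AccessKeys": ["AKIAIOSFODNN7EXAMPLE"],
    "MfaDevices": ["arn:aws:iam::123456789012:mfa/tm-production-stack-admin"],
    "SigningCertificates": [],
    "SshPublicKeys": [],
    "ServiceSpecificCredentials": [],
    "AttachedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "InlinePolicies": ["s3-bucket-access"],
    "Groups": ["Admins"],
}


def iam_user_cleanup_plan(user_name, inv):
    """Return the aws CLI commands, in a safe order, that remove every item that makes
    DeleteUser fail with DeleteConflict, ending with delete-user itself."""
    u = shlex.quote(user_name)
    q = shlex.quote
    plan = []
    # 1. Credentials first, so the user cannot act while the rest of the cleanup runs.
    if inv.get("LoginProfile"):
        plan.append(f"aws iam delete-login-profile --user-name {u}")
    for key_id in inv.get("AccessKeys", []):
        plan.append(f"aws iam delete-access-key --user-name {u} --access-key-id {q(key_id)}")
    for serial in inv.get("MfaDevices", []):
        plan.append(f"aws iam deactivate-mfa-device --user-name {u} --serial-number {q(serial)}")
        if ":mfa/" in serial:  # a virtual MFA device is its own IAM resource; a hardware one is not
            plan.append(f"aws iam delete-virtual-mfa-device --serial-number {q(serial)}")
    for cert_id in inv.get("SigningCertificates", []):
        plan.append(f"aws iam delete-signing-certificate --user-name {u} --certificate-id {q(cert_id)}")
    for key_id in inv.get("SshPublicKeys", []):
        plan.append(f"aws iam delete-ssh-public-key --user-name {u} --ssh-public-key-id {q(key_id)}")
    for cred_id in inv.get("ServiceSpecificCredentials", []):
        plan.append(f"aws iam delete-service-specific-credential --user-name {u} "
                    f"--service-specific-credential-id {q(cred_id)}")
    # 2. Permissions: managed policies, inline policies, group memberships.
    for arn in inv.get("AttachedPolicies", []):
        plan.append(f"aws iam detach-user-policy --user-name {u} --policy-arn {q(arn)}")
    for name in inv.get("InlinePolicies", []):
        plan.append(f"aws iam delete-user-policy --user-name {u} --policy-name {q(name)}")
    for group in inv.get("Groups", []):
        plan.append(f"aws iam remove-user-from-group --user-name {u} --group-name {q(group)}")
    # 3. Only now does delete-user succeed.
    plan.append(f"aws iam delete-user --user-name {u}")
    return plan


if __name__ == "__main__":
    print("\n".join(iam_user_cleanup_plan("tm-production-stack-admin", SAMPLE_INVENTORY)))
```

Review the printed plan before running it; it is intended to be executed in the order given.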

03 To require human users to use temporary credentials to access your AWS account, you must configure user access with IAM Identity Center. To get the Amazon Resource Name (ARN) of your IAM Identity Center instance and the Identity Store ID, run the list-instances command (OSX/Linux/UNIX). This information is required later in the process when you create and assign permission sets to AWS accounts and users/groups:

aws sso-admin list-instances \
  --query 'Instances'

04 The command output should return the requested IAM Identity Center information:

[
	{
		"CreatedDate": "2024-09-10T12:08:58.463000+00:00",
		"IdentityStoreId": "d-abc123abcd",
		"InstanceArn": "arn:aws:sso:::instance/ssoins-aaaabbbbccccdddd",
		"OwnerAccountId": "123456789012",
		"Status": "ACTIVE"
	}
]

05 Run the create-user command (OSX/Linux/UNIX) to create a new user in the Identity Store whose ID was returned at the previous step:

aws identitystore create-user \
  --identity-store-id d-abc123abcd \
  --user-name Project5DBAdmin \
  --name '{"Formatted":"DBA","FamilyName":"Doe","GivenName":"John"}' \
  --display-name DatabaseAdmin \
  --emails '[{"Value":"user@domain.com","Type":"work","Primary":true}]'

06 The command output should return the identifier (ID) of the newly created user in the Identity Store:

{
	"UserId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"IdentityStoreId": "d-abc123abcd"
}

07 Run the create-group command (OSX/Linux/UNIX) to create a group for your user in the same Identity Store. Permissions are then assigned to the group instead of directly to the user:

aws identitystore create-group \
  --identity-store-id d-abc123abcd \
  --display-name DBAdministrators

08 The command output should return the identifier (ID) of the newly created group in the Identity Store:

{
	"GroupId": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"IdentityStoreId": "d-abc123abcd"
}

09 Run the create-group-membership command (OSX/Linux/UNIX) to add your user to the newly created group:

aws identitystore create-group-membership \
  --identity-store-id d-abc123abcd \
  --group-id 1234abcd-1234-abcd-1234-abcd1234abcd \
  --member-id '{"UserId": "abcd1234-abcd-1234-abcd-1234abcd1234"}'

10 The command output should return the identifier (ID) of the new group membership:

{
	"MembershipId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"IdentityStoreId": "d-abc123abcd"
}

11 Run the create-permission-set command (OSX/Linux/UNIX) to create a new permission set for your IAM Identity Center instance:

aws sso-admin create-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-aaaabbbbccccdddd \
  --name DBAdminPermissionSet \
  --description "Permission set providing database access in AWS cloud"

12 The command output should return the configuration information available for the new permission set:

{
	"PermissionSet": {
		"CreatedDate": "2024-09-10T05:22:22.344000+00:00",
		"Description": "Permission set providing database access in AWS cloud",
		"Name": "DBAdminPermissionSet",
		"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-aaaabbbbccccdddd/ps-0abcd1234abcd123",
		"SessionDuration": "PT1H"
	}
}

13 Run the attach-managed-policy-to-permission-set command (OSX/Linux/UNIX) to attach an AWS-managed policy to your newly created permission set. As an example, this guide will use a predefined, AWS-managed policy named DatabaseAdministrator, which grants full access permissions to AWS services and actions required to set up and configure database services in AWS cloud (the command does not produce an output):

aws sso-admin attach-managed-policy-to-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-aaaabbbbccccdddd \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-aaaabbbbccccdddd/ps-0abcd1234abcd123 \
  --managed-policy-arn arn:aws:iam::aws:policy/job-function/DatabaseAdministrator

14 Run the create-account-assignment command (OSX/Linux/UNIX) to grant your user group access to your Amazon Web Services (AWS) account, using the permission set created earlier in the Remediation process:

aws sso-admin create-account-assignment \
  --instance-arn arn:aws:sso:::instance/ssoins-aaaabbbbccccdddd \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-aaaabbbbccccdddd/ps-0abcd1234abcd123 \
  --principal-id 1234abcd-1234-abcd-1234-abcd1234abcd \
  --principal-type GROUP \
  --target-id 123456789012 \
  --target-type AWS_ACCOUNT

15 The command output should return the configuration information available for your AWS account assignment:

{
	"AccountAssignmentCreationStatus": {
		"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-aaaabbbbccccdddd/ps-0abcd1234abcd123",
		"PrincipalId": "1234abcd-1234-abcd-1234-abcd1234abcd",
		"PrincipalType": "GROUP",
		"RequestId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"Status": "IN_PROGRESS",
		"TargetId": "123456789012",
		"TargetType": "AWS_ACCOUNT"
	}
}

Publication date Sep 19, 2024