Control: 1.15 Ensure IAM Users Receive Permissions Only Through Groups
Description
IAM users are granted access to services, functions, and data through IAM policies. There are multiple ways to define policies for an user, such as:
- Add the user to an IAM group that has an attached policy.
- Attach an inline policy directly to an user.
- Attach a managed policy directly to an user.
Only the first implementation is recommended.
Assigning IAM policy only through groups simplifies permissions management to a single, flexible layer consistent with organizational functional roles. By simplifying permissions management, the likelihood of excessive permissions is reduced.
Remediation
From Console
Perform the following to create an IAM group and assign a list of policies to it:
- Sign into the AWS console and open the IAM Dashboard.
- In the left navigation pane, click User groups and then click Create group.
- In the
User group name
box, type the name of the group. - In the list of policies, select the
check box
for each policy that you want to apply to all members of the group (You can attach up to 10 policies to this user group). - Click Create group. Group is created with the list of permissions.
Perform the following to add a user to a given group:
- Sign into the AWS console and open the IAM Dashboard.
- In the left navigation pane, click User groups.
- Select the
Group name
to add an user to. - Click
Add users
to group. - Select the users to be added to the group.
- Click Add users. Users are added to the group.
Perform the following to remove a direct association between an user and the policy:
- Sign into the AWS console and open the IAM Dashboard.
- In the left navigation pane, click on Users.
- For each user:
- Select the user, it will take you to
Permissions
tab. - Expand Permissions policies.
- Click
X
for each policy and then click Remove (depending on policy type).
- Select the user, it will take you to
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v130_1_15
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v130_1_15 --share
SQL
This control uses a named query:
iam_user_no_inline_attached_policies