Control: 1.15 Ensure IAM Users Receive Permissions Only Through Groups
Description
IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy.
Only the third implementation is recommended.
Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.
Remediation
Perform the following to create an IAM group and assign a policy to it:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click
Groups
and then clickCreate New Group
. - In the
Group Name
box, type the name of the group and then clickNext Step
. - In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click
Next Step
. - Click
Create Group
.
Perform the following to add a user to a given group:
- Sign into the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click
Groups
. - Select the group to add a user to
- Click
Add Users To Group
- Select the users to be added to the group
- Click
Add Users
Perform the following to remove a direct association between an user and the policy:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the left navigation pane, click on Users.
- For each user:
- Select the user.
- Click on the
Permissions
tab. - Expand
Permissions policies
. - Click
X
for each policy; then click Detach or Remove (depending on policy type).
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v200_1_15
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v200_1_15 --share
SQL
This control uses a named query:
iam_user_no_inline_attached_policies