Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 1.15 Ensure IAM Users Receive Permissions Only Through Groups

Description

IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy.

Only the third implementation is recommended.

Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Remediation

Perform the following to create an IAM group and assign a policy to it:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups and then click Create New Group.
  3. In the Group Name box, type the name of the group and then click Next Step.
  4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click Next Step.
  5. Click Create Group.

Perform the following to add a user to a given group:

  1. Sign into the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups.
  3. Select the group to add a user to
  4. Click Add Users To Group
  5. Select the users to be added to the group
  6. Click Add Users

Perform the following to remove a direct association between an user and the policy:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the left navigation pane, click on Users.
  3. For each user:
  • Select the user.
  • Click on the Permissions tab.
  • Expand Permissions policies.
  • Click X for each policy; then click Detach or Remove (depending on policy type).

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v200_1_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v200_1_15 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when inline_policies is null and attached_policy_arns is null then 'ok'
    else 'alarm'
  end status,
  name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' ||
    coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason
  
  , account_id
from
  aws_iam_user;

Tags

category = Compliance
cis = true
cis_item_id = 1.15
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v2.0.0
plugin = aws
service = AWS/IAM