Control: 2.14 Ensure IAM users receive permissions only through groups
Description
IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) Edit the user policy directly, also known as an inline or user policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy.
Only the third implementation is recommended.
Remediation
From Console:
Perform the following to create an IAM group and assign a policy to it:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Groups and then click Create New Group.
- In the Group Name box, type the name of the group and then click Next Step.
- In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click Next Step.
- Click Create Group.
Perform the following to add a user to a given group:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click Groups.
- Select the group to add a user to.
- Click Add Users To Group.
- Select the users to be added to the group.
- Click Add Users.
Perform the following to remove a direct association between a user and policy:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the left navigation pane, click on Users.
- For each user:
  - Select the user.
  - Click on the Permissions tab.
  - Expand Permissions policies, click X for each policy, then click Detach or Remove (depending on policy type).
From Command Line:
- Create the IAM user group:
aws iam create-group --group-name <new_IAM_group_name>
- Attach the policy to the IAM user group:
aws iam attach-group-policy --group-name <new_IAM_group_name> --policy-arn <IAM_policy_ARN>
- Perform the following to add a user to a given group:
aws iam add-user-to-group --user-name <IAM_user_name> --group-name <new_IAM_group_name>
- Perform the following to remove a direct association between a user and policy:
aws iam detach-user-policy --user-name <IAM_user_name> --policy-arn <IAM_policy_ARN>
- Delete an inline policy from an IAM user:
aws iam delete-user-policy --user-name <IAM_user_name> --policy-name <IAM_policy_name>
Default Value:
By default, AWS allows IAM policies to be attached directly to users, groups, or roles. There is no restriction preventing direct user policies unless explicitly enforced by organizational standards.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_2_14
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_14 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when inline_policies is null and attached_policy_arns is null then 'ok'
    else 'alarm'
  end as status,
  name || ' has ' || coalesce(jsonb_array_length(inline_policies), 0) || ' inline and ' || coalesce(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' as reason,
  account_id
from
  aws_iam_user;
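The same check can be reproduced without Steampipe from a dump of `aws iam get-account-authorization-details`. The script below is an added example, not part of this control or the aws_compliance mod: it applies the query's ok/alarm rule to a constructed `UserDetailList` and emits the `detach-user-policy` / `delete-user-policy` commands from the Remediation section for every user that fails, so the direct policies can be moved onto a group first and then removed.

```python
import json

# Constructed sample in the shape of `aws iam get-account-authorization-details`
# output (UserDetailList only); account id, names and ARNs are made up.
SAMPLE_AUTH_DETAILS = json.dumps({
    "UserDetailList": [
        {"UserName": "alice", "Arn": "arn:aws:iam::111122223333:user/alice",
         "GroupList": ["developers"], "UserPolicyList": [], "AttachedManagedPolicies": []},
        {"UserName": "bob", "Arn": "arn:aws:iam::111122223333:user/bob",
         "GroupList": [],
         "UserPolicyList": [{"PolicyName": "bob-inline-s3", "PolicyDocument": {}}],
         "AttachedManagedPolicies": [
             {"PolicyName": "ReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    ]
})

def evaluate_users(auth_details_json):
    """One finding per user, with the control query's rule: 'ok' only when the
    user has neither inline (UserPolicyList) nor directly attached policies."""
    findings = []
    for user in json.loads(auth_details_json)["UserDetailList"]:
        inline = user.get("UserPolicyList") or []
        attached = user.get("AttachedManagedPolicies") or []
        status = "ok" if not inline and not attached else "alarm"
        reason = (f"{user['UserName']} has {len(inline)} inline and "
                  f"{len(attached)} directly attached policies.")
        findings.append({"resource": user["Arn"], "status": status, "reason": reason,
                         "user": user["UserName"], "inline": inline, "attached": attached})
    return findings

def remediation_commands(findings):
    """Build the CLI commands from the Remediation section for each alarm.
    Attach the equivalent policies to a group the user belongs to before running them."""
    cmds = []
    for f in findings:
        if f["status"] != "alarm":
            continue
        for p in f["attached"]:
            cmds.append(f"aws iam detach-user-policy --user-name {f['user']} "
                        f"--policy-arn {p['PolicyArn']}")
        for p in f["inline"]:
            cmds.append(f"aws iam delete-user-policy --user-name {f['user']} "
                        f"--policy-name {p['PolicyName']}")
    return cmds

if __name__ == "__main__":
    results = evaluate_users(SAMPLE_AUTH_DETAILS)
    for r in results:
        print(r["status"].upper(), r["reason"])
    print("\n".join(remediation_commands(results)))
```

Feed it real output with `aws iam get-account-authorization-details --filter User` in place of the constructed sample; the generated commands are a review list, not something to pipe straight into a shell.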