Medium

Ensure IAM users receive permissions only through groups

Security & Compliance
Description

IAM users in AWS should receive permissions only through groups, which improves both security and manageability. Users then inherit their permissions from groups, which are easier to manage and update than permissions assigned to individual users. Assigning permissions to groups makes it easier to add or remove a user's permissions as needed, and keeps permissions consistent across users with similar job functions or roles. This approach can also reduce the risk of unauthorized access due to human error or rogue insiders.

Remediation

To ensure IAM users receive permissions only through groups, you can follow these remediation steps:

  1. Identify IAM users who have permissions assigned to them directly, instead of through groups.
  2. Create new groups and add the necessary permissions to those groups.
  3. Remove the permissions that were directly assigned to the IAM users.
  4. Add the IAM users to the appropriate groups.
  5. Verify that the IAM users have the required permissions by testing their access to the resources they need.

IAM users should not have any permissions assigned directly to them; they should receive permissions only through groups. This ensures that access to resources is properly managed and easily auditable. Permissions assigned to IAM users and groups should also be monitored and reviewed regularly to confirm that they are still necessary and appropriate.
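One way to carry out step 1 and to re-check after steps 3 and 4, as an added example that is not Lightlytics code: it reads the user records returned by the IAM GetAccountAuthorizationDetails API through boto3 and reports every user that still holds an inline or directly attached policy. The user names, group names and the inline policy name in the sample are constructed.

```python
# Constructed sample shaped like UserDetailList from
# get_account_authorization_details(Filter=["User"]); user names are made up.
SAMPLE_USER_DETAILS = [
    {"UserName": "alice", "GroupList": ["developers"],
     "UserPolicyList": [], "AttachedManagedPolicies": []},
    {"UserName": "bob", "GroupList": [],
     "UserPolicyList": [{"PolicyName": "bob-s3-inline"}],
     "AttachedManagedPolicies": [
         {"PolicyName": "ReadOnlyAccess",
          "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    {"UserName": "carol", "GroupList": ["ops"], "UserPolicyList": [],
     "AttachedManagedPolicies": [
         {"PolicyName": "AmazonEC2FullAccess",
          "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"}]},
]


def find_direct_permissions(user_details):
    """Return one finding per user holding permissions outside a group."""
    findings = []
    for user in user_details:
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        attached = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        if inline or attached:
            findings.append({
                "user": user["UserName"],
                "inline_policies": inline,      # removed with delete_user_policy
                "attached_policies": attached,  # removed with detach_user_policy
                # False: add the user to a group before removing direct policies
                "has_group": bool(user.get("GroupList")),
            })
    return findings


def fetch_user_details(iam):
    """Collect every page of user details from a boto3 IAM client."""
    paginator = iam.get_paginator("get_account_authorization_details")
    details = []
    for page in paginator.paginate(Filter=["User"]):
        details.extend(page["UserDetailList"])
    return details


if __name__ == "__main__":
    # Offline run over the constructed sample. Against a real account, pass
    # fetch_user_details(boto3.client("iam")) instead (needs IAM read access).
    for finding in find_direct_permissions(SAMPLE_USER_DETAILS):
        print(finding)
```

An empty result from find_direct_permissions means no user holds direct permissions; a finding with has_group set to False marks a user who would lose all access if the direct policies were removed first.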

Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.