1.15 Ensure IAM Users Receive Permissions Only Through Groups

Information

IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy.

Only the third implementation is recommended.

Rationale:

Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Solution

Perform the following to create an IAM group and assign a policy to it:

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

In the navigation pane, click Groups and then click Create New Group .

In the Group Name box, type the name of the group and then click Next Step .

In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click Next Step .

Click Create Group

Perform the following to add a user to a given group:

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

In the navigation pane, click Groups

Select the group to add a user to

Click Add Users To Group

Select the users to be added to the group

Click Add Users

Perform the following to remove a direct association between a user and policy:

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

In the left navigation pane, click on Users

For each user:

Select the user

Click on the Permissions tab

Expand Permissions policies

Click X for each policy; then click Detach or Remove (depending on policy type)

See Also

https://workbench.cisecurity.org/benchmarks/10599

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CCE|CCE-78912-3, CSCv7|16

Plugin: amazon_aws

Control ID: 098b8c92dc5d7ee52da0de05fbe5aebcb2d55b99e45bd6ffa771cc9af3bff043