Pipeline: 1.15 Ensure IAM Users Receive Permissions Only Through Groups
Description
IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy; 4) add the user to an IAM group that has an inline policy.
Only the third implementation is recommended.
Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.
Remediation
Perform the following to create an IAM group and assign a policy to it:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click
Groups
and then clickCreate New Group
. - In the
Group Name
box, type the name of the group and then clickNext Step
. - In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click
Next Step
. - Click
Create Group
.
Perform the following to add a user to a given group:
- Sign into the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, click
Groups
. - Select the group to add a user to
- Click
Add Users To Group
- Select the users to be added to the group
- Click
Add Users
Perform the following to remove a direct association between an user and the policy:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the left navigation pane, click on Users.
- For each user:
- Select the user.
- Click on the
Permissions
tab. - Expand
Permissions policies
. - Click
X
for each policy; then click Detach or Remove (depending on policy type).
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run aws_cis.pipeline.cis_v300_1_15
Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" { pipeline = aws_cis.pipeline.cis_v300_1_15 }
Params
Name | Type | Required | Description | Default |
---|---|---|---|---|
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default |
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default |
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info |
approvers | list(notifier) | Yes | List of notifiers to be used for obtaining action/approval decisions. | notifier.default |
Outputs
This pipeline has no outputs.