Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments

Centralizing IAM user management in a single identity store reduces complexity, and with it the likelihood of access-management errors such as orphaned or forgotten local users in individual accounts.

Risk Level: Low
Cloud Entity: IAM SAML Identity Provider
CloudGuard Rule ID: D9.AWS.IAM.66
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

List<IamSAMLProvider> should have items with [id] length() > 0

REMEDIATION

Note: This rule must be assessed manually. The GSL logic above only confirms that the account has at least one IAM SAML identity provider registered; it cannot tell whether local IAM users are still present, so a passing result is not by itself evidence of centralized user management. The procedure varies with the organization's implementation of identity federation and/or AWS Organizations. The acceptance criterion is that no IAM users representing individuals (service users aside, and the root user aside) exist outside the account that provides centralized IAM user management.

From Portal
For multi-account AWS environments with an external identity provider:
*For multi-account AWS environments implementing AWS Organizations without an external identity provider, skip to step 5.

  1. Log in to the management account (previously called the master account) or the account that hosts identity federation / centralized IAM user management
  2. Go to 'IAM'
  3. In the menu, under 'Access management', choose 'Identity providers'
  4. Verify the configurations
  5. Determine all accounts that should not have local users present and switch role into each identified account
  6. Go to 'IAM'
  7. In the menu, under 'Access management', choose 'Users'
  8. Confirm that no IAM users representing individuals are present
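The eight steps above can be scripted. The following is an added example written for this page, not CloudGuard's or AWS's own code: the pure functions take the dict shapes that boto3's IAM client returns (`list_saml_providers`, `list_users`, `list_user_tags`) so they can be run offline against constructed sample data, while `audit_account()` and `main()` wire them to the live API, switching role into each member account as steps 5 to 8 require. The tag convention `account-type=service` for marking service users and the role name `OrganizationAccountAccessRole` (the default role AWS Organizations creates in member accounts) are assumptions; substitute whatever your organization actually uses.

```python
"""Audit helper for the check described above (an added example, not CloudGuard's
or AWS's own code).  The pure functions take the dict shapes returned by boto3's
IAM client so they run offline; audit_account()/main() wire them to the live API.
"""
from typing import Dict, Iterable, List

# Assumed tagging convention (hypothetical, not part of the rule): service
# users carry account-type=service.  Anything else is treated as a person.
SERVICE_TAG_KEY = "account-type"
SERVICE_TAG_VALUE = "service"


def has_saml_provider(list_saml_providers_response: dict) -> bool:
    """Same condition as the GSL logic: at least one SAML provider with an ARN."""
    providers = list_saml_providers_response.get("SAMLProviderList", [])
    return any(p.get("Arn") for p in providers)


def is_service_user(tags: Iterable[dict]) -> bool:
    """True if the user's tag set marks it as a non-human service account."""
    return any(t.get("Key") == SERVICE_TAG_KEY and t.get("Value") == SERVICE_TAG_VALUE
               for t in tags)


def find_human_users(list_users_response: dict,
                     tags_by_user: Dict[str, List[dict]],
                     console_users: Iterable[str]) -> List[dict]:
    """Users that look like individuals (step 8 of the procedure).

    A user is flagged if it has a console password (people log in; service
    principals should use access keys or, better, roles) or if it is not
    tagged as a service account.  Every reason is reported so a reviewer can
    triage, e.g. a "service" user that somehow acquired a console password.
    """
    console = set(console_users)
    findings = []
    for user in list_users_response.get("Users", []):
        name = user["UserName"]
        reasons = []
        if name in console:
            reasons.append("console password")
        if not is_service_user(tags_by_user.get(name, [])):
            reasons.append("not tagged as service account")
        if reasons:
            findings.append({"UserName": name, "Arn": user.get("Arn"), "Reasons": reasons})
    return findings


def audit_account(iam) -> dict:
    """Run the check against a live boto3 IAM client for one account."""
    users = {"Users": []}
    for page in iam.get_paginator("list_users").paginate():
        users["Users"].extend(page["Users"])
    tags_by_user, console_users = {}, []
    for u in users["Users"]:
        tags_by_user[u["UserName"]] = iam.list_user_tags(UserName=u["UserName"])["Tags"]
        try:
            iam.get_login_profile(UserName=u["UserName"])
            console_users.append(u["UserName"])
        except iam.exceptions.NoSuchEntityException:
            pass  # no console password for this user
    return {
        "saml_provider_present": has_saml_provider(iam.list_saml_providers()),
        "human_users": find_human_users(users, tags_by_user, console_users),
    }


def main(account_ids: List[str], role_name: str = "OrganizationAccountAccessRole") -> None:
    """Steps 5-8: switch role into each member account and report local users."""
    import boto3  # imported here so the pure functions work without boto3 installed
    sts = boto3.client("sts")
    for acct in account_ids:
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{acct}:role/{role_name}",
                                RoleSessionName="iam-66-audit")["Credentials"]
        iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
        result = audit_account(iam)
        status = "PASS" if not result["human_users"] else "FAIL"
        print(f"{acct}: {status}, saml_provider={result['saml_provider_present']}")
        for f in result["human_users"]:
            print(f"  {f['UserName']}: {', '.join(f['Reasons'])}")


# Constructed sample responses (not real accounts) for an offline run.
SAMPLE_USERS = {"Users": [
    {"UserName": "alice", "Arn": "arn:aws:iam::111111111111:user/alice"},
    {"UserName": "ci-deployer", "Arn": "arn:aws:iam::111111111111:user/ci-deployer"},
    {"UserName": "legacy-batch", "Arn": "arn:aws:iam::111111111111:user/legacy-batch"},
]}
SAMPLE_TAGS = {
    "ci-deployer": [{"Key": "account-type", "Value": "service"}],
    "legacy-batch": [{"Key": "account-type", "Value": "service"}],
}
SAMPLE_CONSOLE = ["alice", "legacy-batch"]  # a "service" user with a console password


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        main(sys.argv[1:])  # member account IDs on the command line
    else:
        for f in find_human_users(SAMPLE_USERS, SAMPLE_TAGS, SAMPLE_CONSOLE):
            print(f["UserName"], f["Reasons"])
```

Run it with no arguments to see the offline sample (alice is flagged on both counts, legacy-batch only for its console password, ci-deployer passes), or with one or more account IDs from a session in the management account to walk the real estate. Note that `has_saml_provider()` reproduces the GSL condition exactly, and the sample shows why it is not sufficient on its own: an account can have a SAML provider registered and still contain human IAM users.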

References

  1. https://workbench.cisecurity.org/sections/615823/recommendations/1009540
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create.html

IAM SAML Identity Provider

An IAM SAML 2.0 identity provider is an entity in IAM that describes an external identity provider (IdP) service that supports the SAML 2.0 (Security Assertion Markup Language 2.0) standard. You use an IAM identity provider when you want to establish trust between a SAML-compatible IdP such as Shibboleth or Active Directory Federation Services and AWS, so that users in your organization can access AWS resources. IAM SAML identity providers are used as principals in an IAM trust policy.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset