Ensure whether IAM users are members of at least one IAM group

It is recommended to make sure that user belongs to at least one group, it will helps to control the permissions

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.81
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamUser should have attachedGroups length()>0 or name regexMatch /^<root_account>$/

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the left navigation pane, click on Users
  3. For each User without group:
  4. Click on the User name
  5. Go to Groups
  6. click on Add user to groups
  7. Select relevant group
  8. Click on 'Add to Groups'

From TF
To add user to a group, add following:

resource "aws_iam_group_membership" "add_user_to_group_example" {
	...
	users = [
	USER-1-NAME,
	USER-2-NAME,
	]
	group = GROUP-NAME
	...
}

From Command Line
To add iam user to group, run:

aws iam add-user-to-group --user-name USER_NAME --group-name GROUP_NAME

References

  1. https://docs.aws.amazon.com/config/latest/developerguide/iam-user-group-membership-check.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset