Ensure that there are no Amazon IAM users with administrator permissions (i.e. privileged users) available in your AWS account in order to adhere to IAM security best practices and implement the principle of least privilege (the practice of providing every user the minimal amount of access required to perform its tasks). A privileged IAM user is an IAM identity that has full access to AWS services and resources through the AdministratorAccess IAM managed policy. Cloud Conformity strongly recommends that the IAM administration and permission management within your AWS account should be divided between two well-defined roles: IAM Master and IAM Manager. The IAM Master and IAM Manager role policies must replace the AdministratorAccess policy attached to privileged IAM user in order to create and configure other IAM users and roles with limited permissions that follow the same principle of least privilege.
When an IAM user with administrator-level permissions (i.e. has authorization to modify or remove any resource, access any data within the AWS environment and use any service or component) is used by an inexperienced person within your organization, his actions can lead to severe security problems, data leaks, data loss or unexpected charges on your AWS bill.
To determine if each IAM group available in your AWS account has at least one user attached, perform the following:
To adhere to security best practices and implement the IAM Master and IAM Manager role policies for your privileged AWS IAM user, perform the following: