
AWS IAM User Present

Last updated: 10 November 2017
Security

Risk level: Medium (should be achieved)

Ensure that the access to your AWS services and resources is made only through individual IAM users instead of the root account.

This rule resolution is part of the Cloud Conformity Security Package

Using individual IAM users (each with a specific set of permissions) to access your AWS environment eliminates the risk of exposing your root account credentials in everyday use. To protect your AWS root account and adhere to IAM security best practices, Cloud Conformity strongly recommends creating IAM users for everyday work with AWS so that the root credentials are not used.

Audit

To determine if there are any IAM users created in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 On the Users page, check the list for any available IAM users. If the users list is empty and a “No records found.” message is displayed, there are no IAM users created and the access to your account is made via the root user (not recommended).

05 Repeat steps no. 1 – 4 for all the AWS accounts that you want to examine.

Using AWS CLI

01 Run the list-users command (OSX/Linux/UNIX) to list all IAM users within your AWS account:

aws iam list-users

02 The command output should return an array that contains the metadata for all the IAM users currently available in your account. Otherwise, an empty array is returned:

{
    "Users": []
}

If the Users array is empty, i.e. [ ], there are no IAM users created for accessing the AWS account, and access is instead made through the root user (not recommended).

03 Repeat steps no. 1 and 2 for all the AWS accounts that you want to examine via CLI.

Remediation / Resolution

To create IAM users necessary for everyday access to your AWS account, perform the following:

Note: As an example, a new IAM user with administrative privileges will be created to eliminate the need for using the root account. However, it is recommended to create individual IAM users for all the different roles within your organization, such as administrators, developers, security and compliance managers, etc.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 On the Users page, click the Create New Users button to set up the new IAM user.

05 On the Create User page, under Enter User Names, enter the name for your user in the first box. You can create multiple IAM users at once if necessary.

06 Make sure that the Generate an access key for each user checkbox is selected if you need access keys for your user so that AWS can generate the key pair for you.

07 Click Create to create the IAM user.

08 Click Download Credentials to save the file with your user access key (Access Key ID and Secret Access Key) to a secure location on your machine. Once the file is downloaded, click the Close link to return to the Users page.

09 Click on the newly created IAM user name to access its configuration page.

10 Select the Permissions tab and click the Attach Policy button to define the user access permissions.

11 On the Attach Policy page, select the AdministratorAccess managed policy and click Attach Policy. The selected policy will provide the IAM user full admin privileges in order to replace the use of the root account.

12 Select the Security Credentials tab to set up a password for the IAM user, required to access the account via AWS Management Console.

13 Under Sign-In Credentials section, click the Manage Password button to assign a new password.

14 On the Manage Password page, select one of the following options to create the user password:

  1. Select Assign an auto-generated password if you want AWS IAM to generate automatically a new password for you.
  2. Select Assign a custom password to provide your own custom password.

15 Click Download Credentials to save the file that contains your new IAM user password to a secure location on your machine. Once the file is downloaded, click the Close link to return to the user configuration page.

16 In the left navigation panel, choose Dashboard and copy the sign-in link available under IAM users sign-in link section to your clipboard.

17 Sign out from your root account, paste the sign-in link copied at the previous step into your browser address bar and test your new IAM user credentials.

Using AWS CLI

01 Run the create-user command (OSX/Linux/UNIX) to create a new IAM user. The following command example creates an IAM user named aws-account-administrator:

aws iam create-user \
    --user-name aws-account-administrator

02 If successful, the command output should return the new IAM user's metadata (username, ID, ARN, etc.):

{
    "User": {
        "UserName": "aws-account-administrator",
        "Path": "/",
        "CreateDate": "2016-05-19T18:47:31.683Z",
        "UserId": "AAAABBBBCCCCDDDDEEEE",
        "Arn": "arn:aws:iam::123456789012:user/aws-account-administrator"
    }
}

03 Run the attach-user-policy command (OSX/Linux/UNIX) to attach the specified managed policy, identified by its ARN, to the newly created IAM user (if successful, the command returns no output):

aws iam attach-user-policy \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
    --user-name aws-account-administrator

04 Run the create-login-profile command (OSX/Linux/UNIX) to assign a password for the IAM user (replace the <password> placeholder with your own password):

aws iam create-login-profile \
    --user-name aws-account-administrator \
    --password <password> \
    --no-password-reset-required

05 The command output should return the IAM user login profile metadata:

{
    "LoginProfile": {
        "UserName": "aws-account-administrator",
        "CreateDate": "2016-05-19T34:12:30.683Z",
        "PasswordResetRequired": false
    }
}
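The following Python is an added example, not Cloud Conformity's code: it applies the audit logic of the "Using AWS CLI" audit steps (an empty Users array means root-only access) across several accounts and wraps the three remediation commands above in the order the page gives them. It assumes the AWS CLI is installed with one named profile per account; the helper names (aws_cli, evaluate_list_users, audit_accounts, remediation_commands, remediate) are chosen here, and the default of forcing a password change at first sign-in is this example's choice, not the page's.

```python
"""Added example: audit and remediation helpers for the IAM User Present rule."""
import getpass
import json
import subprocess
from typing import Dict, List, Optional

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # policy named on the page


def aws_cli(args: List[str], profile: Optional[str] = None) -> dict:
    """Run one AWS CLI command with JSON output and return the parsed result ({} if empty)."""
    cmd = ["aws"] + (["--profile", profile] if profile else []) + args + ["--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def evaluate_list_users(list_users_output: dict) -> Dict[str, object]:
    """Apply the audit rule to the JSON returned by `aws iam list-users`.
    An empty "Users" array means nobody has an IAM identity, so everyday access
    must be happening through the root user: the rule reports FAIL.
    """
    names = sorted(u["UserName"] for u in list_users_output.get("Users") or [])
    return {"status": "PASS" if names else "FAIL", "user_count": len(names), "user_names": names}


def audit_accounts(profiles: List[str]) -> Dict[str, Dict[str, object]]:
    """Audit step 03: repeat the check for every account, one AWS CLI profile per account."""
    return {p: evaluate_list_users(aws_cli(["iam", "list-users"], profile=p)) for p in profiles}


def remediation_commands(user_name: str, password: str, reset_required: bool = True) -> List[List[str]]:
    """Remediation steps 01, 03 and 04 as argv lists, in the order the page gives them.
    By default the new user must change the password at first sign-in; the page's example
    uses --no-password-reset-required, which is opt-in here (this example's choice).
    """
    reset_flag = "--password-reset-required" if reset_required else "--no-password-reset-required"
    return [
        ["aws", "iam", "create-user", "--user-name", user_name],
        ["aws", "iam", "attach-user-policy", "--policy-arn", ADMIN_POLICY_ARN, "--user-name", user_name],
        ["aws", "iam", "create-login-profile", "--user-name", user_name, "--password", password, reset_flag],
    ]


def remediate(user_name: str, profile: Optional[str] = None) -> dict:
    """Create the admin IAM user; the password is prompted for rather than hard-coded in a script."""
    password = getpass.getpass(f"Console password for {user_name}: ")
    result = {}
    for cmd in remediation_commands(user_name, password):
        result = aws_cli(cmd[1:], profile=profile)  # aws_cli prepends "aws" itself
    return result  # the last call returns the LoginProfile metadata shown in step 05
```

Run audit_accounts(["prod", "staging"]) to get a per-account PASS/FAIL map, and remediate("aws-account-administrator", profile="prod") only for accounts that report FAIL.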

Publication date May 20, 2016