Ensure there is an IAM group that has the types of permissions that administrators typically need, available within your AWS account. Prior to running this rule by the Cloud Conformity engine, the name of the admin group must be specified in the rule settings, on your Cloud Conformity account dashboard.
An IAM group is a collection of IAM users that you can use to make the access permissions easier to manage for the assigned users. An IAM group that provides administrator-level permissions is a group that has attached an IAM policy with the following statement: "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ]. When an IAM user gets assigned to an admin group, the IAM identity receives automatically the group privileges which grants him the authorization to provision, configure or remove any AWS resource and use any AWS service available. The IAM admin group will allow you to add or remove IAM users that require administrative privileges to your AWS resources.
Audit
To determine if there is an IAM group that provides administrative privileges available in your AWS account, perform the following:
Remediation / Resolution
To create an Amazon IAM group that provides administrative permissions to the IAM users assigned to the group, required for administration purposes, perform the following actions:
References
- AWS Documentation
- Identities (Users, Groups, and Roles)
- IAM Groups
- IAM Best Practices
- IAM JSON Policy Reference
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- iam
- list-groups
- list-attached-group-policies
- get-policy-version
- create-policy
- create-group
- attach-group-policy
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
for and
Get started for FREE
You are auditing:
IAM Group with Administrator Privileges In Use
Risk level: Medium