Check for Unapproved IAM Users Existence

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: IAM-058

Ensure that all Amazon IAM users available within AWS account are safelisted (trusted) in order to protect your AWS cloud resources against unapproved access and meet compliance requirements within your organization. Prior to running this rule by the Cloud Conformity engine, the list with the approved IAM users (i.e. IAM user safelist) must be configured within the rule settings, on the Cloud Conformity account dashboard.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When Amazon IAM user safelisting is used, you can explicitly specify the users that are allowed to access your AWS services and resources and mark all other users as unapproved or unauthorized. To adhere to Amazon IAM security best practices, you can either remove the untrusted IAM users or safelist them after a complete compliance review.


Audit

To identify any unapproved Amazon IAM users available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity account, access Check for Unapproved IAM User Existence conformity rule settings and identify the Amazon IAM user safelist, defined for your AWS account.

02 Sign in to the AWS Management Console.

03 Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

04 In the left navigation panel, under Access Management, choose Users to access all your existing IAM users. Compare each user listed on the Users page against the IAM user safelist identified at step no. 1 to determine if there are IAM users that are not defined within the IAM user safelist. If not all verified users are safelisted within the conformity rule settings, there are unapproved Amazon IAM users currently available in AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity account, access Check for Unapproved IAM User Existence conformity rule settings and identify the Amazon IAM user safelist, defined for your AWS account.

02 Run list-users command (OSX/Linux/UNIX) with custom query filters to list the names of all IAM users currently available within your AWS account:

aws iam list-users \
  --output table \
  --query 'Users[*].UserName'

03 The command output should return the names (identifiers) of all existing Amazon IAM users:

-------------------------
|       ListUsers       |
+-----------------------+
|  cc-rds-manager       |
|  cc-ec2-developers    |
|  cc-platform-admin    |
|  cc-accounting-dep    |
|  cc-iam-manager       |
|  cc-sysops-admin      |
|  cc-aurora-developer  |
+-----------------------+

Compare each user returned by the list-users command output against the IAM user safelist identified at step no. 1 to determine if there are IAM users that are not defined within the IAM user safelist. If not all verified users are safelisted in the conformity rule settings, there are unapproved Amazon IAM users currently available within AWS account.
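The comparison in step no. 3, scripted as an added example (not Cloud Conformity's own code); it assumes the IAM user safelist has been exported to a file with one user name per line, and the demo uses a constructed safelist together with the user names from the sample table above:

```shell
#!/bin/sh
# Added example (not Cloud Conformity's own code): compare the IAM user names
# returned by `aws iam list-users` against a safelist file and report the users
# that are not safelisted. Assumes the safelist has one IAM user name per line.

# find_unapproved SAFELIST_FILE USER...
#   Prints each user not found in SAFELIST_FILE (exact, whole-line match).
#   Returns 0 when every user is safelisted, 1 otherwise.
find_unapproved() {
  safelist="$1"; shift
  rc=0
  for u in "$@"; do
    if ! grep -qxF -- "$u" "$safelist"; then
      printf '%s\n' "$u"
      rc=1
    fi
  done
  return $rc
}

# audit_account SAFELIST_FILE
#   Pulls the live user list with the AWS CLI (needs configured credentials);
#   --output text prints the names tab-separated, so word splitting yields one
#   argument per user.
audit_account() {
  # shellcheck disable=SC2046  # splitting is intended here
  find_unapproved "$1" $(aws iam list-users --output text --query 'Users[*].UserName')
}

# demo: constructed safelist checked against the user names shown in the
# page's list-users output table; reports cc-rds-manager, cc-ec2-developers
# and cc-accounting-dep as unapproved.
demo() {
  tmp=$(mktemp)
  printf '%s\n' cc-platform-admin cc-iam-manager cc-sysops-admin cc-aurora-developer > "$tmp"
  find_unapproved "$tmp" cc-rds-manager cc-ec2-developers cc-platform-admin \
    cc-accounting-dep cc-iam-manager cc-sysops-admin cc-aurora-developer || true
  rm -f "$tmp"
}
```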

Remediation / Resolution

Case A: To remove any unapproved (unauthorized) IAM users from your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access Management, choose Users to access all the IAM users available in your AWS account.

04 Select the unapproved IAM user that you want to remove (see Audit section part I to identify the right user).

05 Click on the Delete User button from the dashboard top menu to initiate the user removal process.

06 In the Delete User dialog box, review the user data to make sure it's safe to delete it as the user will be permanently deleted (including all its data, user security credentials, and user inline policies), then click Yes, delete to confirm the action.

07 Repeat steps no. 4 – 6 to remove any other unapproved IAM users available in your AWS account.

Using AWS CLI

01 Unlike the AWS Management Console, deleting an IAM user programmatically requires you to first remove the item(s) attached to the user manually, or the deletion request fails. For more information, see the Deleting an IAM User page. For example, to remove the password of the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console, run the delete-login-profile command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to delete as the identifier parameter (if successful, the command does not return an output):

aws iam delete-login-profile \
  --user-name cc-rds-manager

02 Once all the items associated with the specified IAM user are removed and/or detached, run delete-user command (OSX/Linux/UNIX) to remove the unapproved (unauthorized) Amazon IAM user (if successful, the command does not produce an output):

aws iam delete-user \
  --user-name cc-rds-manager

03 Repeat step no. 1 and 2 for each unapproved IAM user available within your AWS account.
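Steps no. 1 and 2 carried through for every item that must be removed before delete-user succeeds, as an added example (not Cloud Conformity's own code); it assumes configured AWS CLI credentials with IAM write permissions, and the AWS_CMD variable is an assumption that lets the real binary be swapped for a stub during a dry run:

```shell
#!/bin/sh
# Added example (not Cloud Conformity's own code): remove everything the IAM
# API requires to be detached from a user, then delete the user. Assumes
# configured AWS CLI credentials with IAM write permissions; AWS_CMD (an
# assumption, not a CLI feature) lets the real `aws` binary be swapped for a stub.
set -e

run() { "${AWS_CMD:-aws}" "$@"; }

# list_text SUBCOMMAND USER JMESPATH: run an iam list-* call as plain text so
# the result splits into one word per item (empty when nothing is attached).
list_text() { run iam "$1" --user-name "$2" --output text --query "$3"; }

delete_iam_user_fully() {
  user="$1"
  # Console password: the call fails if the user never had a login profile.
  run iam delete-login-profile --user-name "$user" 2>/dev/null || true
  for k in $(list_text list-access-keys "$user" 'AccessKeyMetadata[*].AccessKeyId'); do
    run iam delete-access-key --user-name "$user" --access-key-id "$k"
  done
  for c in $(list_text list-signing-certificates "$user" 'Certificates[*].CertificateId'); do
    run iam delete-signing-certificate --user-name "$user" --certificate-id "$c"
  done
  for s in $(list_text list-ssh-public-keys "$user" 'SSHPublicKeys[*].SSHPublicKeyId'); do
    run iam delete-ssh-public-key --user-name "$user" --ssh-public-key-id "$s"
  done
  for i in $(list_text list-service-specific-credentials "$user" 'ServiceSpecificCredentials[*].ServiceSpecificCredentialId'); do
    run iam delete-service-specific-credential --user-name "$user" --service-specific-credential-id "$i"
  done
  for m in $(list_text list-mfa-devices "$user" 'MFADevices[*].SerialNumber'); do
    run iam deactivate-mfa-device --user-name "$user" --serial-number "$m"
  done
  for p in $(list_text list-attached-user-policies "$user" 'AttachedPolicies[*].PolicyArn'); do
    run iam detach-user-policy --user-name "$user" --policy-arn "$p"
  done
  for p in $(list_text list-user-policies "$user" 'PolicyNames[*]'); do
    run iam delete-user-policy --user-name "$user" --policy-name "$p"
  done
  for g in $(list_text list-groups-for-user "$user" 'Groups[*].GroupName'); do
    run iam remove-user-from-group --user-name "$user" --group-name "$g"
  done
  # Only now does delete-user succeed; it fails with DeleteConflict otherwise.
  run iam delete-user --user-name "$user"
}
```

Dry-run it first with AWS_CMD pointed at a stub that only logs its arguments, then run it against one unapproved user at a time.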

Case B: If the selected unapproved Amazon IAM user is vital for your AWS cloud infrastructure and resources, or you just want to mark it as compliant, add the selected user to the IAM user safelist, defined in the rule settings, on your Cloud Conformity account dashboard.
