Ensure that every Amazon IAM user present in your AWS account is safelisted (trusted), so that your AWS cloud resources are protected against unapproved access and your organization's compliance requirements are met. Before the Cloud Conformity engine runs this rule, the list of approved IAM users (the IAM user safelist) must be configured in the rule settings on the Cloud Conformity account dashboard.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
With Amazon IAM user safelisting, you explicitly name the users that are allowed to access your AWS services and resources; every other user is treated as unapproved or unauthorized. To adhere to Amazon IAM security best practices, either remove the untrusted IAM users or safelist them after a complete compliance review.
Audit
To identify any unapproved Amazon IAM users available in your AWS account, perform the following actions:
Remediation / Resolution
Case A: To remove any unapproved (unauthorized) IAM users from your AWS account, perform the following actions:
Case B: If the selected unapproved Amazon IAM user is vital for your AWS cloud infrastructure and resources, or you just want to mark it as compliant, add the selected user to the IAM user safelist, defined in the rule settings, on your Cloud Conformity account dashboard.
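The comparison that the Audit section describes, as an added example that is not Cloud Conformity's own code: it takes the JSON printed by `aws iam list-users` (the reference list below names this command) and reports every user whose name is missing from the safelist. The embedded list-users output and the SAFELIST value are constructed samples standing in for a real account and for the safelist configured in the rule settings; the `--live` switch is an assumption of this script, not a Cloud Conformity feature.

```python
import json
import subprocess
import sys

# Constructed sample of `aws iam list-users --output json` output (not data from a real account).
SAMPLE_LIST_USERS_OUTPUT = json.dumps({"Users": [
    {"UserName": "alice", "Arn": "arn:aws:iam::111122223333:user/alice",
     "CreateDate": "2023-01-10T09:12:00+00:00", "PasswordLastUsed": "2024-03-01T08:00:00+00:00"},
    {"UserName": "Build-Bot", "Arn": "arn:aws:iam::111122223333:user/Build-Bot",
     "CreateDate": "2023-05-02T14:30:00+00:00"},
    {"UserName": "contractor-tmp", "Arn": "arn:aws:iam::111122223333:user/contractor-tmp",
     "CreateDate": "2024-02-20T16:45:00+00:00", "PasswordLastUsed": "2024-02-21T10:05:00+00:00"},
]})

# Hypothetical safelist, standing in for the IAM user safelist defined in the rule settings.
SAFELIST = ["alice", "build-bot"]


def normalize(name: str) -> str:
    """IAM user names are not distinguished by case, so compare them case-insensitively."""
    return name.strip().lower()


def find_unapproved_users(list_users_json: str, safelist) -> list:
    """Return the user records from list-users output whose UserName is not safelisted."""
    approved = {normalize(n) for n in safelist}
    users = json.loads(list_users_json).get("Users", [])
    return [u for u in users if normalize(u["UserName"]) not in approved]


def audit_report(list_users_json: str, safelist) -> list:
    """One finding line per unapproved user; an empty list means the account is compliant."""
    findings = []
    for u in find_unapproved_users(list_users_json, safelist):
        # Users who never signed in to the console (or have no password) carry no PasswordLastUsed key.
        last_used = u.get("PasswordLastUsed", "never")
        findings.append(f"UNAPPROVED {u['UserName']} ({u['Arn']}) created {u['CreateDate']}, "
                        f"password last used {last_used}")
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Real run: the AWS CLI pages through list-users itself and prints the complete JSON.
        output = subprocess.run(["aws", "iam", "list-users", "--output", "json"],
                                check=True, capture_output=True, text=True).stdout
    else:
        output = SAMPLE_LIST_USERS_OUTPUT
    report = audit_report(output, SAFELIST)
    print("\n".join(report) if report else "All IAM users are safelisted")
    sys.exit(1 if report else 0)
```

Each finding maps to the two remediation cases: delete the user (Case A) or add its name to the safelist and re-run (Case B).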
References
- AWS Documentation
  - AWS IAM FAQs
  - Managing IAM Users
- AWS Command Line Interface (CLI) Documentation
  - iam
  - list-users
  - delete-login-profile
  - delete-user
Rule: Check for Unapproved IAM Users Existence
Risk level: Medium