-
Notifications
You must be signed in to change notification settings - Fork 16
/
data.yaml
71 lines (63 loc) · 3.3 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
metadata:
id: a72cb3ec-36ae-56b0-815f-9f986f0d499f
name: Ensure IAM Users Receive Permissions Only Through Groups
profile_applicability: '* Level 1'
description: |-
IAM users are granted access to services, functions, and data through IAM policies.
There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy.
Only the third implementation is recommended.
rationale: |-
Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles.
By unifying permissions management, the likelihood of excessive permissions is reduced.
audit: |-
Perform the following to determine if an inline policy is set or a policy is directly attached to users:
1. Run the following to get a list of IAM users:
```
aws iam list-users --query 'Users[*].UserName' --output text
```
2. For each user returned, run the following command to determine if any policies are attached to them:
```
aws iam list-attached-user-policies --user-name <iam_user>
aws iam list-user-policies --user-name <iam_user>
```
3. If any policies are returned, the user has an inline policy or direct policy attachment.
remediation: |-
Perform the following to create an IAM group and assign a policy to it:
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
2. In the navigation pane, click `Groups` and then click `Create New Group` .
3. In the `Group Name` box, type the name of the group and then click `Next Step` .
4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click `Next Step` .
5. Click `Create Group`
Perform the following to add a user to a given group:
6. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
7. In the navigation pane, click `Groups`
8. Select the group to add a user to
9. Click `Add Users To Group`
10. Select the users to be added to the group
11. Click `Add Users`
Perform the following to remove a direct association between a user and policy:
12. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
13. In the left navigation pane, click on Users
14. For each user:
- Select the user
- Click on the `Permissions` tab
- Expand `Permissions policies`
- Click `X` for each policy; then click Detach or Remove (depending on policy type)
impact: ''
default_value: ''
references: |-
1. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
2. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
section: Identity and Access Management
version: '1.0'
tags:
- CIS
- AWS
- CIS 1.15
- Identity and Access Management
benchmark:
name: CIS Amazon Web Services Foundations
version: v1.5.0
id: cis_aws
rule_number: '1.15'
posture_type: cspm