Simplifying User Authentication: The Benefits of an IAM Solution
In today’s digital landscape, user authentication plays a critical role in ensuring the security of sensitive information. With the increasing number of online services and applications, managing user identities and access rights can quickly become a complex and time-consuming task. This is where an Identity and Access Management (IAM) solution comes into play. In this article, we will explore the benefits of implementing an IAM solution for your organization.
Enhanced Security
One of the primary advantages of an IAM solution is enhanced security. Traditional username and password authentication methods are no longer sufficient to protect against modern cyber threats. An IAM solution provides a robust framework for implementing multi-factor authentication, which adds an extra layer of security by requiring users to provide additional credentials such as a fingerprint scan or a one-time password.
Additionally, an IAM solution enables centralized management of user access rights. This means that administrators can easily control who has access to specific resources within the organization’s network. By implementing granular access controls, organizations can minimize the risk of unauthorized access and data breaches.
Streamlined User Experience
Implementing an IAM solution not only improves security but also enhances the user experience. With traditional authentication methods, users often need to remember multiple usernames and passwords for different applications. This can lead to frustration and increased support requests.
An IAM solution simplifies this process by providing users with a single set of credentials that grant them access to all authorized applications and services. Users no longer need to remember multiple passwords or go through separate login processes for each application they use. This streamlined approach saves time for both users and IT support teams.
Increased Productivity
Another significant benefit of an IAM solution is increased productivity within the organization. Without proper identity management practices in place, employees may waste valuable time trying to gain access to necessary resources or waiting for IT support assistance.
By implementing an IAM solution, organizations can significantly reduce these productivity bottlenecks. Users can quickly and securely access the resources they need, without unnecessary delays or interruptions. This allows employees to focus on their tasks and responsibilities, resulting in improved overall efficiency.
Compliance and Auditability
Compliance with industry regulations and internal policies is a top priority for organizations across various sectors. An IAM solution provides the necessary tools and controls to ensure compliance with regulatory requirements such as GDPR (General Data Protection Regulation) or HIPAA (Health Insurance Portability and Accountability Act).
IAM solutions enable organizations to enforce strong password policies, monitor user activity, and generate comprehensive audit logs. These features are crucial for demonstrating compliance during audits or investigations.
Furthermore, an IAM solution simplifies the process of revoking access rights when an employee leaves the organization or changes roles. This ensures that former employees or individuals with outdated privileges cannot gain unauthorized access to sensitive information.
In conclusion, implementing an IAM solution offers numerous benefits for organizations seeking to simplify user authentication processes. From enhanced security and streamlined user experience to increased productivity and compliance, an IAM solution is a valuable addition to any organization’s cybersecurity strategy. By investing in an IAM solution, organizations can protect their sensitive information while providing a seamless experience for their users.
This text was generated using a large language model, and select text has been reviewed and moderated for purposes such as readability.
Creating a role to delegate permissions to an IAM user
You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted accounts. The trusting account owns the resource to be accessed and the trusted account contains the users who need access to the resource. However, it is possible for another account to own a resource in your account. For example, the trusting account might allow the trusted account to create new resources, such as creating new objects in an Amazon S3 bucket. In that case, the account that creates the resource owns the resource and controls who can access that resource.
After you create the trust relationship, an IAM user or an application from the trusted account can use the AWS Security Token Service (AWS STS) AssumeRole API operation. This operation provides temporary security credentials that enable access to AWS resources in your account.
The accounts can both be controlled by you, or the account with the users can be controlled by a third party. If the other account with the users is an AWS account that you do not control, then you can use the externalId attribute. The external ID can be any word or number that is agreed upon between you and the administrator of the third-party account. This option automatically adds a condition to the trust policy that allows the user to assume the role only if the request includes the correct sts:ExternalID . For more information, see How to use an external ID when granting access to your AWS resources to a third party .
For information about how to use roles to delegate permissions, see Roles terms and concepts . For information about using a service role to allow services to access resources in your account, see Creating a role to delegate permissions to an AWS service .
Creating an IAM role (console)
You can use the AWS Management Console to create a role that an IAM user can assume. For example, assume that your organization has multiple AWS accounts to isolate a development environment from a production environment. For high-level information about creating a role that allows users in the development account to access resources in the production account, see Example scenario using separate development and production accounts .
To create a role (console)
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/ .
In the navigation pane of the console, choose Roles and then choose Create role .
Choose AWS account role type.
To create a role for your account, choose This account . To create a role for another account, choose Another AWS account and enter the Account ID to which you want to grant access to your resources.
The administrator of the specified account can grant permission to assume this role to any IAM user in that account. To do this, the administrator attaches a policy to the user or a group that grants permission for the sts:AssumeRole action. That policy must specify the role's ARN as the Resource .
If you are granting permissions to users from an account that you do not control, and the users will assume this role programmatically, select Require external ID . The external ID can be any word or number that is agreed upon between you and the administrator of the third party account. This option automatically adds a condition to the trust policy that allows the user to assume the role only if the request includes the correct sts:ExternalID . For more information, see How to use an external ID when granting access to your AWS resources to a third party .
Choosing this option restricts access to the role only through the AWS CLI, Tools for Windows PowerShell, or the AWS API. This is because you cannot use the AWS console to switch to a role that has an externalId condition in its trust policy. However, you can create this kind of access programmatically by writing a script or an application using the relevant SDK. For more information and a sample script, see How to Enable Cross-Account Access to the AWS Management Console in the AWS Security Blog.
If you want to restrict the role to users who sign in with multi-factor authentication (MFA), select Require MFA . This adds a condition to the role's trust policy that checks for an MFA sign-in. A user who wants to assume the role must sign in with a temporary one-time password from a configured MFA device. Users without MFA authentication cannot assume the role. For more information about MFA, see Using multi-factor authentication (MFA) in AWS .
Choose Next .
IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions policy or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see Creating IAM policies . After you create the policy, close that tab and return to your original tab. Select the check box next to the permissions policies that you want anyone who assumes the role to have. If you prefer, you can select no policies at this time, and then attach policies to the role later. By default, a role has no permissions.
(Optional) Set a permissions boundary . This is an advanced feature.
Open the Set permissions boundary section and choose Use a permissions boundary to control the maximum role permissions . Select the policy to use for the permissions boundary.
For Role name , enter a name for your role. Role names must be unique within your AWS account. When a role name is used in a policy or as part of an ARN, the role name is case sensitive. When a role name appears to customers in the console, such as during the sign-in process, the role name is case insensitive. Because various entities might reference the role, you can't edit the name of the role after it is created.
(Optional) For Description , enter a description for the new role.
Choose Edit in the Step 1: Select trusted entities or Step 2: Add permissions sections to edit the use cases and permissions for the role.
(Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM resources .
Review the role and then choose Create role .
Remember that this is only the first half of the configuration required. You must also give individual users in the trusted account permissions to switch to the role in the console, or assume the role programmatically. For more information about this step, see Granting a user permissions to switch roles .
Creating an IAM role (AWS CLI)
Creating a role from the AWS CLI involves multiple steps. When you use the console to create a role, many of the steps are done for you, but with the AWS CLI you must explicitly perform each step yourself. You must create the role and then assign a permissions policy to the role. Optionally, you can also set the permissions boundary for your role.
To create a role for cross-account access (AWS CLI)
Create a role: aws iam create-role
Attach a managed permissions policy to the role: aws iam attach-role-policy
Create an inline permissions policy for the role: aws iam put-role-policy
(Optional) Add custom attributes to the role by attaching tags: aws iam tag-role
For more information, see Managing tags on IAM roles (AWS CLI or AWS API) .
(Optional) Set the permissions boundary for the role: aws iam put-role-permissions-boundary
A permissions boundary controls the maximum permissions that a role can have. Permissions boundaries are an advanced AWS feature.
The following example shows the first two, and most common steps for creating a cross-account role in a simple environment. This example allows any user in the 123456789012 account to assume the role and view the example_bucket Amazon S3 bucket. This example also assumes that you are using a client computer running Windows, and have already configured your command line interface with your account credentials and Region. For more information, see Configuring the AWS Command Line Interface .
In this example, include the following trust policy in the first command when you create the role. This trust policy allows users in the 123456789012 account to assume the role using the AssumeRole operation, but only if the user provides MFA authentication using the SerialNumber and TokenCode parameters. For more information about MFA, see Using multi-factor authentication (MFA) in AWS .
If your Principal element contains the ARN for a specific IAM role or user, then that ARN is transformed to a unique principal ID when the policy is saved. This helps mitigate the risk of someone escalating their permissions by removing and recreating the role or user. You don't normally see this ID in the console because there is also a reverse transformation back to the ARN when the trust policy is displayed. However, if you delete the role or user, then the principal ID appears in the console because AWS can no longer map it back to an ARN. Therefore, if you delete and recreate a user or role referenced in a trust policy's Principal element, you must edit the role to replace the ARN.
When you use the second command, you must attach an existing managed policy to the role. The following permissions policy allows anyone who assumes the role to perform only the ListBucket action on the example_bucket Amazon S3 bucket.
To create this Test-UserAccess-Role role, you must first save the previous trust policy with the name trustpolicyforacct123456789012.json to the policies folder in your local C: drive. Then save the previous permissions policy as a customer managed policy in your AWS account with the name PolicyForRole . You can then use the following commands to create the role and attach the managed policy.
Remember that this is only the first half of the configuration required. You must also give individual users in the trusted account permissions to switch to the role. For more information about this step, see Granting a user permissions to switch roles .
After you create the role and grant it permissions to perform AWS tasks or access AWS resources, any users in the 123456789012 account can assume the role. For more information, see Switching to an IAM role (AWS CLI) .
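The two-step CLI walk-through above, together with the trust policy and permissions policy it refers to, as an added Python example (not the AWS documentation's own code): it builds both policy documents, checks that the trust policy really carries the MFA condition, writes the files, and emits the create-role and attach-role-policy commands. The trusting account ID is not given on the page, so a labelled placeholder is used; the output folder name is an assumption.

```python
"""Build the trust policy and permissions policy for the cross-account role
described above and emit the two AWS CLI commands that create it.
Added example, not the AWS documentation's own code."""
import json
from pathlib import Path

TRUSTED_ACCOUNT = "123456789012"            # account whose users may assume the role (from the page)
TRUSTING_ACCOUNT = "<TRUSTING_ACCOUNT_ID>"  # placeholder: the account that owns the role and bucket
ROLE_NAME = "Test-UserAccess-Role"
BUCKET = "example_bucket"
MANAGED_POLICY_NAME = "PolicyForRole"


def trust_policy(trusted_account: str, require_mfa: bool = True) -> dict:
    """Trust policy: any principal in the trusted account may call sts:AssumeRole,
    but only when the caller authenticated with MFA (SerialNumber/TokenCode)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # aws:MultiFactorAuthPresent is true only for sessions that used MFA.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def permissions_policy(bucket: str) -> dict:
    """Permissions policy: only s3:ListBucket on the named bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
        }],
    }


def requires_mfa(policy: dict) -> bool:
    """True if every Allow statement granting sts:AssumeRole carries the MFA
    condition. Useful as a check on trust policies pulled from an account."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            cond = stmt.get("Condition", {}).get("Bool", {})
            if str(cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
                return False
    return True


def cli_commands(trusting_account: str, policy_file: str) -> list:
    """The two commands from the walk-through: create the role with the trust
    policy file, then attach the customer managed policy by its ARN."""
    return [
        f"aws iam create-role --role-name {ROLE_NAME} "
        f"--assume-role-policy-document file://{policy_file}",
        f"aws iam attach-role-policy --role-name {ROLE_NAME} "
        f"--policy-arn arn:aws:iam::{trusting_account}:policy/{MANAGED_POLICY_NAME}",
    ]


def write_policy_files(folder: Path) -> Path:
    """Write both documents; returns the trust policy path used by create-role."""
    folder.mkdir(parents=True, exist_ok=True)
    trust_path = folder / f"trustpolicyforacct{TRUSTED_ACCOUNT}.json"
    trust_path.write_text(json.dumps(trust_policy(TRUSTED_ACCOUNT), indent=2))
    (folder / f"{MANAGED_POLICY_NAME}.json").write_text(
        json.dumps(permissions_policy(BUCKET), indent=2))
    return trust_path


if __name__ == "__main__":
    # On the Windows client in the walk-through this folder would be C:\policies.
    path = write_policy_files(Path("policies"))
    if not requires_mfa(trust_policy(TRUSTED_ACCOUNT)):
        raise SystemExit("trust policy is missing the MFA condition")
    for cmd in cli_commands(TRUSTING_ACCOUNT, str(path)):
        print(cmd)
```

Save PolicyForRole.json as a customer managed policy first (the page's second step attaches it by ARN), then run the printed commands from a session with credentials for the trusting account.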
Creating an IAM role (AWS API)
Creating a role from the AWS API involves multiple steps. When you use the console to create a role, many of the steps are done for you, but with the API you must explicitly perform each step yourself. You must create the role and then assign a permissions policy to the role. Optionally, you can also set the permissions boundary for your role.
To create a role in code (AWS API)
Create a role: CreateRole
For the role's trust policy, you can specify a file location.
Attach a managed permission policy to the role: AttachRolePolicy
Create an inline permission policy for the role: PutRolePolicy
(Optional) Add custom attributes to the role by attaching tags: TagRole
For more information, see Managing tags on IAM users (AWS CLI or AWS API) .
(Optional) Set the permissions boundary for the role: PutRolePermissionsBoundary
After you create the role and grant it permissions to perform AWS tasks or access AWS resources, you must grant permissions to users in the account to allow them to assume the role. For more information about assuming a role, see Switching to an IAM role (AWS API) .
Creating an IAM role (AWS CloudFormation)
For information about creating an IAM role in AWS CloudFormation, see the resource and property reference and examples in the AWS CloudFormation User Guide .
For more information about IAM templates in AWS CloudFormation, see AWS Identity and Access Management template snippets in the AWS CloudFormation User Guide .
Assigning Permissions to an IAM User
IAM users created without being added to any groups do not have any permissions. The administrator can assign permissions to these IAM users on the IAM console. IAM users can also assign permissions to themselves. After authorization, the users can use cloud resources in your account as specified by their permissions.
Constraints
A maximum of 500 permissions (including system-defined permissions and custom policies) can be assigned to each IAM user for enterprise projects.
- Log in to the IAM console as the administrator.
- If you select this option, select the user groups to which the user will belong.
- If you select this option, select permissions, click Next in the lower right, and then go to 4 .
- If you add an IAM user to the default group admin , the user becomes an administrator and can perform all operations on all cloud services.
- If you add a user to multiple user groups, the user inherits the permissions that are assigned to these groups.
- For details on the system-defined permissions of all cloud services supported by IAM, see System-defined Permissions .
- If you have enabled enterprise management, you cannot create projects in IAM.
- On the Select Scope page, select enterprise projects that the IAM user can access. You do not need to perform this step if you have selected Inherit permissions from user groups .
You can go to the Permissions > Authorization page and view or modify the permissions of the IAM user.
© 2023, Huawei Cloud Computing Technologies Co., Ltd. and/or its affiliates. All rights reserved.

Attaching IAM policies to an existing user
You must attach policies to the dedicated IAM user in order to grant specific permissions, which will allow AnyNet IRIS to function.
For detailed information about each policy, see Required IAM Managed Policies .
- Ensure you remain signed in to AWS as the root user.
- Navigate to IAM Services using the following URL: https://console.aws.amazon.com/iam/
- In the left-hand navigation menu, select Users . The AnyNet IRIS user you created is listed.
- Select the AnyNet IRIS IAM user name. For example, select anynetuser . The IAM user Summary appears.
- On the Permissions tab, select Add permissions .
- Under Grant permissions , select Attach existing policies directly .
- Using the Search box, search for: AmazonEC2ReadOnlyAccess . Select the check box alongside the returned result.
- Search for each of the following policies in turn, ensuring you select the check box alongside each returned listing:
  - AmazonEventBridgeFullAccess
  - AmazonS3FullAccess
  - AWSCloudFormationFullAccess
  - AWSCloudTrail_FullAccess
  - AWSIoTFullAccess
  - AWSIoTLogging
  - IAMFullAccess
  If you select the wrong policy, clear the check mark alongside it.
- Select Next: Review . The selected policies are displayed.
- Select Add permissions . The updated Summary page appears.
- Select Add inline policy .
- On the JSON tab, replace the existing text with the following JSON script:
  In the JSON text, replace <customer_id> with your AnyNet Cellular Connectivity for AWS IoT Customer ID. If you cannot remember your Customer ID, see Viewing the AnyNet IRIS Welcome page .
- Select Review policy . The Review policy page appears.
- In the Name field, type a name for the policy, for example: AnyNetSecurePolicy .
- Select Create policy . The IAM user account Permissions policies list updates to include the inline policy.

Where to next?
- Install and configure AnyNet IRIS
- Understand which IAM permissions are required for AWS integration. For more information, see Required IAM permissions .
Related resources
- AnyNet IRIS Quick Start Guide (PDF)


Proper Administrator Procedure in IAM Identity Center?
Hi, I'm an AWS administrator trying to transfer from the old IAM user approach to the new IAM Identity Center approach.
In the past, user Bob was attached to user group 'Developers' and then I gave Developers access to 'S3FullAccess'. In the new system, user Bob is attached to group 'Developers' to an account 'Developers' and then attach a permissions set with 'S3FullAccess' to that account.
My question is, why is there this abstraction to accounts and why do they need their own email? Am I expected to make a new email per group of users in AWS? This just seems like a redundancy.
My exact business case is that I'm trying to create a group of admins (from which there's already the management account we've been using) and then a group of developers (which have a different current UserGroup (without a separate email)) with least-privileged access to a few services for an application we're building, and then also a group for our web developers that maintain our website through AWS. I'd rather corral them in AWS internally without external email accounts as the old IAM currently does, and I don't understand the usefulness of abstracting them to accounts. Am I missing something? Is there another way to do this, or is there usefulness I'm not seeing?
To accomplish my current function with IAM Identity Center I need to have a management account (the first user), an application development account (account A), and a website development account (account B) correct?
Hello there,
Allow me to address these questions individually.
"Why is there this abstraction to accounts and why do they need their own email?"
IAM Identity Center and IAM differ in how user management is configured. For IAM, you are able to create a user and assign them to a group and give the group permissions. For IAM Identity Center, users are created using a username and email [1]. IAM Identity Center utilizes SAML (Security Assertion Markup Language) [2] to authenticate into an application. Most SAML-based applications use email as an attribute for federation. When you create users in IAM Identity Center, each user should have their own username and email.
"Am I expected to make a new email per group of users in AWS?"
No, an email does not need to be associated with a group, only a user. With IAM Identity Center you are able to manage access to AWS accounts through provisioning permission sets to a user or group [3]. Permission sets allow you to manage policies and permissions through users/groups within multiple accounts in your organization. Permission sets include AWS IAM managed policies, and they can also be custom made [4].
Taking your use case into account, you create a number of users each with their own usernames and emails. Then, you create a group in IAM Identity Center that gives admin permissions. You can then create another user and assign them a permission set directly which offers Developers or Web developers permissions. Alternatively, you assign the created user to a group which has the Developers or Web developers permission set attached to the group. For more information, see below.
Account assignments for AWS IAM Identity Center are a combination of the AWS account, permission set, and assigned users/groups. Therefore, in order to attach a permission set to an account, you will need to select the users/groups that will be able to access that account via the permission set. To view or modify user/group and permission set combinations follow these steps:
- Navigate to the AWS accounts page in the AWS Identity Center console
- Click on an account name you wish to provision permission sets in.
- Under the "users and groups" tab, you can see all identities and the permission sets they have access to.
- You can add users or groups from this page using the buttons on the right side.
- Select permission sets and new users or groups.
- Save changes to provision permission sets.
- Repeat steps 1-6 to add additional permission sets for a user or group in an account (or by selecting the user or group in an account and modifying the permission set associations).
For more information on this process, see reference [5].
"To accomplish my current function with IAM Identity Center I need to have a management account (the first user), an application development account (account A), and a website development account (account B) correct?"
Not quite, that is one way you can achieve your goal. If you have multiple accounts set up and attached to an organization, you can create permission sets and assign them to accounts and give your users access to those accounts [6]. Another way you can achieve your use case is by having a group called Admins which has the AdministratorAccess permission set. A group called developers which has a custom permission set which allows S3FullAccess. Then finally a group called Web Developers which has a custom permission set including the needed IAM policies. From there you can add your Identity Center users into those groups or assign permission sets to them individually. Please note that this all can be done within one account. For more information I have provided links below.
Feel free to reach back out if you need additional clarification.
- [1] Emails in Identity Center: https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html#username-email-unique
- [2] SAML Federation: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlfederationconcept.html
- [3] Permission Sets: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html
- [4] Custom Permissions: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html
- [5] Single sign-on access: https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html
- [6] Multi-account permissions: https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html
Receive Permissions via IAM Groups Only
Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.
Ensure that your Amazon IAM users are getting their access permissions only through IAM groups in order to follow the Principle of Least Privilege (POLP) and allow you to manage more efficiently user-based access to your AWS resources.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here .
This rule can help you work with the AWS Well-Architected Framework .
This rule resolution is part of the Conformity Security & Compliance tool for AWS .
IAM users are granted access to AWS cloud services, resources, and data through IAM policies. You can define policies for an IAM user by:
1) editing the user policy directly,
2) attaching a policy directly to a user,
3) adding the user to an IAM group and assigning the required policy to that group.
To follow IAM security best practices, only the third method is recommended. Assigning access policies only through IAM groups unifies permissions management to a single, flexible layer, consistent with organizational functional roles. Therefore, instead of defining permissions for individual IAM users, it is recommended to create IAM groups that relate to job functions (administrators, developers, testers, etc.) and add users to these groups as needed (or switch users between groups as they receive different roles in your organization). All the users within an IAM group inherit the permissions assigned to the user group. In this way, you can make changes for everyone within a user group in just one place. By unifying permissions management, the likelihood of excessive permissions is reduced.
To determine if your IAM users receive permissions through IAM groups only, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/ .
03 In the navigation panel, under Access management , choose Users .
04 Click on the name of the IAM user that you want to examine.
05 Select the Permissions tab to view the identity-based policies attached directly to the selected IAM user.
06 In the Permissions policies section, check for any managed and/or inline policies attached to the selected IAM user. If one or more identity-based policies are attached to the user, the selected Amazon IAM user does not receive access permissions through IAM groups only.
07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available within your AWS cloud account.
Using AWS CLI
01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all IAM users available in your AWS account:
02 The command output should return a table with the requested IAM user identifiers:
03 Run list-attached-user-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom filtering to list the name of each managed policy attached to the selected IAM user:
04 The command output should return a table with the requested IAM managed policy name(s):
05 Run list-user-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom query filters to list the name of each inline policy associated with the selected IAM user:
06 The command output should return a table with the requested inline IAM policy name(s):
07 If the selected Amazon IAM user is associated with one or more managed policies (as shown at step no. 4) and/or inline policies (as shown at step no. 6), the IAM user has one or more identity-based policies attached, therefore the selected user does not receive access permissions through IAM groups only.
08 Repeat steps no. 3 – 7 for each IAM user that you want to examine, available in your AWS cloud account.
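The CLI audit above (steps 01 to 08), as an added Python example that is not Conformity's own check: it evaluates the groups-only rule over a constructed inventory shaped like the outputs of list-users, list-attached-user-policies and list-user-policies, and reports, per non-compliant user, the policies that have to move to a group. The optional boto3 loader is an assumption about how you would feed it live data.

```python
"""Evaluate the 'permissions via IAM groups only' rule over an IAM inventory.
Added example, not Conformity's own check. INVENTORY below is constructed to
mirror what list-users, list-attached-user-policies and list-user-policies
return; load_from_aws() shows how the same shape would be filled with boto3."""
from dataclasses import dataclass, field


@dataclass
class IamUser:
    name: str
    attached_policies: list = field(default_factory=list)  # managed policies attached directly
    inline_policies: list = field(default_factory=list)    # inline policies on the user
    groups: list = field(default_factory=list)             # group memberships (the compliant path)


# Constructed sample inventory; user and policy names are illustrative.
INVENTORY = [
    IamUser("alice", groups=["developers"]),
    IamUser("bob", attached_policies=["AmazonS3FullAccess"], groups=["developers"]),
    IamUser("carol", inline_policies=["cc-rds-full-access"]),
    IamUser("dave"),  # no groups and no policies: passes this rule, has no permissions
]


def direct_policies(user: IamUser) -> list:
    """Identity-based policies attached directly to the user, managed and inline
    (what steps 03 to 06 of the CLI audit list)."""
    return ([f"managed:{p}" for p in user.attached_policies]
            + [f"inline:{p}" for p in user.inline_policies])


def violates_groups_only(user: IamUser) -> bool:
    """Step 07: any directly attached policy means the user is not groups-only."""
    return bool(direct_policies(user))


def evaluate(inventory: list) -> dict:
    """Step 08 over every user: map each non-compliant user to the policies
    that must be re-homed on an IAM group."""
    return {u.name: direct_policies(u) for u in inventory if violates_groups_only(u)}


def load_from_aws() -> list:
    """Optional live path (assumption): build the same inventory with boto3,
    paginating each listing the way the three CLI commands do."""
    import boto3  # not needed for the offline sample above
    iam = boto3.client("iam")
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            name = u["UserName"]
            attached = [p["PolicyName"]
                        for pg in iam.get_paginator("list_attached_user_policies").paginate(UserName=name)
                        for p in pg["AttachedPolicies"]]
            inline = [p for pg in iam.get_paginator("list_user_policies").paginate(UserName=name)
                      for p in pg["PolicyNames"]]
            groups = [g["GroupName"]
                      for pg in iam.get_paginator("list_groups_for_user").paginate(UserName=name)
                      for g in pg["Groups"]]
            users.append(IamUser(name, attached, inline, groups))
    return users


if __name__ == "__main__":
    findings = evaluate(INVENTORY)
    for user, policies in findings.items():
        print(f"{user}: not groups-only, move {', '.join(policies)} to a group")
    print(f"{len(findings)} of {len(INVENTORY)} users non-compliant")
```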
Remediation / Resolution
To change the permissions configuration for your Amazon IAM users in order to receive access permissions through IAM groups only, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
- Step 1: Remove the associated policy from your IAM user:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Remove policy from Amazon IAM user",
  "Resources": {
    "IAMUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "UserName": "cc-database-manager"
      }
    },
    "IAMUserPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "cc-rds-full-access",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "rds:*",
              "Resource": "*"
            }
          ]
        },
        "Users": [
          {
            "Ref": "IAMUser"
          }
        ]
      }
    }
  }
}

- Step 2: Attach the policy removed from your IAM user to the new IAM group, and add your IAM user to this group:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "IAMGroup": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "GroupName": "cc-database-admin-group"
      }
    },
    "IAMUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "UserName": "cc-database-manager"
      }
    },
    "IAMGroupPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "cc-rds-full-access",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "rds:*",
              "Resource": "*"
            }
          ]
        },
        "Groups": [
          {
            "Ref": "IAMGroup"
          }
        ]
      }
    },
    "AddUserToGroup": {
      "Type": "AWS::IAM::UserToGroupAddition",
      "Properties": {
        "GroupName": {
          "Ref": "IAMGroup"
        },
        "Users": [
          {
            "Ref": "IAMUser"
          }
        ]
      }
    }
  }
}
02 CloudFormation template (YAML):
- Step 1: Remove the associated policy from your IAM user:

AWSTemplateFormatVersion: '2010-09-09'
Description: Remove policy from Amazon IAM user
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-database-manager
  IAMUserPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: cc-rds-full-access
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'rds:*'
            Resource: '*'
      Users:
        - Ref: IAMUser

- Step 2: Attach the policy removed from your IAM user to the new IAM group, and add your IAM user to this group:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  IAMGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: cc-database-admin-group
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-database-manager
  IAMGroupPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: cc-rds-full-access
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'rds:*'
            Resource: '*'
      Groups:
        - !Ref 'IAMGroup'
  AddUserToGroup:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref 'IAMGroup'
      Users:
        - !Ref 'IAMUser'
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
- Step 1: Remove the associated policy from your IAM user: terraform destroy -target aws_iam_policy.cc-rds-full-access
- Step 2: Attach the policy removed from your IAM user to the new IAM group, and add your IAM user to this group:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_iam_user" "iam-user" {
  name = "cc-database-manager"
}

# Customer managed policy that will be attached to the group instead of the user.
resource "aws_iam_policy" "iam-policy" {
  name   = "cc-rds-full-access"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:*",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_group" "iam-group" {
  name = "cc-database-admin-group"
}

# Note: aws_iam_policy_attachment manages this policy's attachments exclusively;
# any user, role or group attached to the policy but not listed here is detached
# on the next apply. Use aws_iam_group_policy_attachment if the policy is shared.
resource "aws_iam_policy_attachment" "iam-group-attachment" {
  name       = "iam-group-attachment"
  groups     = [aws_iam_group.iam-group.name]
  policy_arn = aws_iam_policy.iam-policy.arn
}

# The user now inherits its permissions from the group rather than holding them directly.
resource "aws_iam_user_group_membership" "iam-user-group-membership" {
  user   = aws_iam_user.iam-user.name
  groups = [
    aws_iam_group.iam-group.name
  ]
}
03 In the navigation panel, under Access management, choose User groups.
04 Click on the Create group button from the console top menu to initiate the IAM group setup.
05 On the Create user group setup page, perform the following operations:
- Enter a unique name for your new IAM group in the User group name box.
- For Attach permissions policies – Optional, select the permissions policies required to provide access to the group members. Follow the Principle of Least Privilege (POLP) and give the group members the minimal amount of access required to perform their tasks. You can configure permissions that relate to job functions such as administrators, developers, and testers, and add users to the group as needed. All the IAM users added to this group (i.e. group members) will inherit the permissions assigned to the group at this step.
- Choose Create group to create your new IAM group.
06 Click on the name of the newly created Amazon IAM group.
07 Select the Users tab and choose Add users.
08 Select the IAM user(s) that you want to add to your new group. Choose Add users to save the changes.
09 In the navigation panel, under Access management, choose Users.
10 Click on the name of the user added to the new IAM group at step no. 8.
11 Select the Permissions tab to view the identity-based policies attached to the selected IAM user.
12 Perform the following actions to detach the identity-based policies from the selected user:
- In the Permissions policies section, under Attached directly, detach each managed/inline policy from the selected IAM user by clicking the x (detach) icon.
- Inside the Detach policy confirmation box, choose Detach to confirm the action.
13 Repeat steps no. 10 – 12 for each user assigned to the IAM group created at step no. 5.
01 Run create-group command (OSX/Linux/UNIX) to create a new IAM group for your users:
02 The command output should return the metadata available for the new IAM group:
03 Run attach-group-policy command (OSX/Linux/UNIX) to attach the permissions policies required to provide access to the group members. Follow the Principle of Least Privilege and give the group members the minimal amount of access required to perform their tasks. You can configure permissions that relate to job functions such as administrators, developers, and accounting, and add users to the group as needed. All the group members will inherit the permissions assigned to the IAM group at this step (the command does not produce an output):
04 Run add-user-to-group command (OSX/Linux/UNIX) to add the specified IAM user to your new Amazon IAM group. The user will automatically inherit the IAM group policies:
05 To remove any managed policies attached directly to the IAM user added to the new group at the previous step, run detach-user-policy command (OSX/Linux/UNIX) using the policy ARN as the identifier parameter (the command does not produce an output):
06 To remove any inline policies from the new IAM group member, run delete-user-policy command (OSX/Linux/UNIX) using the policy name as the identifier parameter (the command does not produce an output):
07 Repeat steps no. 5 and 6 for each user assigned to the IAM group created at step no. 1.
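The audit steps (list-users, list-attached-user-policies, list-user-policies) and the CLI remediation steps above (create-group, attach-group-policy, add-user-to-group, detach-user-policy, delete-user-policy) map one-to-one onto the boto3 IAM client API, which is how a practitioner would script this across many users. The block below is an added example and not part of the page or of the Conformity product; it goes a little beyond the page by copying a user's inline policies onto the new group before deleting them, so the user keeps the same effective permissions throughout. FakeIam is a constructed in-memory stand-in for boto3.client("iam") so the example runs offline; its sample users, policy ARNs and account ID 123456789012 are made up.

```python
"""Audit and remediate IAM users that hold identity-based policies directly.

Uses the boto3 IAM client method names; FakeIam below is a constructed
stand-in (not boto3) so the example runs without AWS credentials."""
import json


def _paginate(call, key, **kwargs):
    """Follow the IsTruncated/Marker pagination of IAM list APIs, collecting `key`."""
    items, marker = [], None
    while True:
        resp = call(**kwargs, Marker=marker) if marker else call(**kwargs)
        items.extend(resp.get(key, []))
        if not resp.get("IsTruncated"):
            return items
        marker = resp["Marker"]


def users_with_direct_policies(iam):
    """Audit (steps 1-8): map every user with managed or inline policies attached
    directly to {"managed": [policy ARNs], "inline": [policy names]}. A user absent
    from the result receives its permissions through IAM groups only."""
    findings = {}
    for user in _paginate(iam.list_users, "Users"):
        name = user["UserName"]
        managed = [p["PolicyArn"] for p in _paginate(
            iam.list_attached_user_policies, "AttachedPolicies", UserName=name)]
        inline = _paginate(iam.list_user_policies, "PolicyNames", UserName=name)
        if managed or inline:
            findings[name] = {"managed": managed, "inline": inline}
    return findings


def move_user_permissions_to_group(iam, user_name, group_name):
    """Remediation (steps 1-7) for one user: create the group, give it the same
    permissions the user holds directly, add the user, and only then strip the
    direct attachments so access never lapses in between. Assumes the group does
    not exist yet (create_group would raise EntityAlreadyExists on a real account)."""
    managed = [p["PolicyArn"] for p in _paginate(
        iam.list_attached_user_policies, "AttachedPolicies", UserName=user_name)]
    inline = _paginate(iam.list_user_policies, "PolicyNames", UserName=user_name)
    iam.create_group(GroupName=group_name)
    for arn in managed:
        iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    for policy_name in inline:  # copy inline documents to the group before deleting them
        doc = iam.get_user_policy(UserName=user_name, PolicyName=policy_name)["PolicyDocument"]
        iam.put_group_policy(GroupName=group_name, PolicyName=policy_name,
                             PolicyDocument=json.dumps(doc))
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    for arn in managed:
        iam.detach_user_policy(UserName=user_name, PolicyArn=arn)
    for policy_name in inline:
        iam.delete_user_policy(UserName=user_name, PolicyName=policy_name)
    return {"managed": managed, "inline": inline}


class FakeIam:
    """Constructed stand-in for boto3.client("iam") holding two sample users."""

    def __init__(self):
        self.users = {
            "cc-database-manager": {
                "managed": ["arn:aws:iam::123456789012:policy/cc-rds-full-access"],
                "inline": {"s3-read": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}}},
            "cc-readonly-auditor": {"managed": [], "inline": {}},
        }
        self.groups = {}

    def list_users(self, **kw):
        return {"Users": [{"UserName": n} for n in self.users], "IsTruncated": False}

    def list_attached_user_policies(self, UserName, **kw):
        return {"AttachedPolicies": [{"PolicyName": a.rsplit("/", 1)[1], "PolicyArn": a}
                                     for a in self.users[UserName]["managed"]],
                "IsTruncated": False}

    def list_user_policies(self, UserName, **kw):
        return {"PolicyNames": list(self.users[UserName]["inline"]), "IsTruncated": False}

    def get_user_policy(self, UserName, PolicyName):
        return {"PolicyDocument": self.users[UserName]["inline"][PolicyName]}

    def create_group(self, GroupName):
        self.groups[GroupName] = {"managed": [], "inline": {}, "members": []}

    def attach_group_policy(self, GroupName, PolicyArn):
        self.groups[GroupName]["managed"].append(PolicyArn)

    def put_group_policy(self, GroupName, PolicyName, PolicyDocument):
        self.groups[GroupName]["inline"][PolicyName] = json.loads(PolicyDocument)

    def add_user_to_group(self, GroupName, UserName):
        self.groups[GroupName]["members"].append(UserName)

    def detach_user_policy(self, UserName, PolicyArn):
        self.users[UserName]["managed"].remove(PolicyArn)

    def delete_user_policy(self, UserName, PolicyName):
        del self.users[UserName]["inline"][PolicyName]


if __name__ == "__main__":
    iam = FakeIam()  # swap for boto3.client("iam") to run against a real account
    print("before:", users_with_direct_policies(iam))
    move_user_permissions_to_group(iam, "cc-database-manager", "cc-database-admin-group")
    print("after: ", users_with_direct_policies(iam))
```

Run the audit function first and review its output before remediating: a managed policy that is also attached to other principals keeps those attachments (attach_group_policy adds one more), but an inline policy exists only on the user, which is why the example copies it to the group before delete_user_policy removes it.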
- AWS Documentation
- Security best practices in IAM
- Managed policies and inline policies
- Create an administrative user
- Attaching a policy to an IAM user group
- Adding and removing users in an IAM user group
- CIS Benchmark Documentation
- CIS Benchmarks
- AWS Command Line Interface (CLI) Documentation
- list-attached-user-policies
- list-user-policies
- create-group
- attach-group-policy
- add-user-to-group
- detach-user-policy
- delete-user-policy
Related IAM rules
- IAM Groups with Administrative Privileges (Security)
- Credentials Last Used (Sustainability, security)
- IAM Users Unauthorized to Edit Access Policies (Security)
- Enable MFA for IAM Users with Console Password (Security)
Severity: Medium