AWS Account Has No IAM Users
- Contextual name: Account Has No IAM Users
- ID: /ce/ca/aws/iam/account-has-no-iam-users
- Tags:
Logic
- wip.logic.yaml
- AWS Account
Internal Notes
Policy description
Origin of the policy
This policy is based on CA policy ce:ca:aws:iam:account-has-no-users
There are many similar policies, for example https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/iam-user-present.html
Does this policy make sense?
It seems the original intent of the policy was to force customers to use IAM users instead of the root user.
The underlying hypothesis was:
If you have 0 IAM users, you necessarily have to use the root user to do anything.
But that raises a second obvious question:
What about IAM roles? Can you have 0 IAM users and still perform every task in AWS without issue?
It turns out this is not only possible, but is currently the preferred approach (federating identities through an IdP and using roles rather than long-lived IAM users):
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp
Given this, we could instead look for accounts that have neither IAM users nor IAM roles, but realistically there will be none, apart from completely idle accounts that were created and abandoned immediately.
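To make the two variants of the check concrete, here is an added example (not the project's wip.logic.yaml and not code from the page) that evaluates the original rule ("fail if there are no IAM users") next to the refined rule discussed above ("fail only if there are no IAM users and no assumable roles"). The account snapshots are constructed sample data shaped like the Users/Roles lists returned by IAM ListUsers/ListRoles. One caveat is built in: service-linked roles (path /aws-service-role/) are created by AWS itself and exist in practically every account, so they must be excluded or the refined check would never fire. The boto3 collector at the end is an assumed helper for live use and is not exercised by the sample run.

```python
"""Evaluate 'account has no IAM users' with and without the IAM-role refinement.
Added example; the snapshots below are constructed, not real accounts."""
from dataclasses import dataclass

# Service-linked roles live under this path. AWS creates them automatically,
# so they say nothing about how people or workloads actually access the account.
SERVICE_LINKED_PATH = "/aws-service-role/"

# Constructed sample snapshots: one dict per account, same field names as
# the IAM ListUsers / ListRoles responses (only the fields we need).
SAMPLE_ACCOUNTS = {
    "111111111111": {  # classic setup: IAM users present
        "Users": [{"UserName": "alice", "Path": "/"}],
        "Roles": [{"RoleName": "AWSServiceRoleForSupport", "Path": SERVICE_LINKED_PATH}],
    },
    "222222222222": {  # federation-only account: no users, one assumable role
        "Users": [],
        "Roles": [
            {"RoleName": "AWSServiceRoleForSupport", "Path": SERVICE_LINKED_PATH},
            {"RoleName": "AdminFromIdP", "Path": "/"},
        ],
    },
    "333333333333": {  # nothing but the default service-linked role: idle or root-only
        "Users": [],
        "Roles": [{"RoleName": "AWSServiceRoleForSupport", "Path": SERVICE_LINKED_PATH}],
    },
}


@dataclass
class Finding:
    account_id: str
    user_count: int
    usable_role_count: int
    status: str  # "PASS" or "FAIL"
    reason: str


def usable_roles(roles):
    """Roles a person or workload could actually assume: everything except service-linked roles."""
    return [r for r in roles if not r.get("Path", "/").startswith(SERVICE_LINKED_PATH)]


def evaluate_original(account_id, snapshot):
    """The original policy as described on this page: fail whenever there are no IAM users."""
    n_users = len(snapshot["Users"])
    if n_users == 0:
        return Finding(account_id, 0, 0, "FAIL", "no IAM users")
    return Finding(account_id, n_users, 0, "PASS", f"{n_users} IAM user(s)")


def evaluate_refined(account_id, snapshot):
    """The refined check: no IAM users is fine when assumable roles exist (federation);
    only an account with neither users nor assumable roles is flagged."""
    n_users = len(snapshot["Users"])
    n_roles = len(usable_roles(snapshot["Roles"]))
    if n_users == 0 and n_roles == 0:
        return Finding(account_id, 0, 0, "FAIL", "no IAM users and no assumable roles: only root can act")
    if n_users == 0:
        return Finding(account_id, 0, n_roles, "PASS", f"no IAM users, {n_roles} assumable role(s) (federation)")
    return Finding(account_id, n_users, n_roles, "PASS", f"{n_users} IAM user(s), {n_roles} assumable role(s)")


def evaluate_all(accounts=SAMPLE_ACCOUNTS, refined=True):
    """Run one of the two variants over every account; returns {account_id: Finding}."""
    check = evaluate_refined if refined else evaluate_original
    return {aid: check(aid, snap) for aid, snap in accounts.items()}


def snapshot_from_boto3(session):
    """Assumed live collector: needs boto3 and credentials allowed iam:ListUsers and
    iam:ListRoles. Returns the same shape as SAMPLE_ACCOUNTS values."""
    iam = session.client("iam")
    users = [u for page in iam.get_paginator("list_users").paginate() for u in page["Users"]]
    roles = [r for page in iam.get_paginator("list_roles").paginate() for r in page["Roles"]]
    return {"Users": users, "Roles": roles}


if __name__ == "__main__":
    for aid, f in evaluate_all(refined=False).items():
        print("original", aid, f.status, f.reason)
    for aid, f in evaluate_all().items():
        print("refined ", aid, f.status, f.reason)
```

Running it shows the difference the notes describe: the original rule fails the federation-only account 222222222222, while the refined rule passes it and only fails 333333333333, the account where nothing but the root user could act.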

