π AWS Account Has No IAM Users π΄π
- Contextual name: π Account Has No IAM Users π΄π
- ID:
/ce/ca/aws/iam/account-has-no-iam-users - Located in: π AWS IAM
Flagsβ
- π Policy with internal.md
- π Policy without categories
- π΄ Policy without description.md
- π΄ Policy without remediation.md
- π Policy without type
- π WIP policy
Logicβ
- π§ wip.logic.yaml π΄π
- π AWS Account
Internal Notes π β
Policy descriptionβ
Origin of the policyβ
This policy is based on CA policy ce:ca:aws:iam:account-has-no-users
There are a lot of similar policies, like https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/iam-user-present.html
Does this policy make sense?β
Seems like the original intent of the policy was force customers to use "IAM Users" instead of "root" user.
And obvious hypothesis was:
If you don't have 0 IAM Users, you definitely have to use "root" user to do anything.
But then the second obvious question is:
What about IAM Roles? Can you have 0 IAM Users and still perform every task in AWS with no issue?
And seems like it is not only possible, but also currently preferred way:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp
Considering this, we can try to look for accounts without IAM Users and without IAM Roles at the same time, but realistically there will be none. Only completely idle accounts that were created and abandoned immediately.
... see more
