๐ก๏ธ AWS IAM User is not managed centrally in multi-account environments๐ขโช
- Contextual name: ๐ก๏ธ AWS IAM User is not managed centrally in multi-account environments๐ขโช
- ID:
/ce/ca/aws/iam/user-is-not-managed-centrally - Tags:
- โช Impossible policy
- ๐ข Policy with categories
- ๐ข Policy with type
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Similar Policiesโ
- Cloud Conformity: AWS Multi-Account Centralized Management
Descriptionโ
Descriptionโ
In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.
Rationaleโ
Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.
Auditโ
For multi-account AWS environments with an external identity provider:
- Determine the master account for identity federation or IAM user management.
- Login to that account through the AWS Management Console.
- Click
Services.- Click
IAM.- Click
Identity providers.- Verify the configuration.
For multi-account AWS environments with an external identity provider, as well as for those implementing AWS Organizations without an external identity provider:
- Determine all accounts that should not have local users present.
- Log into the AWS Management Console.
... see more
Remediationโ
Remediationโ
The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.