π AWS IAM User is not managed centrally in multi-account environments π’
- Contextual name: π AWS IAM User is not managed centrally in multi-account environments π’
- ID:
/ce/ca/aws/iam/user-is-not-managed-centrally - Located in: π AWS IAM
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Descriptionβ
Descriptionβ
In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.
Rationaleβ
Centralizing IAM user management to a single identity store reduces complexity and thus the likelihood of access management errors.
Auditβ
For multi-account AWS environments with an external identity provider:
- Determine the master account for identity federation or IAM user management.
- Login to that account through the AWS Management Console.
- Click
Services.- Click
IAM.- Click
Identity providers.- Verify the configuration.
For multi-account AWS environments with an external identity provider, as well as for those implementing AWS Organizations without an external identity provider:
- Determine all accounts that should not have local users present.
- Log into the AWS Management Console.
... see more
Remediationβ
Remediationβ
The remediation procedure will vary based on the individual organization's implementation of identity federation and/or AWS Organizations with the acceptance criteria that no non-service IAM users, and non-root accounts, are present outside the account providing centralized IAM user management.