Test 217: AWS IAM Group-Based Access Control

Drata validates that IAM users are granted permissions only through groups and that no user has an inline policy or a directly attached managed policy.


IAM users are granted access to services, functions, and data through IAM policies.

Assigning IAM policies only through groups consolidates permissions management into a single layer that maps to organizational functional roles. A group's permissions are defined and reviewed once and inherited by every member, which reduces the likelihood that an individual user accumulates excessive permissions.

ASSOCIATED DRATA CONTROL

This test is part of the Principle of Least Privilege control (DCF-776), which ensures your company assigns permissions through groups or roles based on the principle of least privilege and limits the use of wildcard permissions or broad-access patterns.

WHAT TO DO IF A TEST FAILS

If Drata finds any AWS IAM user with an inline policy or a directly attached managed policy, the test fails. Both kinds of direct grant bypass the group layer: an inline policy exists only on that one user and is not visible when the group's permissions are reviewed, and a directly attached managed policy gives that user permissions that other users in the same functional role do not have. Moving all grants to groups keeps permissions management in one place and reduces the likelihood of excessive permissions.

STEPS TO REMEDIATE

  1. Create an IAM group and attach policies to it based on the principle of least privilege. The group's policies must cover what the failing users legitimately need, because the direct grants removed in step 3 are not carried over automatically.

  2. Add the failing users to the IAM group. Do this before step 3 so the users never lose access mid-change.

  3. Remove the direct associations for the failing users: detach each directly attached managed policy and delete each inline policy. Re-run the check afterwards to confirm no user still has a direct grant.
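The following is an added example, not Drata's code and not how the Drata test itself is implemented. It shows the check this test performs ("What to do if a test fails") and the three remediation steps above as one script, run against a constructed JSON snippet shaped like the output of `aws iam get-account-authorization-details --filter User`. The `iam` argument of `apply_plan` is assumed to be a boto3 IAM client (`boto3.client("iam")`); a recording fake stands in for it so the example runs offline. The group name, policy ARNs and user names are made up.

```python
"""Find IAM users with inline or directly attached policies and move them to a group.

The input mirrors `aws iam get-account-authorization-details --filter User`:
UserDetailList[] -> UserPolicyList (inline), AttachedManagedPolicies, GroupList.
"""
import json

# Constructed sample (not real account data): alice is compliant (group only),
# bob has one inline policy and one directly attached managed policy.
SAMPLE_DETAILS = json.loads("""
{
  "UserDetailList": [
    {
      "UserName": "alice",
      "Arn": "arn:aws:iam::123456789012:user/alice",
      "UserPolicyList": [],
      "GroupList": ["developers"],
      "AttachedManagedPolicies": []
    },
    {
      "UserName": "bob",
      "Arn": "arn:aws:iam::123456789012:user/bob",
      "UserPolicyList": [
        {"PolicyName": "bob-s3-inline",
         "PolicyDocument": {"Version": "2012-10-17", "Statement": [
           {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}
      ],
      "GroupList": [],
      "AttachedManagedPolicies": [
        {"PolicyName": "ReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}
      ]
    }
  ]
}
""")


def find_failing_users(details):
    """The check: return {user: {"inline": [policy names], "attached": [ARNs]}}
    for every user holding a policy outside of a group. Empty dict == pass."""
    failing = {}
    for user in details.get("UserDetailList", []):
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        attached = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        if inline or attached:
            failing[user["UserName"]] = {"inline": inline, "attached": attached}
    return failing


def build_plan(failing, group_name, group_policy_arns=None):
    """Ordered list of (boto3 IAM method, kwargs) implementing the three steps.

    group_policy_arns: policies for a NEW group (step 1); omit it if the group
    already exists, since create_group fails with EntityAlreadyExists.
    Each user is added to the group (step 2) before any direct grant is removed
    (step 3) so there is no window in which the user has no permissions."""
    plan = []
    for arn in group_policy_arns or []:
        if not any(m == "create_group" for m, _ in plan):
            plan.append(("create_group", {"GroupName": group_name}))
        plan.append(("attach_group_policy", {"GroupName": group_name, "PolicyArn": arn}))
    for user, pols in sorted(failing.items()):
        plan.append(("add_user_to_group", {"GroupName": group_name, "UserName": user}))
        for arn in pols["attached"]:
            plan.append(("detach_user_policy", {"UserName": user, "PolicyArn": arn}))
        for name in pols["inline"]:
            plan.append(("delete_user_policy", {"UserName": user, "PolicyName": name}))
    return plan


def apply_plan(plan, iam):
    """Execute the plan against an object with boto3 IAM client methods
    (boto3.client("iam") in production). Returns the number of calls made."""
    for method, kwargs in plan:
        getattr(iam, method)(**kwargs)
    return len(plan)


class RecordingIam:
    """Offline stand-in for a boto3 IAM client: records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
        return call


if __name__ == "__main__":
    failing = find_failing_users(SAMPLE_DETAILS)
    print("failing users:", json.dumps(failing, indent=2))
    plan = build_plan(failing, "developers",
                      group_policy_arns=["arn:aws:iam::aws:policy/ReadOnlyAccess"])
    for step in plan:
        print(step)
    apply_plan(plan, RecordingIam())
```

Review the printed plan before pointing `apply_plan` at a real client: `delete_user_policy` destroys the inline policy document, so anything in it that the group does not already grant is gone. After applying, fetch fresh authorization details and run `find_failing_users` again; the test passes only when it returns an empty dict.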

Center for Internet Security (CIS)

This test aligns with the Center for Internet Security (CIS) Foundations Benchmark for Amazon Web Services, which provides prescriptive guidance for establishing a secure baseline configuration and includes the recommendation that IAM users receive permissions only through groups. To learn more, refer to the Center for Internet Security (CIS) section.
