How to resolve the Sprinto check that ensures no AWS IAM user has policies attached directly
About:
Sprinto check: No user account has a policy attached directly
The above-mentioned Sprinto check verifies that no AWS Identity and Access Management (IAM) user has a policy attached directly to it, whether a managed policy attached to the user or an inline policy embedded in it. Policies should instead be attached to user groups, and users assigned to those groups, so that each user's permissions are granted through a reviewable, role-based group membership rather than accumulated on the individual account. This keeps permission scope explicit and supports the principle of least privilege.
Purpose:
The purpose of this check is to ensure that your AWS environment follows best practices for IAM user management and access control. By attaching policies to groups instead of individual users, you can simplify policy management and ensure consistent access permissions across users with similar roles or responsibilities. This approach also makes it easier to audit and review permissions, as well as add or remove users from groups without modifying individual user policies.
How to fix this check:
Note: Mark the above Sprinto check as a "Special case" if your integrated AWS account doesn't have any IAM users, or if you don't wish to detach the IAM policies from the users. Refer to marking a Sprinto check as a special case for detailed steps.
Before you begin
Ensure you have administrator privileges to manage AWS IAM users, groups, and policies.
Moving Policies to Groups
Follow the steps below to move policies to the group level:
1. Log in to the AWS Console using your credentials.
2. Navigate to the AWS IAM service.
3. Click Users in the left-side navigation bar and select the IAM user you want to review.
4. Open the Permissions tab and check the Permissions policies list for entries attached directly to the user. A policy the user inherits through a group is shown as attached via that group and does not fail the check; AWS managed, customer managed, and inline policies attached to the user itself do.
5. If the user has a policy attached directly, select the checkbox next to the policy and click Remove to detach it from the user. Removing an inline policy deletes it, because an inline policy exists only as part of the user, so copy its JSON first if you intend to recreate it on a group. If the user needs uninterrupted access, attach the policy to the group (step 6) before removing it here.
6. Attach the removed policy to a user group if it is still required.
   Note: Creating a new user group to hold IAM policies is not mandatory. If an existing user group fits your workflow, attach the policy to that group and make sure the user you detached the policy from is a member of it. To create a new group:
   a. Click User groups in the left-side navigation bar.
   b. Click Create group.
   c. Fill in the following details and click Create group:
      - a name for the user group
      - the IAM users to add
      - the permissions policies to attach
7. Repeat steps 3 to 6 for every IAM user. No user should have any policy attached directly.
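The console steps above are fine for a handful of users, but an account with many users is easier to audit and remediate from the output of the AWS CLI. The script below is an added example written for this article, not Sprinto's or AWS's own code: it reads the JSON shape returned by `aws iam get-account-authorization-details --filter User`, reports every managed or inline policy attached directly to a user (group-inherited policies never appear on the user record, so they are correctly ignored), and prints the AWS CLI commands that move each one onto a group, granting through the group before removing the direct attachment. The user names, account ID, policies, and the group name "Developers" are constructed sample data; run it against your own saved `details.json` to get real output.

```python
import json
import shlex

# Constructed sample in the shape returned by
# `aws iam get-account-authorization-details --filter User`.
# The users, account ID and policies are invented for this example.
SAMPLE_DETAILS = json.loads("""
{
  "UserDetailList": [
    {
      "UserName": "alice",
      "Arn": "arn:aws:iam::123456789012:user/alice",
      "GroupList": ["Developers"],
      "AttachedManagedPolicies": [],
      "UserPolicyList": []
    },
    {
      "UserName": "bob",
      "Arn": "arn:aws:iam::123456789012:user/bob",
      "GroupList": [],
      "AttachedManagedPolicies": [
        {"PolicyName": "AmazonS3ReadOnlyAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}
      ],
      "UserPolicyList": [
        {"PolicyName": "bob-inline",
         "PolicyDocument": {"Version": "2012-10-17",
                            "Statement": [{"Effect": "Allow",
                                           "Action": "sqs:ReceiveMessage",
                                           "Resource": "*"}]}}
      ]
    }
  ]
}
""")


def find_direct_attachments(details):
    """Return one finding per policy attached directly to a user.

    Managed policies attached to the user are listed under
    AttachedManagedPolicies; inline policies embedded in the user are
    listed under UserPolicyList. Policies inherited through GroupList
    are not present on the user record and so are not reported.
    """
    findings = []
    for user in details.get("UserDetailList", []):
        name = user["UserName"]
        for p in user.get("AttachedManagedPolicies", []):
            findings.append({"user": name, "kind": "managed",
                             "policy_name": p["PolicyName"],
                             "policy_arn": p["PolicyArn"]})
        for p in user.get("UserPolicyList", []):
            findings.append({"user": name, "kind": "inline",
                             "policy_name": p["PolicyName"],
                             "policy_document": p["PolicyDocument"]})
    return findings


def remediation_commands(findings, group_name):
    """Build the AWS CLI commands that move each finding onto group_name.

    Order matters: grant through the group and add the user to it first,
    then remove the direct attachment, so the user never loses access
    part-way through the migration. Inline policies cannot be "moved";
    they are recreated on the group with put-group-policy and then
    deleted from the user.
    """
    cmds = []
    group = shlex.quote(group_name)
    already_added = set()
    for f in findings:
        user = shlex.quote(f["user"])
        pname = shlex.quote(f["policy_name"])
        if f["kind"] == "managed":
            cmds.append(f"aws iam attach-group-policy --group-name {group} "
                        f"--policy-arn {f['policy_arn']}")
        else:
            doc = shlex.quote(json.dumps(f["policy_document"]))
            cmds.append(f"aws iam put-group-policy --group-name {group} "
                        f"--policy-name {pname} --policy-document {doc}")
        if f["user"] not in already_added:
            cmds.append(f"aws iam add-user-to-group --group-name {group} "
                        f"--user-name {user}")
            already_added.add(f["user"])
        if f["kind"] == "managed":
            cmds.append(f"aws iam detach-user-policy --user-name {user} "
                        f"--policy-arn {f['policy_arn']}")
        else:
            cmds.append(f"aws iam delete-user-policy --user-name {user} "
                        f"--policy-name {pname}")
    return cmds


if __name__ == "__main__":
    # Real use: aws iam get-account-authorization-details --filter User > details.json
    # then json.load(open("details.json")) in place of SAMPLE_DETAILS.
    findings = find_direct_attachments(SAMPLE_DETAILS)
    for f in findings:
        print(f"{f['user']}: {f['kind']} policy {f['policy_name']} is attached directly")
    print("\n".join(remediation_commands(findings, "Developers")))
```

Review the printed commands before running them: the script deliberately only prints, because deciding which group each policy belongs in is a judgement call, and a policy that was too broad for a single user is usually too broad for a whole group as well.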
Sprinto will detect the configuration change and set the related Sprinto check's status to "Passing".
Contact Sprinto support if you have any queries related to the check or need assistance.