CloudWiki

Amazon Web Services (AWS)

IAM User

Permissions
An IAM user is an identity in your AWS account that represents a single person or application. It carries long-term credentials (a console password and/or access keys) and can interact with AWS resources only as far as the permissions policies attached to it, directly or through the groups it belongs to, allow.
aws_iam_user (Terraform resource for an IAM User) attributes:
  • name - (Required) The user's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-_. User names are not distinguished by case. For example, you cannot create users named both "TESTUSER" and "testuser".
  • path - (Optional, default "/") Path in which to create the user.
  • permissions_boundary - (Optional) The ARN of the policy that is used to set the permissions boundary for the user.
  • force_destroy - (Optional, default false) When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed.
  • tags - Key-value map of tags for the IAM user. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with an IAM User
Resources do not "belong" to an IAM User. Rather, the user is granted access to resources through the identity-based policies attached to it (inline or managed, directly or via group membership), limited by its permissions boundary if one is set.
Create IAM User via Terraform:
The following HCL creates an IAM user, an access key for it, and an inline read-only EC2 policy attached directly to the user:

# IAM user for a load-balancer automation; the path namespaces the user's ARN.
resource "aws_iam_user" "lb" {
  name = "loadbalancer"
  path = "/system/"

  tags = {
    tag-key = "tag-value"
  }
}

# Long-lived access key for the user. The secret is written to Terraform state,
# so the state backend must be protected (encrypted and access-restricted).
resource "aws_iam_access_key" "lb" {
  user = aws_iam_user.lb.name
}

# Inline policy attached directly to the user. The best-practice rules later on
# this page flag inline user policies and permissions granted outside groups.
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  # Read-only EC2 access (ec2:Describe*) on all resources.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

Create IAM User via CLI:
Parameters:

create-user
[--path <value>]
--user-name <value>
[--permissions-boundary <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam create-user --user-name Bob

Best Practices for IAM User

Categorized by Availability, Security & Compliance and Cost (severity: Info, Warning or Critical)

Info: Access allowed from VPN
Info: Auto Scaling Group not in use
Info: Cross peering connectivity is allowed by EC2
Info: Cross peering connectivity is allowed by ECS Task
Info: Cross peering connectivity is allowed by Lambda
Info: Cross peering connectivity is allowed by Pod
Warning: DynamoDB tables not in use
Warning: ECS cluster delete alarm
Warning: ElastiCache cluster delete alarm
Warning: Ensure AWS EKS cluster has secrets encryption enabled
Warning: Ensure Application Load Balancers (ALB) are configured to drop HTTP headers
Warning: Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
Warning: Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2
Warning: Ensure CloudFront has WAF attached
Warning: Ensure ECS task definition has memory limit
Critical: Ensure ElastiCache Redis clusters are encrypted at-rest
Critical: Ensure ElastiCache Redis clusters are encrypted in-transit
Info: Ensure ElastiCache Redis clusters have automatic backup turned on
Warning: Ensure IAM Group has no inline policy
Warning: Ensure IAM User has no inline policy
Warning: Ensure IAM users are members of at least one IAM group
Warning: Ensure IAM users receive permissions only through groups
Warning: Ensure Kubernetes API servers are not publicly accessible
Critical: Ensure RDS database instances are not accessible via Internet (Network and API)
Warning: Ensure RDS database instances are not publicly accessible
Critical: Ensure all IAM users with console access have MFA enabled
Warning: Ensure communication between CloudFront distributions and their origins is encrypted using HTTPS
Warning: Ensure internet exposed ALBs have WAF attached
Warning: Ensure that Cloudfront distribution is not using insecure SSL protocols
Warning: Ensure that EKS security groups are configured to allow incoming traffic only on TCP port 443
Warning: Ensure there are no Auto Scaling Groups with suspended processes
Critical: Ensure there is no unrestricted inbound access to all TCP ports
Warning: IAM Group inline policy is over permissive
Critical: IAM User with Admin access (*:*)
Warning: IAM User with high privileged policies
Critical: IAM User with inline Admin access (*:*)
Critical: IAM user can execute a Privilege Escalation by using inline AssumeRole
Critical: IAM user can execute a Privilege Escalation by using inline AttachRolePolicy
Critical: IAM user can execute a Privilege Escalation by using inline AttachUserPolicy
Critical: IAM user can execute a Privilege Escalation by using inline CreatePolicyVersion
Critical: IAM user can execute a Privilege Escalation by using inline PassRole
Critical: IAM user can execute a Privilege Escalation by using inline UpdateLoginProfile
Warning: IAM user inline policy is over permissive
Warning: New IAM user is created
Critical: Pod is internet facing (via ALB) and does not have CPU/MEM limits
Critical: Pod is internet facing (via ELB) and does not have CPU/MEM limits
Critical: Pod is internet facing (via NLB) and does not have CPU/MEM limits
Critical: SNS inline policy is over permissive
Warning: SQS inline policy is over permissive
Warning: VPC endpoint is publicly accessible
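The IAM-user rules in this list (inline policies, group membership, Admin access (*:*), inline privilege escalation via AssumeRole/AttachRolePolicy/AttachUserPolicy/CreatePolicyVersion/PassRole/UpdateLoginProfile, and MFA for console users) can be evaluated offline from the JSON AWS already hands you. The following Python is an added example, not CloudWiki's or the platform's own code: it implements those checks over a constructed, in-memory structure shaped like the output of aws iam get-account-authorization-details plus constructed credential-report rows (columns user, password_enabled, mfa_active). The account ID, policy names and the ops-admin user are hypothetical; the loadbalancer user mirrors the Terraform example earlier on this page, so the findings it produces are the ones that HCL would earn. No AWS calls are made.

```python
"""Offline audit of IAM users against checks named on this page (added example,
not CloudWiki or platform code). Input is a constructed structure shaped like
`aws iam get-account-authorization-details` output plus credential-report rows
(user, password_enabled, mfa_active); no AWS calls are made."""
import fnmatch

# Actions named by the page's inline privilege-escalation rules.
PRIV_ESC_ACTIONS = {"sts:AssumeRole", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
                    "iam:CreatePolicyVersion", "iam:PassRole", "iam:UpdateLoginProfile"}

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def allowed_grants(doc):
    """Yield (action, resource) patterns from Allow statements. Deny, NotAction and
    Condition are ignored: a positive-grant scan can under-report, never over-report."""
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") == "Allow" and "Action" in st:
            for action in _as_list(st["Action"]):
                for resource in _as_list(st.get("Resource")):
                    yield action, resource

def is_admin(doc):
    """Admin access (*:*): Action "*" granted on Resource "*"."""
    return any(a == "*" and r == "*" for a, r in allowed_grants(doc))

def priv_esc_actions(doc):
    """Escalation actions granted, expanding wildcards (iam:*, iam:Attach*);
    IAM action names are case-insensitive, so both sides are lower-cased."""
    return {act for pattern, _ in allowed_grants(doc) for act in PRIV_ESC_ACTIONS
            if fnmatch.fnmatchcase(act.lower(), pattern.lower())}

def _default_document(policies, arn):
    """Resolve a managed policy ARN to its default version's document."""
    for pol in policies:
        if pol["Arn"] == arn:
            return next(v["Document"] for v in pol["PolicyVersionList"] if v["IsDefaultVersion"])
    return {"Statement": []}

def audit_user(user, details, credential_report):
    """Return {rule name: severity} for one UserDetailList entry."""
    managed = details["Policies"]
    inline = [p["PolicyDocument"] for p in user.get("UserPolicyList", [])]
    attached = [_default_document(managed, p["PolicyArn"]) for p in user.get("AttachedManagedPolicies", [])]
    via_groups = []
    for grp in details["GroupDetailList"]:
        if grp["GroupName"] in user.get("GroupList", []):
            via_groups += [p["PolicyDocument"] for p in grp.get("GroupPolicyList", [])]
            via_groups += [_default_document(managed, p["PolicyArn"]) for p in grp.get("AttachedManagedPolicies", [])]
    findings = {}
    if inline:
        findings["Ensure IAM User has no inline policy"] = "Warning"
    if not user.get("GroupList"):
        findings["Ensure IAM users are members of at least one IAM group"] = "Warning"
    if inline or attached:
        findings["Ensure IAM users receive permissions only through groups"] = "Warning"
    if any(is_admin(d) for d in inline):
        findings["IAM User with inline Admin access (*:*)"] = "Critical"
    if any(is_admin(d) for d in inline + attached + via_groups):
        findings["IAM User with Admin access (*:*)"] = "Critical"
    for doc in inline:
        for act in priv_esc_actions(doc):
            findings[f"IAM user can execute a Privilege Escalation by using inline {act.split(':')[1]}"] = "Critical"
    row = next((r for r in credential_report if r["user"] == user["UserName"]), None)
    if row and row["password_enabled"] == "true" and row["mfa_active"] != "true":
        findings["Ensure all IAM users with console access have MFA enabled"] = "Critical"
    return findings

def audit_all(details, credential_report):
    return {u["UserName"]: audit_user(u, details, credential_report) for u in details["UserDetailList"]}

# Constructed sample: hypothetical account 123456789012, two users, one group.
ADMIN_ARN = "arn:aws:iam::123456789012:policy/admin-everything"
ADMIN_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_DETAILS = {
    "Policies": [{"Arn": ADMIN_ARN, "PolicyVersionList": [
        {"VersionId": "v1", "IsDefaultVersion": True, "Document": ADMIN_DOC}]}],
    "GroupDetailList": [{"GroupName": "admins", "GroupPolicyList": [],
                         "AttachedManagedPolicies": [{"PolicyName": "admin-everything", "PolicyArn": ADMIN_ARN}]}],
    "UserDetailList": [
        # Mirrors the Terraform example above: inline ec2:Describe* policy, no group.
        {"UserName": "loadbalancer", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "test", "PolicyDocument": {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}}]},
        # Inline iam:* plus sts:AssumeRole, admin through the group, console password, no MFA.
        {"UserName": "ops-admin", "GroupList": ["admins"], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "ops", "PolicyDocument": {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"}]}}]},
    ],
}
SAMPLE_CREDENTIAL_REPORT = [
    {"user": "loadbalancer", "password_enabled": "false", "mfa_active": "false"},
    {"user": "ops-admin", "password_enabled": "true", "mfa_active": "false"},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DETAILS, SAMPLE_CREDENTIAL_REPORT).items():
        print(name, *(f"\n  {sev:8} {rule}" for rule, sev in sorted(findings.items())))
```

Run as a script it prints the findings per user; against a real account, feed audit_all the JSON from aws iam get-account-authorization-details and the rows of the CSV returned (base64-encoded in the Content field) by aws iam get-credential-report. The scan only considers positive Allow grants and ignores Deny statements, NotAction and Condition keys, so a flagged grant may be unusable in practice; treat the output as candidates for review rather than a verdict, and note that an inline policy with iam:* also satisfies the "inline policy is over permissive" rule even though this example does not score it.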