Medium

New IAM user is created

Security & Compliance
Description

The "New IAM user is created" rule generates an alert when a new IAM user is created in an AWS account. The alert is designed to help organizations monitor and track the creation of new IAM user accounts and to ensure that only authorized users are granted access to AWS resources. It can be set up to send notifications to the appropriate personnel or team, allowing them to review and validate the new user. This helps ensure that the new account is legitimate and that the user has a valid business justification for accessing AWS resources. The alert can help to better manage the organization's IAM users, reduce the risk of unauthorized access, and ensure compliance with security policies and regulations.

Remediation

If an organization receives an alert that a new IAM user account has been created, here are some recommended remediation steps:

  1. Validate the User: Confirm that the user account is legitimate and that the user has a valid business justification for accessing AWS resources. This can be done by reaching out to the user and requesting additional information about their role and responsibilities.
  2. Review Access: Review the permissions granted to the new user account and ensure that they are appropriate for the user's role and responsibilities. Remove any unnecessary permissions and limit access to only what is needed to perform their job duties.
  3. Enable MFA: Enforce Multi-Factor Authentication (MFA) for the new user account to add an additional layer of security and reduce the risk of unauthorized access.
  4. Monitor User Activity: Set up monitoring and logging for the new user account to track their activity and identify any suspicious or unauthorized behavior.
  5. Review IAM Policies: Review and update the IAM policies and procedures to ensure that they are effective in mitigating potential security risks and to prevent the creation of unnecessary IAM user accounts.

By taking these remediation steps, organizations can help ensure that new IAM user accounts are created securely and that only authorized users have access to AWS resources. It is also important to regularly review and update security policies and procedures to ensure that they remain effective in mitigating potential security risks.
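The detection and the first three remediation steps can be sketched over CloudTrail records. This is an added example, not Lightlytics' rule implementation: it assumes CloudTrail management events are already loaded as dictionaries. The function names, the approved-creator allow-list and the sample records (placeholder account 111122223333, documentation IP range) are constructed for illustration.

```python
FOLLOW_UP = {"CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
             "PutUserPolicy", "AddUserToGroup", "EnableMFADevice"}  # triage-relevant IAM calls

def triage_new_iam_users(records, approved_creators=frozenset()):
    """Return one finding per successful CreateUser, keyed by the new user name."""
    findings = {}
    # CloudTrail eventTime is ISO 8601 UTC, so string order is time order.
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventSource") != "iam.amazonaws.com" or "errorCode" in rec:
            continue  # other services, or failed calls such as AccessDenied
        name = (rec.get("requestParameters") or {}).get("userName")
        event = rec.get("eventName")
        if event == "CreateUser":
            creator = rec.get("userIdentity", {}).get("arn", "unknown")
            findings[name] = {
                "created_at": rec["eventTime"],
                "creator": creator,
                "creator_approved": creator in approved_creators,
                "source_ip": rec.get("sourceIPAddress"),
                "follow_up": [],       # permissions and credentials added later
                "mfa_enabled": False,  # set once EnableMFADevice is seen
            }
        elif event in FOLLOW_UP and name in findings:
            if event == "EnableMFADevice":
                findings[name]["mfa_enabled"] = True
            else:
                findings[name]["follow_up"].append(event)
    return findings

def sample_record(time, event, user, actor, **extra):
    """Build a constructed CloudTrail-shaped record (sample data, not real logs)."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": event,
            "userIdentity": {"arn": actor}, "sourceIPAddress": "198.51.100.7",
            "requestParameters": {"userName": user}, **extra}

ALICE = "arn:aws:iam::111122223333:user/alice"                    # constructed principal
CI = "arn:aws:sts::111122223333:assumed-role/provisioning/ci"    # constructed approved creator
SAMPLE = [
    sample_record("2024-01-10T09:00:00Z", "CreateUser", "svc-report", ALICE),
    sample_record("2024-01-10T09:01:00Z", "AttachUserPolicy", "svc-report", ALICE),
    sample_record("2024-01-10T09:02:00Z", "CreateAccessKey", "svc-report", ALICE),
    sample_record("2024-01-10T09:03:00Z", "CreateUser", "ghost", ALICE, errorCode="AccessDenied"),
    sample_record("2024-01-10T09:05:00Z", "CreateUser", "bob", CI),
    sample_record("2024-01-10T09:06:00Z", "CreateLoginProfile", "bob", CI),
    sample_record("2024-01-10T09:10:00Z", "EnableMFADevice", "bob", CI),
]

if __name__ == "__main__":
    print(triage_new_iam_users(SAMPLE, {CI}))
```

In the sample, `svc-report` is the finding to review first: it was created outside the approved path, received a policy and an access key, and has no MFA device.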

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.