AWS-IAM-IAM-User-Admins

Severity: Medium

Description: This control ensures that an IAM group with Administrator permissions has more than one administrator user. As a best practice, it is recommended to create an administrator group named Administrator to perform tasks that require the AdministratorAccess permission, and to add the users who will have administrator access to that group. Having more than one administrator makes sure that someone with the right privileges can still access the AWS account to resolve an urgent issue.

Remediation Steps:

Perform the following to create an IAM administrator group and move users from the old group:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com as the root user.

  2. Navigate to the IAM console.

  3. In the navigation pane, choose Users, and then choose Add user.

  4. On the Details page:

    1. In the User name field, enter Administrator02.

    2. Select AWS Management Console access, select Custom password, and then enter a new password.

    3. Choose Next: Permissions.

  5. On the Permissions page:

    1. Choose Add user to group.

    2. Under Add user to group, select the Administrators group from the list of groups.

    3. In the policy list, select the checkbox for AdministratorAccess.

    4. Choose Next: Tags.

  6. Choose Next: Review and then choose Create user.

Important:

  • If the secondary administrator's permissions need to be limited, create a managed policy with a conditional statement on the principal to restrict the actions allowed.
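As an added example that is not part of this control text or the vendor's scanner, the following Python evaluates the control offline: it finds every IAM group carrying the AWS-managed AdministratorAccess policy and fails any such group with fewer than two members. The inventory below is constructed, shaped like the boto3 `list_attached_group_policies` and `get_group` responses, and the group and user names are assumptions.

```python
"""Evaluate the "IAM user admins" control over an IAM inventory.

Constructed example: the input dicts mirror the shape of boto3's
iam.list_attached_group_policies()['AttachedPolicies'] and
iam.get_group()['Users'] so a real inventory can be dropped in.
"""
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def admin_groups(attached_policies):
    """Return the group names that carry the AWS-managed AdministratorAccess policy.

    attached_policies: {group_name: [{"PolicyName": ..., "PolicyArn": ...}, ...]}
    """
    return sorted(
        group for group, policies in attached_policies.items()
        if any(p["PolicyArn"] == ADMIN_POLICY_ARN for p in policies)
    )


def evaluate(attached_policies, group_members):
    """Return {group: ("PASS" | "FAIL", member_count)} for each admin group.

    group_members: {group_name: [{"UserName": ...}, ...]}, i.e. the 'Users'
    list from iam.get_group(). A group fails when it has fewer than two members.
    """
    results = {}
    for group in admin_groups(attached_policies):
        count = len(group_members.get(group, []))
        results[group] = ("PASS" if count >= 2 else "FAIL", count)
    return results


# Constructed sample inventory: one compliant admin group, one with a single
# admin user, and one non-admin group that the check must ignore.
SAMPLE_POLICIES = {
    "Administrators": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}],
    "BreakGlassAdmins": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}],
    "Developers": [{"PolicyName": "PowerUserAccess",
                    "PolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess"}],
}
SAMPLE_MEMBERS = {
    "Administrators": [{"UserName": "Administrator"}, {"UserName": "Administrator02"}],
    "BreakGlassAdmins": [{"UserName": "oncall-admin"}],
    "Developers": [{"UserName": "dev1"}],
}

if __name__ == "__main__":
    for group, (status, n) in evaluate(SAMPLE_POLICIES, SAMPLE_MEMBERS).items():
        print(f"{status}: group {group!r} has {n} member(s)")
```

Groups whose admin rights come from inline or customer-managed policies are not matched by the ARN comparison; extend `admin_groups` with a policy-document check if your account uses them.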

Reference:

Blue Hexagon Proprietary