Account with minimum admins remediation

Using Console

Using CLI

To prevent having fewer than the minimum required number of IAM administrators in an AWS account using the AWS CLI, you can follow these steps:

List Current IAM Users with Admin Access: Use the following command to list all IAM users and their attached policies. This helps identify users with administrative privileges.
```
aws iam list-users
```
Check Attached Policies for Admin Access: For each user, check their attached policies to see if they have administrative access. The following command lists the policies attached to a specific user:
```
aws iam list-attached-user-policies --user-name <user-name>
```
Look for policies like AdministratorAccess.
Create New IAM Admin User (if needed): If you find that the number of admin users is below the required minimum, create a new IAM user and attach the AdministratorAccess policy. First, create the user:
```
aws iam create-user --user-name <new-admin-user>
```
Then attach the AdministratorAccess policy:
```
aws iam attach-user-policy --user-name <new-admin-user> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
```

Automate Monitoring with a Script: To ensure continuous compliance, you can write a script that periodically checks the number of admin users and alerts you if it falls below the minimum threshold. Here is a simple example in Python:

import boto3

def check_admin_users(min_admins=2):
    iam = boto3.client('iam')
    users = iam.list_users()['Users']
    admin_count = 0

    for user in users:
        policies = iam.list_attached_user_policies(UserName=user['UserName'])['AttachedPolicies']
        for policy in policies:
            if policy['PolicyArn'] == 'arn:aws:iam::aws:policy/AdministratorAccess':
                admin_count += 1
                break

    if admin_count < min_admins:
        print(f"Warning: Only {admin_count} admin users found. Minimum required is {min_admins}.")

check_admin_users()

By following these steps, you can ensure that your AWS account maintains the required minimum number of IAM administrators.

Using Python

To prevent having fewer than the minimum required number of administrators in AWS IAM using Python scripts, you can follow these steps:

Set Up AWS SDK for Python (Boto3):
- Ensure you have Boto3 installed. If not, install it using pip:
  pip install boto3
Define the Minimum Number of Admins:
- Set a variable to define the minimum number of administrators required in your AWS account.
List IAM Users and Check for Admins:
- Use Boto3 to list all IAM users and check their attached policies to determine if they have administrative privileges.
Automate the Monitoring and Notification:
- Create a script that runs periodically to check the number of admins and sends a notification if the number falls below the minimum threshold.

Here is a sample Python script to achieve this:

import boto3
from botocore.exceptions import NoCredentialsError, PartialCredentialsError

# Define the minimum number of admins required
MIN_ADMINS = 2

def get_iam_users():
    try:
        iam_client = boto3.client('iam')
        paginator = iam_client.get_paginator('list_users')
        users = []
        for response in paginator.paginate():
            users.extend(response['Users'])
        return users
    except (NoCredentialsError, PartialCredentialsError) as e:
        print(f"Error: {e}")
        return []

def is_admin(user_name):
    try:
        iam_client = boto3.client('iam')
        attached_policies = iam_client.list_attached_user_policies(UserName=user_name)['AttachedPolicies']
        for policy in attached_policies:
            if policy['PolicyName'] == 'AdministratorAccess':
                return True
        return False
    except Exception as e:
        print(f"Error checking admin status for {user_name}: {e}")
        return False

def check_admins():
    users = get_iam_users()
    admin_count = 0
    for user in users:
        if is_admin(user['UserName']):
            admin_count += 1
    return admin_count

def main():
    admin_count = check_admins()
    if admin_count < MIN_ADMINS:
        print(f"Warning: The number of admins ({admin_count}) is below the minimum required ({MIN_ADMINS}).")
        # Here you can add code to send a notification (e.g., email, SNS, etc.)

if __name__ == "__main__":
    main()

Explanation:

Set Up AWS SDK for Python (Boto3):
- The script starts by importing the necessary libraries and setting up the Boto3 client to interact with AWS IAM.
Define the Minimum Number of Admins:
- The MIN_ADMINS variable is set to the minimum number of administrators required.
List IAM Users and Check for Admins:
- The get_iam_users function retrieves all IAM users.
- The is_admin function checks if a user has the AdministratorAccess policy attached.
- The check_admins function counts the number of users with administrative privileges.
Automate the Monitoring and Notification:
- The main function checks the number of admins and prints a warning if the count is below the minimum required. You can extend this function to send notifications via email, SNS, or other methods.

By running this script periodically (e.g., as a scheduled Lambda function or a cron job), you can ensure that your AWS account always has the required minimum number of administrators.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Account with minimum admins remediation

Triage and Remediation

How to Prevent