Event Information

  • The CreateUser event in AWS IAM records the action of creating a new user in the Identity and Access Management (IAM) service.
  • This event signifies the initiation of a new user account creation process within the AWS account.
  • The CreateUser event is typically triggered when an administrator, or a user with the appropriate permissions, calls the CreateUser API directly or through the AWS CLI to create a new IAM user.

Examples

  • Weak password policy: If the CreateUser operation in AWS IAM allows users to set weak passwords without enforcing any complexity requirements, it can lead to security vulnerabilities. Attackers may easily guess or brute-force weak passwords, compromising the security of user accounts.

  • Lack of multi-factor authentication (MFA): If the CreateUser operation does not enforce the use of MFA for IAM users, it increases the risk of unauthorized access. MFA adds an extra layer of security by requiring users to provide an additional authentication factor, such as a one-time password generated by a mobile app or a hardware token.

  • Insufficient permissions management: If the CreateUser operation allows users to create IAM users with excessive permissions, it can lead to privilege escalation and unauthorized access to sensitive resources. It is important to ensure that users are granted only the necessary permissions based on the principle of least privilege.
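The three weaknesses above all show up in the CloudTrail record stream around a CreateUser event: a new user followed by AttachUserPolicy with an administrative policy (excessive permissions) or by CreateLoginProfile (console password, possibly without a reset requirement). The following added example, which is not part of the original page, parses a constructed set of CloudTrail records, groups the follow-up IAM actions by the newly created user name, and rates each CreateUser event. The record shapes follow the CloudTrail log format; the sample values (account id, user names, IP addresses, timestamps) are constructed, and the set of policy ARNs treated as privileged is an assumption to adjust for your account.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not real log data): a CreateUser
# followed by AttachUserPolicy granting AdministratorAccess and a console
# login profile, then an unrelated CreateUser with no follow-up actions.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-01-15T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "svc-backup"},
        "responseElements": {"user": {"userName": "svc-backup"}},
    },
    {
        "eventTime": "2024-01-15T10:00:05Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "svc-backup",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {
        "eventTime": "2024-01-15T10:01:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateLoginProfile",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userName": "svc-backup", "passwordResetRequired": False},
    },
    {
        "eventTime": "2024-01-15T11:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"userName": "dev-carol"},
        "responseElements": {"user": {"userName": "dev-carol"}},
    },
]

# Assumed set of managed policies whose attachment to a brand-new user
# should be treated as a high-severity finding; extend for your account.
PRIVILEGED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}


def load_cloudtrail_file(text):
    """CloudTrail log files are JSON objects with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def find_create_user_events(records):
    """Return one finding per CreateUser event, enriched with the follow-up IAM
    actions (policy attachments, console login profile) taken on the new user."""
    # Index every non-CreateUser IAM event by the user it targets
    followups = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") == "CreateUser":
            continue
        target = (r.get("requestParameters") or {}).get("userName")
        if target:
            followups[target].append(r)

    findings = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") != "CreateUser":
            continue
        new_user = r["requestParameters"]["userName"]
        identity = r.get("userIdentity", {})
        finding = {
            "new_user": new_user,
            "created_by": identity.get("userName") or identity.get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "event_time": r.get("eventTime"),
            "attached_policies": [],
            "console_login_enabled": False,
            "severity": "info",
        }
        for f in followups.get(new_user, []):
            params = f.get("requestParameters") or {}
            if f["eventName"] == "AttachUserPolicy":
                finding["attached_policies"].append(params.get("policyArn"))
            elif f["eventName"] == "CreateLoginProfile":
                finding["console_login_enabled"] = True
        # Rate: privileged policy on a new user is high; any other grant or a
        # console password is medium; a bare CreateUser is informational
        if any(p in PRIVILEGED_POLICY_ARNS for p in finding["attached_policies"]):
            finding["severity"] = "high"
        elif finding["console_login_enabled"] or finding["attached_policies"]:
            finding["severity"] = "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    records = load_cloudtrail_file(json.dumps({"Records": SAMPLE_RECORDS}))
    for finding in find_create_user_events(records):
        print(json.dumps(finding))
```

The correlation key is the target user name rather than the session, so follow-up actions are attributed to the new user even when a different principal performs them; in a real pipeline you would also bound the lookup to a time window after the CreateUser event.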

Remediation

Using Console

  1. Example 1: Enforce strong password policy for IAM users

    • Step 1: Log in to the AWS Management Console.
    • Step 2: Go to the IAM service.
    • Step 3: Click on “Account settings” in the left navigation pane.
    • Step 4: Under the “Password policy” section, click on “Edit”.
    • Step 5: Configure the password policy settings according to your requirements, such as minimum password length, password complexity requirements, and password expiration.
    • Step 6: Click on “Apply password policy” to save the changes.
  2. Example 2: Enable multi-factor authentication (MFA) for IAM users

    • Step 1: Log in to the AWS Management Console.
    • Step 2: Go to the IAM service.
    • Step 3: Click on “Users” in the left navigation pane.
    • Step 4: Select the IAM user for which you want to enable MFA.
    • Step 5: Click on the “Security credentials” tab.
    • Step 6: Under the “Multi-factor authentication (MFA)” section, click on “Manage MFA”.
    • Step 7: Follow the on-screen instructions to set up MFA for the user, either by using a virtual MFA device or a hardware MFA device.
  3. Example 3: Enable AWS CloudTrail for logging IAM events

    • Step 1: Log in to the AWS Management Console.
    • Step 2: Go to the CloudTrail service.
    • Step 3: Click on “Trails” in the left navigation pane.
    • Step 4: Click on “Create trail”.
    • Step 5: Provide a name for the trail and choose the S3 bucket where the CloudTrail logs will be stored.
    • Step 6: Under the “Management events” section, enable logging for IAM events.
    • Step 7: Configure any additional settings as required, such as log file encryption and log file validation.
    • Step 8: Click on “Create” to create the trail and start logging IAM events.

Using CLI

  1. Ensure IAM users have strong passwords:

    • Use the update-login-profile command to set a strong password for an IAM user:
      aws iam update-login-profile --user-name <IAM_USER_NAME> --password <NEW_PASSWORD> --password-reset-required
      
  2. Enable multi-factor authentication (MFA) for IAM users:

    • Use the enable-mfa-device command to enable MFA for an IAM user:
      aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number <MFA_DEVICE_SERIAL_NUMBER> --authentication-code1 <CODE1> --authentication-code2 <CODE2>
      
  3. Remove unnecessary IAM access keys:

    • Use the delete-access-key command to delete an IAM access key:
      aws iam delete-access-key --user-name <IAM_USER_NAME> --access-key-id <ACCESS_KEY_ID>
      

Using Python

  1. Ensure IAM users have strong passwords:
    • Use the boto3 library in Python to retrieve a list of IAM users.
    • For each user, check if their password policy meets the desired criteria (e.g., minimum length, complexity requirements).
    • If a user’s password policy does not meet the criteria, use the update_account_password_policy method to update the policy accordingly.
import boto3

iam_client = boto3.client('iam')

def update_password_policy():
    try:
        response = iam_client.get_account_password_policy()
        password_policy = response['PasswordPolicy']
    except iam_client.exceptions.NoSuchEntityException:
        # No custom policy has been set yet: start from an empty one
        password_policy = {}

    # get_account_password_policy returns ExpirePasswords, which
    # update_account_password_policy does not accept as a parameter
    password_policy.pop('ExpirePasswords', None)

    # Check if password policy meets desired criteria
    if password_policy.get('MinimumPasswordLength', 0) < 8:
        password_policy['MinimumPasswordLength'] = 8

    # Update password policy
    iam_client.update_account_password_policy(**password_policy)

if __name__ == '__main__':
    update_password_policy()
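The check above covers only the minimum length. The following added example (not code from the original page) evaluates a complete password policy, in the shape returned by get_account_password_policy, against a baseline of length, character classes, maximum age and reuse prevention, reports each gap, and builds the keyword arguments for update_account_password_policy. The baseline values are assumptions to adjust for your requirements; the remediate_password_policy helper is hypothetical and takes an already constructed boto3 IAM client so that the evaluation itself runs offline.

```python
# Assumed baseline; keys match the update_account_password_policy parameters
BASELINE_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

# Returned by get_account_password_policy but rejected by update_account_password_policy
READ_ONLY_KEYS = {"ExpirePasswords"}

# Constructed sample of a weak policy (no expiry, no reuse prevention, short length)
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}


def evaluate_password_policy(current, baseline=BASELINE_POLICY):
    """Compare a 'PasswordPolicy' dict against the baseline.

    Returns (findings, update_params): a list of human-readable gaps and a
    dict that can be passed as **kwargs to update_account_password_policy."""
    findings = []
    desired = {k: v for k, v in current.items() if k not in READ_ONLY_KEYS}
    for key, required in baseline.items():
        actual = current.get(key)
        if isinstance(required, bool):          # checked before int: bool is an int subclass
            ok = bool(actual) == required
        elif key == "MinimumPasswordLength":
            ok = actual is not None and actual >= required
        elif key == "MaxPasswordAge":
            # Absent or 0 means passwords never expire
            ok = actual is not None and 0 < actual <= required
        elif key == "PasswordReusePrevention":
            ok = actual is not None and actual >= required
        else:
            ok = actual == required
        if not ok:
            findings.append(f"{key}: found {actual!r}, required {required!r}")
            desired[key] = required
    return findings, desired


def remediate_password_policy(iam_client, baseline=BASELINE_POLICY):
    """Hypothetical helper: read the live policy, evaluate it, apply the fix."""
    try:
        current = iam_client.get_account_password_policy()["PasswordPolicy"]
    except iam_client.exceptions.NoSuchEntityException:
        current = {}
    findings, params = evaluate_password_policy(current, baseline)
    if findings:
        iam_client.update_account_password_policy(**params)
    return findings


if __name__ == "__main__":
    gaps, params = evaluate_password_policy(WEAK_POLICY)
    for gap in gaps:
        print(gap)
    print(params)
```

Note that AWS reports MaxPasswordAge only when ExpirePasswords is true, so a missing key is treated as "never expires" rather than as a parse error.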
  2. Monitor and log IAM user activities:
    • Use the boto3 library in Python to enable CloudTrail for the AWS account.
    • Create a CloudTrail trail and specify the desired settings, such as the S3 bucket to store the logs.
    • Enable logging for IAM events by configuring the trail to capture IAM-related events.
    • Use the start_logging method to start logging IAM events.
import boto3

cloudtrail_client = boto3.client('cloudtrail')

TRAIL_NAME = 'MyCloudTrail'

def enable_cloudtrail_logging():
    # IAM is a global service, so IncludeGlobalServiceEvents must be set for
    # IAM API calls such as CreateUser to be recorded by the trail
    cloudtrail_client.create_trail(
        Name=TRAIL_NAME,
        S3BucketName='my-cloudtrail-bucket',
        IsMultiRegionTrail=True,
        IncludeGlobalServiceEvents=True
    )

    # IAM API calls are management events. Event selectors are configured
    # with put_event_selectors; update_trail does not accept them, and IAM
    # resources are not a data-event type
    cloudtrail_client.put_event_selectors(
        TrailName=TRAIL_NAME,
        EventSelectors=[
            {
                'ReadWriteType': 'All',
                'IncludeManagementEvents': True,
                'DataResources': []
            }
        ]
    )

    # Start logging IAM events
    cloudtrail_client.start_logging(Name=TRAIL_NAME)

if __name__ == '__main__':
    enable_cloudtrail_logging()
  3. Regularly rotate access keys for IAM users:
    • Use the boto3 library in Python to retrieve a list of IAM users.
    • For each user, use the list_access_keys method to retrieve their access keys.
    • Generate new access keys for each user using the create_access_key method.
    • Use the update_access_key method to deactivate the old access keys and activate the new ones.
import boto3

iam_client = boto3.client('iam')

def rotate_access_keys():
    # New key material is returned so it can be delivered to each key's
    # consumer; the secret is only available from the create_access_key response
    new_keys = {}

    # list_users is paginated, so iterate over every page
    paginator = iam_client.get_paginator('list_users')
    for page in paginator.paginate():
        for user in page['Users']:
            user_name = user['UserName']
            response = iam_client.list_access_keys(UserName=user_name)
            access_keys = response['AccessKeyMetadata']

            if not access_keys:
                continue
            # IAM allows at most two access keys per user; a user that already
            # has two cannot receive a replacement until one is deleted
            if len(access_keys) >= 2:
                print(f"{user_name}: two access keys present, skipping")
                continue

            # Generate new access key (it is created in the Active state)
            new_access_key = iam_client.create_access_key(UserName=user_name)
            new_keys[user_name] = new_access_key['AccessKey']

            # Deactivate old access keys; an inactive key can be re-enabled if
            # a consumer breaks, and deleted once the new key is confirmed working
            for access_key in access_keys:
                iam_client.update_access_key(
                    UserName=user_name,
                    AccessKeyId=access_key['AccessKeyId'],
                    Status='Inactive'
                )
    return new_keys

if __name__ == '__main__':
    rotate_access_keys()