The Admin User Group Only Contains the Root User
Rule Details
Parameter | Description
---|---
Rule Name | iam-user-check-non-admin-group
Identifier | iam-user-check-non-admin-group
Description | If a non-root user was added to the admin user group, this user is noncompliant.
Tag | iam
Trigger Type | Configuration change
Filter Type | iam.users
Configure Rule Parameters | None
Applicable Scenario
The admin user group is a default user group with full permissions for all cloud resources in an account. Adding non-root users to the admin user group, or having several people share the enterprise administrator (root) account, is insecure. Instead, add IAM users to purpose-specific user groups and attach only the permissions those groups need, so that personnel or applications can access only the cloud resources required to complete their tasks.
Solution
Remove non-root users from the admin user group. For details, see Adding Users to or Removing Users from a User Group.
Rule Logic
- If an IAM user is the root user, this user is compliant.
- If an IAM user is disabled, this user is compliant.
- If a non-root IAM user in the enabled state was added to the admin user group, this user is noncompliant.
- If a non-root IAM user in the enabled state is not in the admin user group, this user is compliant.
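The evaluation order above, applied to constructed IAM user records, as an added example (not Config service code; the user fields and sample data are assumptions):

```python
from dataclasses import dataclass

ADMIN_GROUP = "admin"  # the default admin user group the rule checks


@dataclass(frozen=True)
class IamUser:
    """Minimal IAM user record (assumed shape, not the real iam.users resource)."""
    name: str
    enabled: bool
    is_root: bool
    groups: frozenset


def evaluate_user(user: IamUser) -> tuple:
    """Return (status, reason) following the rule logic, in order."""
    if user.is_root:
        return "Compliant", "root user"
    if not user.enabled:
        return "Compliant", "user is disabled"
    if ADMIN_GROUP in user.groups:
        return "NonCompliant", f"enabled non-root user is in '{ADMIN_GROUP}'"
    return "Compliant", f"not a member of '{ADMIN_GROUP}'"


def noncompliant_users(users) -> list:
    """Names of users that need remediation (removal from the admin group)."""
    return sorted(u.name for u in users if evaluate_user(u)[0] == "NonCompliant")


# Constructed sample account: one root user, three IAM users.
SAMPLE_USERS = [
    IamUser("root-account", enabled=True, is_root=True, groups=frozenset({"admin"})),
    IamUser("alice", enabled=True, is_root=False, groups=frozenset({"admin", "dev"})),
    IamUser("bob", enabled=False, is_root=False, groups=frozenset({"admin"})),
    IamUser("carol", enabled=True, is_root=False, groups=frozenset({"readonly"})),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        status, reason = evaluate_user(u)
        print(f"{u.name:<13} {status:<13} {reason}")
    print("remediate:", noncompliant_users(SAMPLE_USERS))
```

Only alice is flagged: bob is in the admin group but disabled, so the rule treats him as compliant until he is re-enabled.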