
new IAM users showed up

0

I am seeing some new users in my IAM user listing (cryptic names). There is a description "AWS Managed Job Function" Directly and it does not have console access. Is this created by an automated service? I am not aware of why they would be there. I have several accounts like this, all created. I am in contact with the account owner and asking them to enable 2FA on the root account, as they insist on using a very long password.

One has console access and indicates it was recently used. Should I just delete them all?

  • I think that if they can't be accounted for, then it's okay to delete them. But first, you need to check the IAM role attached to the users and be sure of what they are.

    In addition, it's very critical to enable MFA on all accounts, root or other IAM users.

    Best practice is to avoid using the root account after creating an AWS account. Only use the root account to create an IAM user that will serve as an admin having most accesses, then just stay away from the root account. You can then use the IAM user account with admin access to create other users, giving them just the permissions they need.

    It's also best to use IAM groups and add the users you create to them. Attach policies to the groups and not directly to the users.

    If you operate several accounts, you can ensure compliance with these security best practices by using AWS Organizations to group your accounts and set rules to enforce best practices, etc.

1 Answer
0

Hello.

Before deleting it, I think it's a good idea to check CloudTrail etc. to see what operations the IAM user was performing.
You can check the AWS services that the IAM user was operating in the CloudTrail event history.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html

You can delete it immediately, but why not attach the IAM policy described in the document below to the user and temporarily prevent them from doing anything?
I think you can disable it and delete it if there are no problems with the application or system.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deactivating

EXPERT answered 2 years ago
EXPERT reviewed 2 years ago
  • An auto-generated ID w/ password and console access, policy based on access to all resources (is this normal?). These are excerpts to make it fit:

        "cloudtrail:GetTrail", "iam:GenerateServiceLastAccessedDetails", "iam:GetServiceLastAccessedDetails"
        action "s3:GetObject", "s3:ListBucket"
            "arn:aws:s3:::{{cloudtrail-bucket}}",
            "arn:aws:s3:::{{cloudtrail-bucket}}/*"
        "kms:Decrypt"
            "arn:aws:kms:{{region}}:{{account}}:key/{{key}}"
            "Condition": { "StringLike": { "kms:ViaService": "s3.*.amazonaws.com"
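The triage the answer describes (look up the user's CloudTrail event history, then neutralise the user with a deny policy instead of deleting it) as an added example; this is not code from the thread or from AWS. It assumes boto3-style `cloudtrail.lookup_events` and `iam.put_user_policy` clients; the deny-all inline policy and the `FakeCloudTrail` sample page are constructed here so the script runs offline.

```python
import json
from collections import Counter

# Inline policy that denies every action; an explicit Deny overrides any Allow the
# user already holds, so the user is neutralised but kept for investigation.
QUARANTINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

def lookup_user_events(cloudtrail, username):
    """Fetch the event-history records for one IAM user (90-day window), following NextToken."""
    events, kwargs = [], {"LookupAttributes": [{"AttributeKey": "Username", "AttributeValue": username}]}
    while True:
        page = cloudtrail.lookup_events(**kwargs)
        events.extend(page.get("Events", []))
        if "NextToken" not in page:
            return events
        kwargs["NextToken"] = page["NextToken"]

def summarise_activity(events):
    """Count (service, API) pairs and source IPs; the full record is a JSON string in CloudTrailEvent."""
    calls, sources = Counter(), Counter()
    for ev in events:
        record = json.loads(ev["CloudTrailEvent"])
        calls[(ev["EventSource"], ev["EventName"])] += 1
        sources[record.get("sourceIPAddress", "unknown")] += 1
    return calls, sources

def quarantine_user(iam, username):
    """Attach the deny-all inline policy rather than deleting, so nothing is lost irreversibly."""
    iam.put_user_policy(UserName=username, PolicyName="QuarantineDenyAll",
                        PolicyDocument=json.dumps(QUARANTINE_POLICY))
    return "QuarantineDenyAll"

# Constructed sample page shaped like a real lookup_events() response (offline stand-in).
SAMPLE_PAGE = {"Events": [
    {"EventName": "GetObject", "EventSource": "s3.amazonaws.com",
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "203.0.113.10"})},
    {"EventName": "GetObject", "EventSource": "s3.amazonaws.com",
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "203.0.113.10"})},
    {"EventName": "ConsoleLogin", "EventSource": "signin.amazonaws.com",
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "198.51.100.7"})},
]}

class FakeCloudTrail:  # replace with boto3.client("cloudtrail") for a real account
    def lookup_events(self, **kwargs):
        return SAMPLE_PAGE

if __name__ == "__main__":
    calls, sources = summarise_activity(lookup_user_events(FakeCloudTrail(), "xq7k2p"))
    for (service, api), n in calls.most_common():
        print(f"{n:4d}  {service:28s} {api}")
    print("source IPs:", dict(sources))
```

Review the summary (console logins, unexpected services or source IPs) before quarantining; a user with an inline Deny policy still shows up in IAM and its history stays searchable.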
