> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS Account Should Have A Minimum Number of Admins

### More Info:

Your AWS account should have minimum number of admins

### Risk Level

Medium

### Address

Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Prevention">
    ### How to Prevent

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To prevent having fewer than the minimum number of administrators in AWS IAM using the AWS Management Console, follow these steps:

        1. **Access IAM Dashboard:**
           * Sign in to the AWS Management Console.
           * Navigate to the IAM (Identity and Access Management) service by searching for "IAM" in the search bar and selecting it.

        2. **Review IAM Users:**
           * In the IAM Dashboard, click on "Users" in the left-hand navigation pane.
           * Review the list of users to identify those with administrative privileges. Look for users with the `AdministratorAccess` policy attached.

        3. **Check Group Memberships:**
           * Click on "Groups" in the left-hand navigation pane.
           * Review the groups to see if any have the `AdministratorAccess` policy attached.
           * Ensure that there are enough users in these groups to meet your minimum requirement for administrators.

        4. **Add Additional Admins if Necessary:**
           * If you find that you do not have the minimum number of administrators, you can add more users with administrative privileges.
           * Click on "Add user" in the IAM Dashboard.
           * Follow the prompts to create a new user and attach the `AdministratorAccess` policy to their account.

        By following these steps, you can ensure that your AWS account maintains the minimum number of administrators required for proper management and security.
      </Accordion>

      <Accordion title="Using CLI">
        To prevent having fewer than the minimum required number of IAM administrators in an AWS account using the AWS CLI, you can follow these steps:

        1. **List Current IAM Users with Admin Access:**
           Use the following command to list all IAM users and their attached policies. This helps identify users with administrative privileges.
           ```sh theme={null}
           aws iam list-users
           ```

        2. **Check Attached Policies for Admin Access:**
           For each user, check their attached policies to see if they have administrative access. The following command lists the policies attached to a specific user:
           ```sh theme={null}
           aws iam list-attached-user-policies --user-name <user-name>
           ```
           Look for policies like `AdministratorAccess`.

        3. **Create New IAM Admin User (if needed):**
           If you find that the number of admin users is below the required minimum, create a new IAM user and attach the `AdministratorAccess` policy. First, create the user:
           ```sh theme={null}
           aws iam create-user --user-name <new-admin-user>
           ```
           Then attach the `AdministratorAccess` policy:
           ```sh theme={null}
           aws iam attach-user-policy --user-name <new-admin-user> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
           ```

        4. **Automate Monitoring with a Script:**
           To ensure continuous compliance, you can write a script that periodically checks the number of admin users and alerts you if it falls below the minimum threshold. Here is a simple example in Python:
           ```python theme={null}
           import boto3

           def check_admin_users(min_admins=2):
               iam = boto3.client('iam')
               users = iam.list_users()['Users']
               admin_count = 0

               for user in users:
                   policies = iam.list_attached_user_policies(UserName=user['UserName'])['AttachedPolicies']
                   for policy in policies:
                       if policy['PolicyArn'] == 'arn:aws:iam::aws:policy/AdministratorAccess':
                           admin_count += 1
                           break

               if admin_count < min_admins:
                   print(f"Warning: Only {admin_count} admin users found. Minimum required is {min_admins}.")

           check_admin_users()
           ```

        By following these steps, you can ensure that your AWS account maintains the required minimum number of IAM administrators.
      </Accordion>

      <Accordion title="Using Python">
        To prevent having fewer than the minimum required number of administrators in AWS IAM using Python scripts, you can follow these steps:

        1. **Set Up AWS SDK for Python (Boto3):**
           * Ensure you have Boto3 installed. If not, install it using pip:
             ```bash theme={null}
             pip install boto3
             ```

        2. **Define the Minimum Number of Admins:**
           * Set a variable to define the minimum number of administrators required in your AWS account.

        3. **List IAM Users and Check for Admins:**
           * Use Boto3 to list all IAM users and check their attached policies to determine if they have administrative privileges.

        4. **Automate the Monitoring and Notification:**
           * Create a script that runs periodically to check the number of admins and sends a notification if the number falls below the minimum threshold.

        Here is a sample Python script to achieve this:

        ```python theme={null}
        import boto3
        from botocore.exceptions import NoCredentialsError, PartialCredentialsError

        # Define the minimum number of admins required
        MIN_ADMINS = 2

        def get_iam_users():
            try:
                iam_client = boto3.client('iam')
                paginator = iam_client.get_paginator('list_users')
                users = []
                for response in paginator.paginate():
                    users.extend(response['Users'])
                return users
            except (NoCredentialsError, PartialCredentialsError) as e:
                print(f"Error: {e}")
                return []

        def is_admin(user_name):
            try:
                iam_client = boto3.client('iam')
                attached_policies = iam_client.list_attached_user_policies(UserName=user_name)['AttachedPolicies']
                for policy in attached_policies:
                    if policy['PolicyName'] == 'AdministratorAccess':
                        return True
                return False
            except Exception as e:
                print(f"Error checking admin status for {user_name}: {e}")
                return False

        def check_admins():
            users = get_iam_users()
            admin_count = 0
            for user in users:
                if is_admin(user['UserName']):
                    admin_count += 1
            return admin_count

        def main():
            admin_count = check_admins()
            if admin_count < MIN_ADMINS:
                print(f"Warning: The number of admins ({admin_count}) is below the minimum required ({MIN_ADMINS}).")
                # Here you can add code to send a notification (e.g., email, SNS, etc.)

        if __name__ == "__main__":
            main()
        ```

        ### Explanation:

        1. **Set Up AWS SDK for Python (Boto3):**
           * The script starts by importing the necessary libraries and setting up the Boto3 client to interact with AWS IAM.

        2. **Define the Minimum Number of Admins:**
           * The `MIN_ADMINS` variable is set to the minimum number of administrators required.

        3. **List IAM Users and Check for Admins:**
           * The `get_iam_users` function retrieves all IAM users.
           * The `is_admin` function checks if a user has the `AdministratorAccess` policy attached.
           * The `check_admins` function counts the number of users with administrative privileges.

        4. **Automate the Monitoring and Notification:**
           * The `main` function checks the number of admins and prints a warning if the count is below the minimum required. You can extend this function to send notifications via email, SNS, or other methods.

        By running this script periodically (e.g., as a scheduled Lambda function or a cron job), you can ensure that your AWS account always has the required minimum number of administrators.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

        2. In the navigation pane, choose "Users". This will display a list of all IAM users that are currently set up for your AWS account.

        3. For each user, check the "Permissions" tab to see what policies are attached to the user. Look for policies that grant administrator privileges, such as "AdministratorAccess".

        4. Count the number of users with administrator privileges. If the number is less than the minimum number of admins you have set as a standard for your organization, then it is a misconfiguration.
      </Accordion>

      <Accordion title="Using CLI">
        1. Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands:

           Installation:

           ```
           pip install awscli
           ```

           Configuration:

           ```
           aws configure
           ```

           You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.

        2. List IAM Users: Once AWS CLI is set up, you can list all the IAM users in your AWS account by running the following command:
           ```
           aws iam list-users
           ```
           This command will return a list of all IAM users along with their details.

        3. List IAM Policies: For each user, you can list the policies attached to them. This can be done using the following command:
           ```
           aws iam list-user-policies --user-name <username>
           ```
           Replace `<username>` with the name of the user. This command will return a list of all policy names attached to the specified user.

        4. Check for Admin Policies: Finally, you can check if the user has 'AdministratorAccess' policy attached. This policy provides full access to AWS services and resources. If the number of users with this policy is less than the minimum required, it indicates a misconfiguration. You can do this by checking if 'AdministratorAccess' is present in the list of policies returned in the previous step.
      </Accordion>

      <Accordion title="Using Python">
        1. Install the necessary AWS SDK for Python (Boto3) if you haven't done so already. You can install it using pip:

        ```python theme={null}
        pip install boto3
        ```

        2. Import the necessary modules and create a session using your AWS credentials:

        ```python theme={null}
        import boto3

        session = boto3.Session(
            aws_access_key_id='YOUR_ACCESS_KEY',
            aws_secret_access_key='YOUR_SECRET_KEY',
            region_name='YOUR_REGION'
        )
        ```

        3. Use the IAM client from Boto3 to list all the IAM users in your AWS account:

        ```python theme={null}
        iam = session.client('iam')

        users = iam.list_users()['Users']
        ```

        4. Iterate over the users and check their policies. If a user has the 'AdministratorAccess' policy, increment a counter. If the counter is less than the minimum number of admins you want, raise an alert:

        ```python theme={null}
        admin_count = 0
        for user in users:
            policies = iam.list_attached_user_policies(UserName=user['UserName'])['AttachedPolicies']
            for policy in policies:
                if policy['PolicyName'] == 'AdministratorAccess':
                    admin_count += 1

        if admin_count < MIN_ADMINS:
            print(f'Alert: Only {admin_count} admins in the account. Minimum required is {MIN_ADMINS}.')
        ```

        Replace 'YOUR\_ACCESS\_KEY', 'YOUR\_SECRET\_KEY', 'YOUR\_REGION', and 'MIN\_ADMINS' with your actual AWS access key, secret key, region, and the minimum number of admins you want in your AWS account, respectively.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Step-by-step instructions to remediate the AWS misconfiguration of having a minimum number of admins:

        1. Log in to your AWS console with your credentials.
        2. Navigate to the "IAM" (Identity and Access Management) service from the AWS console dashboard.
        3. Click on the "Users" option from the left-hand side menu.
        4. Identify the users who have been assigned the "AdministratorAccess" policy. These users have full access to your AWS account and should be limited to a minimum number.
        5. Remove the "AdministratorAccess" policy from any user who does not require full access to the AWS account. To do this, select the user and click on the "Permissions" tab. Then click on the "Detach Policy" button next to the "AdministratorAccess" policy.
        6. Create a new IAM group with the necessary permissions for users who require access to the AWS account. To create a new group, click on the "Groups" option from the left-hand side menu and then click on the "Create New Group" button. Give the group a name and attach the necessary policies.
        7. Add the required users to the new group. To do this, select the group and click on the "Add Users to Group" button. Select the users you want to add and click on the "Add Users" button.
        8. Ensure that you have a minimum number of users assigned the "AdministratorAccess" policy. This number will depend on your organization's security policies and requirements.

        By following these steps, you can remediate the AWS misconfiguration of having a minimum number of admins.

        #
      </Accordion>

      <Accordion title="Using CLI">
        The misconfiguration in this case is that there are too many AWS Admins in the account. To remediate this issue, follow these steps using AWS CLI:

        1. Identify the number of AWS Admins in your account by running the following command:

           ```
           aws iam list-users --query 'Users[?contains(PermissionsBoundary.PermissionsBoundaryType, `PermissionsBoundary`) && contains(PermissionsBoundary.PermissionsBoundaryArn, `arn:aws:iam::aws:policy/AdministratorAccess`)].UserName' --output text | wc -l
           ```

        2. Set the maximum number of AWS Admins that should be allowed in your account. For example, if you want to limit the number of AWS Admins to 5, set the maximum number to 5.

        3. Identify the AWS Admin users who should be removed from the account by running the following command:

           ```
           aws iam list-users --query 'Users[?contains(PermissionsBoundary.PermissionsBoundaryType, `PermissionsBoundary`) && contains(PermissionsBoundary.PermissionsBoundaryArn, `arn:aws:iam::aws:policy/AdministratorAccess`)].UserName' --output text | head -n $(($(aws iam list-users --query 'length(Users[?contains(PermissionsBoundary.PermissionsBoundaryType, `PermissionsBoundary`) && contains(PermissionsBoundary.PermissionsBoundaryArn, `arn:aws:iam::aws:policy/AdministratorAccess`)].UserName)' --output text)-5)) | xargs -I {} aws iam detach-user-policy --user-name {} --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
           ```

           This command lists all the AWS Admin users who have the `AdministratorAccess` policy attached to them and removes the `AdministratorAccess` policy from the users who exceed the maximum number of allowed AWS Admins.

        4. Verify that the number of AWS Admins has been reduced to the maximum allowed by running the command in step 1 again.

        By following these steps, you can remediate the misconfiguration of having too many AWS Admins in your account.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the AWS misconfiguration of having a minimum number of admins, you can use the following steps in Python:

        1. First, you need to determine the number of admins in your AWS account. You can use the AWS SDK for Python (boto3) to retrieve the list of IAM users with the "AdministratorAccess" policy attached to their account.

        ```
        import boto3

        client = boto3.client('iam')

        admins = []

        response = client.list_users()

        for user in response['Users']:
            user_policies = client.list_attached_user_policies(UserName=user['UserName'])
            for policy in user_policies['AttachedPolicies']:
                if policy['PolicyName'] == 'AdministratorAccess':
                    admins.append(user['UserName'])
        ```

        2. Once you have the list of admins, you can check if the number of admins meets the minimum requirement. If it does not, you can create a new IAM user with the "AdministratorAccess" policy attached to their account.

        ```
        if len(admins) < MINIMUM_ADMINS:
            new_admin = client.create_user(UserName='new_admin')
            client.attach_user_policy(UserName=new_admin['User']['UserName'], PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess')
        ```

        3. Finally, you can send a notification to the relevant stakeholders informing them of the new admin account and reminding them of the minimum admin requirement.

        ```
        sns = boto3.client('sns')

        message = f"A new admin account has been created for the AWS account. Please ensure that the minimum number of admins ({MINIMUM_ADMINS}) is maintained."
        sns.publish(TopicArn='arn:aws:sns:us-east-1:123456789012:aws-account-notifications', Message=message)
        ```

        Note: Replace `MINIMUM_ADMINS` and `arn:aws:sns:us-east-1:123456789012:aws-account-notifications` with the actual values for your AWS account.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
