Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Prevent the creation of IAM users in central landing zone accounts (Management, Log Archive, Audit, Security, Network) to enforce exclusive use of IAM Identity Center for human access and IAM roles for service access.
This control is the account-scoped enforcement complement to AWS-IAM-004, which defines the SCP and the organization-wide identity strategy. The SCP that denies iam:CreateUser, iam:CreateLoginProfile, iam:CreateAccessKey, and iam:UpdateLoginProfile is defined in AWS-IAM-004 and applied at the central accounts OU. This control adds the detective layer: scanning central accounts for any IAM user other than the documented break-glass user (AWS-IAM-008) and treating any additional user as a violation. The only permitted IAM user in any central account is the break-glass user in the Management account.
IAM users carry long-lived credentials that persist until manually rotated, cannot be centrally revoked by removing an IdP group assignment, and do not benefit from Identity Center's session duration limits or centralized MFA enforcement. Central landing zone accounts are the highest-value targets in the organization - credential sprawl in these accounts is disproportionately risky compared to workload accounts.
Remediation Strategy
Inventory all IAM users in central accounts. Migrate each to an Identity Center group assignment. Confirm the SCP from AWS-IAM-004 is attached to the central accounts OU. Delete all non-break-glass IAM users.
Run the detection query below against each central account to list all IAM users.
For each user found (excluding break-glass), identify the owner and migrate access to an IAM Identity Center group assignment.
Delete the IAM user's login profile, access keys, and then the user itself once migrated.
Confirm the SCP from AWS-IAM-004 enforcement_reference is attached to the central accounts OU.
# List all IAM users - any user other than 'break-glass' is a violation
aws iam list-users \
--query "Users[?UserName!='break-glass'].{Name:UserName,Created:CreateDate,LastUsed:PasswordLastUsed}" \
--output table
# Remove a non-compliant user (run per identified user)
USER="example-user"
aws iam delete-login-profile --user-name "${USER}" 2>/dev/null
aws iam list-access-keys --user-name "${USER}" \
--query "AccessKeyMetadata[*].AccessKeyId" --output text | \
tr '\t' '\n' | xargs -I{} aws iam delete-access-key \
--user-name "${USER}" --access-key-id {}
aws iam detach-user-policy --user-name "${USER}" \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess 2>/dev/null
aws iam delete-user --user-name "${USER}"The break-glass IAM user in the Management account (AWS-IAM-008) is the only permitted IAM user in any central account. Detection queries must explicitly exclude UserName='break-glass' from violation findings.
The SCP enforcing this control lives in AWS-IAM-004 and must be applied before this control is considered fully enforced. This control contributes only the detective and remediation layers. The user deletion script removes login profiles, access keys, and attached policies before deleting the user - skipping any of these steps will cause the delete-user call to fail with a DeleteConflict error. Run the audit against each central account separately by switching profiles or using aws sts assume-role before each invocation.