Skip to content

IAM policies should not be granted directly to users.

Default Severity: low

Explanation

CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.

Possible Impact

Complex access control is difficult to manage and maintain.

Suggested Resolution

Grant policies at the group level instead.

Insecure Example

The following example will fail the aws-iam-no-user-attached-policies check.

resource "aws_iam_user" "jim" {
  name = "jim"
}

resource "aws_iam_user_policy" "ec2policy" {
  name = "test"
  user = aws_iam_user.jim.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

Secure Example

The following example will pass the aws-iam-no-user-attached-policies check.

resource "aws_iam_group" "developers" {
  name = "developers"
  path = "/users/"
}

resource "aws_iam_user" "jim" {
  name = "jim"
}

resource "aws_iam_group_membership" "devteam" {
  name = "developers-team"

  users = [
    aws_iam_user.jim.name,
  ]

  group = aws_iam_group.developers.name
}

resource "aws_iam_group_policy" "ec2policy" {
  name = "test"
  group = aws_iam_group.developers.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}