Ensure all IAM users are members of at least one IAM group

Error: Not all IAM users are members of at least one IAM group

Bridgecrew Policy ID: BC_AWS_IAM_62
Checkov Check ID: CKV2_AWS_21
Severity: LOW

Description

It is generally a best practice to assign all IAM users to at least one IAM group. This can help to ensure that each user has the necessary permissions to perform their tasks and responsibilities.

By assigning users to groups, you can more easily manage the permissions for those users. For example, if you need to change the permissions for a group of users, you can simply update the group's policy rather than updating the policies for each individual user.

Fix - Buildtime

Terraform

  • Resource: aws_iam_group_membership, aws_iam_group, aws_iam_user
  • Argument: users and group of aws_iam_group_membership

resource "aws_iam_group_membership" "ok_group" {
  name = "tf-testing-group-membership"

  users = [
    aws_iam_user.user_good.name,
  ]

  group = aws_iam_group.group.name
}

resource "aws_iam_group" "group" {
  name = "test-group"
}

resource "aws_iam_user" "user_good" {
  name = "test-user"
}
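The logic behind this check, written out as an added illustration (this is not Checkov's own implementation of CKV2_AWS_21 and it does not parse HCL): Terraform resources are modelled as plain dicts that mirror the arguments above, every user referenced by a membership resource is collected, and any aws_iam_user left over is reported. It goes slightly beyond the page by also accepting the per-user aws_iam_user_group_membership form (an assumption about how a practitioner would want to cover both resource types); the sample resources, including the orphaned "orphan-user", are constructed here for the demonstration.

```python
"""Illustrative buildtime check: flag IAM users that belong to no IAM group.

Not Checkov's own code. Resources are given as dicts with the shape
{"type": ..., "name": ..., "config": {...}} rather than parsed from HCL.
"""

from typing import Dict, List

# Constructed sample: three users, one group, two membership resources.
# "user_orphan" appears in no membership resource and should be flagged.
SAMPLE_RESOURCES: List[Dict] = [
    {"type": "aws_iam_group", "name": "group", "config": {"name": "test-group"}},
    {"type": "aws_iam_user", "name": "user_good", "config": {"name": "test-user"}},
    {"type": "aws_iam_user", "name": "user_direct", "config": {"name": "direct-user"}},
    {"type": "aws_iam_user", "name": "user_orphan", "config": {"name": "orphan-user"}},
    {
        "type": "aws_iam_group_membership",
        "name": "ok_group",
        "config": {
            "name": "tf-testing-group-membership",
            "users": ["${aws_iam_user.user_good.name}"],
            "group": "${aws_iam_group.group.name}",
        },
    },
    # Per-user form. Assumption: the check should also honour
    # aws_iam_user_group_membership; the page only shows aws_iam_group_membership.
    {
        "type": "aws_iam_user_group_membership",
        "name": "direct",
        "config": {
            "user": "${aws_iam_user.user_direct.name}",
            "groups": ["${aws_iam_group.group.name}"],
        },
    },
]


def _resolve_user(value: str, users_by_address: Dict[str, str]) -> str:
    """Map a Terraform reference or literal to an IAM user name.

    "${aws_iam_user.x.name}" or "aws_iam_user.x.name" resolve through the
    declared user resources; any other string is treated as a literal name.
    """
    ref = value.strip()
    if ref.startswith("${") and ref.endswith("}"):
        ref = ref[2:-1].strip()
    parts = ref.split(".")
    if len(parts) == 3 and parts[0] == "aws_iam_user" and parts[2] in ("name", "id"):
        return users_by_address.get(f"{parts[0]}.{parts[1]}", ref)
    return ref


def users_without_group(resources: List[Dict]) -> List[str]:
    """Return the names of aws_iam_user resources no membership resource references."""
    users_by_address = {
        f"{r['type']}.{r['name']}": r["config"].get("name", r["name"])
        for r in resources
        if r["type"] == "aws_iam_user"
    }
    grouped = set()
    for r in resources:
        cfg = r["config"]
        if r["type"] == "aws_iam_group_membership":
            # Group-centric form: one group, a list of users.
            for user in cfg.get("users", []):
                grouped.add(_resolve_user(user, users_by_address))
        elif r["type"] == "aws_iam_user_group_membership":
            # User-centric form: one user, a list of groups; an empty
            # groups list does not count as membership.
            if cfg.get("user") and cfg.get("groups"):
                grouped.add(_resolve_user(cfg["user"], users_by_address))
    return sorted(name for name in users_by_address.values() if name not in grouped)


def check_result(resources: List[Dict]) -> str:
    """Overall verdict in Checkov's PASSED/FAILED vocabulary."""
    return "FAILED" if users_without_group(resources) else "PASSED"


if __name__ == "__main__":
    print(check_result(SAMPLE_RESOURCES), users_without_group(SAMPLE_RESOURCES))
```

Running the block as-is reports FAILED with "orphan-user" as the offending user; dropping that resource, or adding it to a membership resource, turns the verdict to PASSED.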