Ensure IAM policies are only attached to Groups and Roles
Error: IAM policies are not only attached to Groups and Roles
Bridgecrew Policy ID: BC_AWS_IAM_16
Checkov Check ID: CKV_AWS_40
Bridgecrew Severity: LOW
Prisma Cloud Severity: LOW
By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users increases. Reducing access management complexity in turn reduces the opportunity for a principal to inadvertently receive or retain excessive privileges, because every grant has to be made, and later revoked, in one place rather than per user.
We recommend that IAM policies are applied directly to groups and roles, but not to users.
Fix - Buildtime
- Resource: AWS::IAM::Policy
- Arguments: Properties.Users
Remove the Users property from the policy (the lines marked with a leading - below) and attach the policy through Groups or Roles instead:

Resources:
  ExamplePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      ...
-     Users:
-       - example_user
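The check and the fix above, as an added example that is not Bridgecrew's or Checkov's own code: a small Python function that applies the page's condition (an AWS::IAM::Policy resource with a non-empty Properties.Users list fails) to a CloudFormation template held as a Python dict, and a remediation that drops the user attachment, creates a group, puts the former users in it with AWS::IAM::UserToGroupAddition, and attaches the policy to that group. The template, the policy document, and the names example_user, ExampleGroup and example-group are constructed for the illustration; the real Checkov check covers more resource types than this simplified stand-in.

```python
"""Added example, not Bridgecrew/Checkov code: a minimal CKV_AWS_40-style check
over a CloudFormation template (as a dict), plus a group-based remediation.
All resource names and the template itself are constructed for illustration."""
import copy

# Constructed template: the policy is attached directly to a user, which is the
# condition CKV_AWS_40 flags.
BAD_TEMPLATE = {
    "Resources": {
        "ExampleUser": {
            "Type": "AWS::IAM::User",
            "Properties": {"UserName": "example_user"},
        },
        "ExamplePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "example-policy",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}
                    ],
                },
                "Users": ["example_user"],  # direct user attachment -> FAILED
            },
        },
    }
}


def check_ckv_aws_40(template):
    """Return the logical IDs of AWS::IAM::Policy resources that list Users.

    A policy with a non-empty Users list fails; one attached only through
    Groups and/or Roles passes. Other resource types are ignored here."""
    failed = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        users = resource.get("Properties", {}).get("Users")
        if users:
            failed.append(logical_id)
    return failed


def remediate(template, group_logical_id="ExampleGroup", group_name="example-group"):
    """Return a copy of the template with every failing policy re-attached via a group.

    For each failing policy: drop Properties.Users, add a Ref to the new group
    under Properties.Groups, and keep the users' access by adding them to the
    group with AWS::IAM::UserToGroupAddition. The group name and logical ID
    are hypothetical defaults chosen for this example."""
    fixed = copy.deepcopy(template)  # never mutate the caller's template
    resources = fixed["Resources"]
    moved_users = []
    for logical_id in check_ckv_aws_40(fixed):
        props = resources[logical_id]["Properties"]
        moved_users.extend(props.pop("Users"))
        groups = props.setdefault("Groups", [])
        if {"Ref": group_logical_id} not in groups:
            groups.append({"Ref": group_logical_id})
    if moved_users:
        resources[group_logical_id] = {
            "Type": "AWS::IAM::Group",
            "Properties": {"GroupName": group_name},
        }
        resources[group_logical_id + "Membership"] = {
            "Type": "AWS::IAM::UserToGroupAddition",
            "Properties": {
                "GroupName": {"Ref": group_logical_id},
                "Users": sorted(set(moved_users)),
            },
        }
    return fixed


if __name__ == "__main__":
    print("before:", check_ckv_aws_40(BAD_TEMPLATE))             # ['ExamplePolicy']
    print("after: ", check_ckv_aws_40(remediate(BAD_TEMPLATE)))  # []
```

The remediation keeps the users' effective permissions unchanged; only the attachment point moves, so the check passes without silently removing access. In a real template you would review whether the users actually need the policy at all before re-granting it through the group.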