Ensure IAM policies are only attached to Groups and Roles

Error: IAM policies are not only attached to Groups and Roles

Bridgecrew Policy ID: BC_AWS_IAM_16
Checkov Check ID: CKV_AWS_40
Bridgecrew Severity: LOW
Prisma Cloud Severity: LOW

IAM policies are not only attached to Groups and Roles

Description

By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.

Assigning privileges at the group or role level reduces the complexity of access management as the number of users increases. Reducing access management complexity may in turn reduce the opportunity for a principal to inadvertently receive or retain excessive privileges.

We recommend that IAM policies are applied directly to groups and roles, but not to users.

Fix - Buildtime

CloudFormation

  • Resource: AWS::IAM::Policy
  • Arguments: Properties.Users

Resources:
  ExamplePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      ...
-     Users:
-       - example_user
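As an added example (not Bridgecrew documentation and not Checkov's own implementation of CKV_AWS_40), the following Python applies the rule above to a CloudFormation template in JSON form using only the standard library: it reports every AWS::IAM::Policy whose Properties.Users is set, which is exactly what the buildtime fix removes. The template, resource names and user name are constructed for the example.

```python
"""Flag AWS::IAM::Policy resources attached directly to IAM users."""
import json

# Constructed sample template (JSON form of a CloudFormation template):
# BadPolicy is attached to a user, GoodPolicy only to a group and a role.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "BadPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "bad",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Users": ["example_user"],
            },
        },
        "GoodPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "good",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Groups": ["example_group"],
                "Roles": [{"Ref": "ExampleRole"}],
            },
        },
        "ExampleRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    }
})


def find_user_attached_policies(template_text):
    """Return {logical_id: users} for every AWS::IAM::Policy whose
    Properties.Users is present and non-empty. An empty dict means the
    template passes the check; an empty Users list is treated as no
    attachment, because nothing is granted to a user by it."""
    template = json.loads(template_text)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        users = resource.get("Properties", {}).get("Users")
        if users:  # entries may be plain names or intrinsics such as {"Ref": ...}
            findings[logical_id] = list(users)
    return findings


if __name__ == "__main__":
    for policy, users in find_user_attached_policies(SAMPLE_TEMPLATE).items():
        print(f"{policy}: attached to users {users}; move to Groups/Roles")
```

Remediation is the fix shown above: delete the Users key and attach the policy to a group or role instead, since an AWS::IAM::Policy needs at least one of Groups, Roles or Users to be meaningful.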