
aws-iam-policy-on-users

Ensure IAM policies are attached only to groups or roles

Following this best practice reduces access-management complexity, which in turn reduces the opportunity for a principal to inadvertently receive or retain excessive privileges. Granting permissions only through group membership or role assumption keeps every grant visible in one place and revocable by removing the membership, whereas per-user attachments are easy to overlook in reviews and tend to outlive the need that justified them.

Examples

Insecure Example

# Insecure: the managed policy is attached directly to an IAM user
# (aws_iam_user_policy_attachment), which is what this check flags.
resource "aws_iam_user" "user" {
  name = "test-user"
}

# Placeholder policy document. The statement content is not what the
# check evaluates; only the attachment target below matters.
resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"
  policy      = "{ ... policy JSON ... }"
}

# Direct user attachment -> flagged. Attach the policy to a group or a
# role instead and grant the user access via membership / assumption.
resource "aws_iam_user_policy_attachment" "test-attach" {
  user       = aws_iam_user.user.name
  policy_arn = aws_iam_policy.policy.arn
}
# Insecure: this inline AWS::IAM::Policy is bound directly to a user via
# the Users property, which is what this check flags.
# Fragment: resource body only; the logical ID and the enclosing
# Resources: key are omitted.
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: SpecifcUserPolicy
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        # Illustrative action list; the check evaluates the principal
        # binding below, not the statement content.
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'
  # Direct user binding -> flagged. Use Groups or Roles instead.
  Users:
    - !Ref SpecificUser

Secure Example

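# Secure: permissions are granted through a role and never attached to a
# user. Principals obtain them by assuming the role (or, equivalently,
# through group membership with aws_iam_group_policy_attachment).
resource "aws_iam_role" "role" {
  name = "test-role"
  # Trust policy: who may assume this role. The argument is required by
  # the AWS provider; scope the Principal to the intended identities
  # rather than "*".
  assume_role_policy = "{ ... trust policy JSON ... }"
}

# Placeholder policy document. The statement content is not what the
# check evaluates; only the attachment target below matters.
resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"
  policy      = "{ ... policy JSON ... }"
}

# One attachment per role. Prefer aws_iam_role_policy_attachment over
# aws_iam_policy_attachment: the latter manages the policy's attachments
# exclusively and detaches it from every user, group or role not listed
# in that single resource, which silently breaks grants made elsewhere.
# Never attach to a user (aws_iam_user_policy_attachment, or a `users`
# list on aws_iam_policy_attachment) -> that is what this check flags.
resource "aws_iam_role_policy_attachment" "test" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}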
# Secure: this inline AWS::IAM::Policy is bound to a group via the Groups
# property. Users receive the permissions through group membership and
# lose them when removed from the group, so no per-user grant exists.
# Fragment: resource body only; the logical ID and the enclosing
# Resources: key are omitted.
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: SpecifcGroupPolicy
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        # Illustrative action list; the check evaluates the principal
        # binding below, not the statement content.
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'
  # Bind to Groups (or Roles), never Users.
  Groups:
    - !Ref SpecificGroup

More information