aws-iam-policy-on-users
Ensure IAM policies are attached only to groups or roles
Following this best practice reduces access-management complexity and may in turn reduce the opportunity for a principal to inadvertently receive or retain excessive privileges.
Examples
Insecure Example
# An individual IAM user; the insecure pattern below binds a policy to it directly.
resource "aws_iam_user" "user" {
  name = "test-user"
}
# Customer-managed policy; the JSON document is elided in this example.
resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"
  policy      = "{ ... policy JSON ... }"
}
# Insecure: the policy is attached to a single user rather than to a group or
# role, so the grant is managed per-user and is easy to overlook during reviews
# and offboarding.
resource "aws_iam_user_policy_attachment" "test-attach" {
  user       = aws_iam_user.user.name
  policy_arn = aws_iam_policy.policy.arn
}
# Insecure: the inline policy is bound directly to an individual user (Users).
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: SpecifcUserPolicy
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'   # example scope only; narrow where the workload allows
  # Per-user bindings bypass group/role-based access management.
  Users:
    - !Ref SpecificUser
Secure Example
# Role that will receive the policy; principals assume the role instead of
# holding the permissions directly.
resource "aws_iam_role" "role" {
  name = "test-role"
}
# Customer-managed policy; the JSON document is elided in this example.
resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"
  policy      = "{ ... policy JSON ... }"
}
# Secure: the policy is attached to a role (groups are equally acceptable),
# not to individual users.
resource "aws_iam_policy_attachment" "test" {
  name       = "test"
  # users = [aws_iam_user.user.name] -> Avoid this
  # NOTE(review): aws_iam_policy_attachment manages this policy's attachments
  # exclusively -- entities not listed here are detached on apply. When the
  # policy is also attached elsewhere, prefer the per-entity
  # aws_iam_role_policy_attachment resource.
  roles      = [aws_iam_role.role.name]
  policy_arn = aws_iam_policy.policy.arn
}
# Secure: the inline policy is bound to a group (Groups); access is then
# granted or revoked by changing group membership.
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: SpecifcGroupPolicy
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'   # example scope only; narrow where the workload allows
  Groups:
    - !Ref SpecificGroup