IAM policies should not be attached to users
Description
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing that complexity may in turn reduce the opportunity for a principal to inadvertently receive, or retain, excessive privileges.
Remediation Steps
AWS Console
Navigate to IAM.
In the left navigation, select User groups.
Click the Create group button.
Enter a name for the group and click Next.
Select the desired users to add to the group.
From the policy list, select each policy that you want to apply to all members in that group.
Click Create group.
In the left navigation, select Users.
Select a user from the list.
In the Permissions tab, remove any policies that are attached directly to the user.
Repeat the above steps for all users.
AWS CLI
To create a new group:
aws iam create-group --group-name <group name>
To attach a policy to the group:
aws iam attach-group-policy --group-name <group name> --policy-arn <ARN>
To add users to the group:
aws iam add-user-to-group --user-name <user name> --group-name <group name>
To detach a managed policy attached to a user:
aws iam detach-user-policy --user-name <user name> --policy-arn <ARN>
To delete an inline policy attached to a user:
aws iam delete-user-policy --user-name <user name> --policy-name <policy name>
CloudFormation
JSON
Ensure that the CloudFormation template does NOT contain either of the following:
An AWS::IAM::User with a Policies field.
An AWS::IAM::Policy with a Users field.
Instead, declare an IAM policy via one of the following methods:
An AWS::IAM::Group with a Policies field.
An AWS::IAM::Role with a Policies field.
An AWS::IAM::Policy with a Groups or Roles field.
JSON Example Configuration
{
  "Group01": {
    "Type": "AWS::IAM::Group"
  },
  "ValidPolicy01": {
    "Type": "AWS::IAM::Policy",
    "Properties": {
      "Groups": [
        { "Ref" : "Group01" }
      ],
      "PolicyName": "valid_policy_01",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": [
            "ec2:StartInstances"
          ],
          "Resource": [
            "*"
          ]
        }
      }
    }
  }
}
Other required template fields are omitted from this example.
YAML
Ensure that the CloudFormation template does NOT contain either of the following:
An AWS::IAM::User with a Policies field.
An AWS::IAM::Policy with a Users field.
Instead, declare an IAM policy via one of the following methods:
An AWS::IAM::Group with a Policies field.
An AWS::IAM::Role with a Policies field.
An AWS::IAM::Policy with a Groups or Roles field.
YAML Example Configuration
Group01:
  Type: AWS::IAM::Group
  # other required fields here
ValidPolicy01:
  Type: AWS::IAM::Policy
  Properties:
    Groups:
      - !Ref Group01
    PolicyName: valid_policy_01
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        Effect: Allow
        Action:
          - 'ec2:StartInstances'
        Resource:
          - '*'
# other required fields here
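As an added check for the JSON and YAML rules above (example code, not part of the original page), the script below flags the two forbidden resource shapes in a parsed CloudFormation template. The sample template is constructed for this example; a YAML template loaded with a YAML parser yields the same dict shape and can be passed to the same function.

```python
import json

# Resource types and fields the rule forbids: inline policies on a user, and a
# policy resource that lists users directly.
FORBIDDEN = {"AWS::IAM::User": "Policies", "AWS::IAM::Policy": "Users"}


def find_user_attached_policies(template):
    """Return (logical_id, type, field) for each resource that attaches a policy
    directly to an IAM user; an empty list means the template passes."""
    findings = []
    resources = template.get("Resources", template)  # also accept a bare Resources map
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict):
            continue
        field = FORBIDDEN.get(resource.get("Type"))
        props = resource.get("Properties") or {}
        # An empty list attaches nothing, so only a non-empty value is a finding.
        if field and props.get(field):
            findings.append((logical_id, resource["Type"], field))
    return findings


# Constructed sample: the group-scoped policy from the example above passes;
# User01 and BadPolicy01 are constructed here to show what the check flags.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "Group01": {"Type": "AWS::IAM::Group"},
    "ValidPolicy01": {"Type": "AWS::IAM::Policy", "Properties": {
      "Groups": [{"Ref": "Group01"}], "PolicyName": "valid_policy_01",
      "PolicyDocument": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["ec2:StartInstances"], "Resource": ["*"]}}}},
    "User01": {"Type": "AWS::IAM::User", "Properties": {
      "Policies": [{"PolicyName": "inline_01", "PolicyDocument": {}}]}},
    "BadPolicy01": {"Type": "AWS::IAM::Policy", "Properties": {
      "Users": [{"Ref": "User01"}], "PolicyName": "bad_policy_01", "PolicyDocument": {}}}
  }
}""")

if __name__ == "__main__":
    for logical_id, rtype, field in find_user_attached_policies(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {rtype} sets {field}; move the policy to a group or role")
```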
Terraform
Ensure that IAM policy definitions are not declared inline on aws_iam_user resources or through aws_iam_user_policy resources, and that aws_iam_policy resources are not attached to aws_iam_user resources. Instead, declare IAM policy definitions inline with aws_iam_group_policy and aws_iam_role_policy resources, or attach aws_iam_policy resources to aws_iam_group and aws_iam_role resources.
Example Configuration
resource "aws_iam_group_policy" "example" {
  name   = "my_group_policy"
  group  = aws_iam_group.my_group.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:ListAllMyBuckets",
        ]
        Effect   = "Deny"
        Resource = "*" # identity-based policy statements must specify a Resource
      },
    ]
  })
  # other required fields here
}

resource "aws_iam_group" "my_group" {
  name = "my_group"
  path = "/users/"
}