IAM users should be members of at least one group¶
Description¶
It is an IAM best practice for permissions to be managed at the group level, and therefore, for policies to be attached to groups - not users. Ensuring that a user belongs to at least one group helps prevent the user’s permissions from being managed separately.
Remediation Steps¶
AWS Console¶
Repeat the steps below for each group you want to add a user to:
Navigate to IAM.
In the left pane, choose Groups and then choose the name of the group you want to add the user to.
Choose the Users tab and then choose Add Users to Group.
Select the check box next to the users you want to add.
Choose Add Users.
AWS CLI¶
To add a user to a group, replace MY_USER_NAME
and MY_GROUP_NAME
with the name of the desired user and group:
aws iam add-user-to-group --user-name MY_USER_NAME --group-name MY_GROUP_NAME
Terraform¶
Ensure that an aws_iam_user resource is attached to an aws_iam_group resource with either aws_iam_user_group_membership or aws_iam_group_membership.
Example Configuration¶
resource "aws_iam_user" "user" {
name = "example-user"
# other required fields here
}
resource "aws_iam_group" "group" {
name = "example-group"
# other required fields here
}
resource "aws_iam_group_membership" "membership" {
name = "example-membership"
users = [
aws_iam_user.user.name,
]
group = aws_iam_group.group.name
}