AWS IAM Policy Attached To Users

This policy identifies IAM policies attached directly to users. By default, IAM users, groups, and roles have no access to AWS resources; IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be attached to groups and roles rather than to individual users, so that permissions are managed centrally and can be reviewed and revoked per group or role.

Policy Details

Policy Subtype
Run, Build
Severity
Low
Template Type
Terraform, CloudFormation

Build Rules

AWS IAM policy attached to users.
JSON Queries:
CloudFormation
$.Resources.*[?(@.Type=='AWS::IAM::Policy')].Properties.Users exists and $.Resources.*[?(@.Type=='AWS::IAM::Policy')].Properties.Users[*] is not empty
Terraform
$.resource[*].aws_iam_policy_attachment[*].*[*].users exists and $.resource[*].aws_iam_policy_attachment[*].*[*].users[*] is not empty
Recommendations:
  • CloudFormation
    Recommended solution for not having IAM policies attached to Users.
    It is recommended that IAM policies not be attached to users. Make sure that either the "Users" attribute does not exist or it is empty.
    For example:
    "Properties": {
      "PolicyName": "root",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ]
      },
      "Users": [ ]
    }
  • Terraform
    Recommended solution for making sure IAM policy is not applied to users.
    It is recommended that IAM policies be applied directly to groups and roles but not users. Please make sure your template does not have "users" attribute under "aws_iam_policy_attachment" block.
    For example:
    "aws_iam_policy_attachment": [ {
      "<iam_policy_attachment_name>": [ {
        "groups": [ "${aws_iam_group.group.name}" ],
        "name": "test-attachment",
        "policy_arn": "${aws_iam_policy.policy.arn}",
        "roles": [ "${aws_iam_role.role.name}" ]
      } ]
    } ]
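The two build-rule queries above, implemented as a small offline template check (an added example, not Prisma Cloud's own code). It walks a constructed CloudFormation template and a constructed Terraform config in the list-of-blocks JSON layout the page's $.resource[*] query path assumes, and reports only the resources whose user list exists and is non-empty, which is exactly the condition each query expresses.

```python
import json
from typing import Dict, List

# Constructed CloudFormation template: one policy attached directly to a user
# (flagged) and one attached only to a group with an empty Users list (compliant).
SAMPLE_CFN = json.loads('''{"Resources": {
  "BadPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
     "PolicyName": "root", "Users": ["alice"],
     "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}},
  "GoodPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
     "PolicyName": "ops", "Users": [], "Groups": ["ops"],
     "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}},
  "Bucket": {"Type": "AWS::S3::Bucket"}}}''')

# Constructed Terraform config in the list-of-blocks JSON layout that the page's
# $.resource[*].aws_iam_policy_attachment[*].*[*] query path walks (an assumption).
SAMPLE_TF = json.loads('''{"resource": [{"aws_iam_policy_attachment": [
  {"bad-attachment": [{"name": "bad", "users": ["${aws_iam_user.alice.name}"],
                       "policy_arn": "${aws_iam_policy.policy.arn}"}]},
  {"good-attachment": [{"name": "good", "groups": ["${aws_iam_group.group.name}"],
                        "policy_arn": "${aws_iam_policy.policy.arn}"}]}]}]}''')


def cfn_policies_with_users(template: Dict) -> List[str]:
    """Logical IDs of AWS::IAM::Policy resources whose Users list exists and is non-empty."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        # An absent Users key and an empty list both satisfy the rule.
        if res.get("Properties", {}).get("Users"):
            findings.append(logical_id)
    return findings


def tf_attachments_with_users(config: Dict) -> List[str]:
    """Names of aws_iam_policy_attachment blocks that carry a non-empty users list."""
    findings = []
    for block in config.get("resource", []):
        for attachment in block.get("aws_iam_policy_attachment", []):
            for name, bodies in attachment.items():
                if any(body.get("users") for body in bodies):
                    findings.append(name)
    return findings


if __name__ == "__main__":
    print("CloudFormation:", cfn_policies_with_users(SAMPLE_CFN))  # ['BadPolicy']
    print("Terraform:", tf_attachments_with_users(SAMPLE_TF))      # ['bad-attachment']
```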

Run Rule Recommendation

  1. Sign in to the AWS Console.
  2. Navigate to the 'IAM' service.
  3. Identify the users that were specifically assigned to the reported IAM policy.
  4. If a group with a similar policy already exists, put the user into that group. If such a group does not exist, create a new group with relevant policy and assign the user to the group.

Compliance

There are 13 standards that are applicable to this policy:
  • HIPAA
  • MITRE ATT&CK [Beta]
  • NIST 800-171 Rev1
  • CIS v1.2.0 (AWS)
  • NIST 800-53 Rev4
  • HITRUST CSF v9.3
  • NIST CSF
  • ISO 27001:2013
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • PIPEDA
  • CCPA 2018
