AWS IAM policy attached to users
Description
This policy identifies IAM policies attached directly to users. By default, IAM users, groups, and roles have no access to AWS resources; IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied to groups rather than directly to users, so that permissions are managed per role or function instead of per individual.
Code Example
```hcl
# Fails the check: the policy is attached directly to a user.
resource "aws_iam_policy_attachment" "fail" {
  name       = "example"
  policy_arn = aws_iam_policy.policy.arn
  users      = ["example"]
}
```
Remediation
Terraform
To fix this issue, ensure that IAM policies are not directly attached to users. Instead, attach the policies to groups or roles.
Example:
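The remediated configuration, as an added example rather than the page's own code: the same policy is attached to a group and the user receives it through group membership. Resource names and the bucket ARN are placeholders.

```hcl
# Policy whose privileges need to be granted (placeholder statement).
resource "aws_iam_policy" "policy" {
  name = "example"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:ListBucket"]
      Resource = "arn:aws:s3:::example-bucket" # placeholder bucket
    }]
  })
}

# The group, not the individual user, carries the privileges.
resource "aws_iam_group" "example" {
  name = "example"
}

# Passes the check: the policy is attached to the group.
# (An aws_iam_policy_attachment that lists only groups/roles and no
# users would also pass.)
resource "aws_iam_group_policy_attachment" "pass" {
  group      = aws_iam_group.example.name
  policy_arn = aws_iam_policy.policy.arn
}

# The user inherits the permissions through group membership.
resource "aws_iam_user" "example" {
  name = "example"
}

resource "aws_iam_user_group_membership" "example" {
  user   = aws_iam_user.example.name
  groups = [aws_iam_group.example.name]
}
```

Removing a user from the group revokes the access in one place, which is the operational benefit the rule is protecting.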
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0094 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_40 |