
Not all IAM users are members of at least one IAM group

Description

It is generally a best practice to assign all IAM users to at least one IAM group. This can help to ensure that each user has the necessary permissions to perform their tasks and responsibilities. By assigning users to groups, you can more easily manage the permissions for those users. For example, if you need to change the permissions for a group of users, you can simply update the group's policy rather than updating the policies for each individual user.

Code Example

```hcl
# Compliant: the user is attached to a group through aws_iam_group_membership,
# so its permissions are managed at the group level.
resource "aws_iam_group_membership" "ok_group" {
  name = "tf-testing-group-membership"

  users = [
    aws_iam_user.user_good.name,
  ]

  group = aws_iam_group.group.name
}

resource "aws_iam_group" "group" {
  name = "test-group"
}

resource "aws_iam_user" "user_good" {
  name = "test-user"
}
```

Remediation

Terraform

  • Resource: aws_iam_group_membership, aws_iam_group, aws_iam_user
  • Arguments: `users` and `group` of aws_iam_group_membership
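The following is an added example, not part of this page or of Checkov itself: it applies the same rule to the JSON output of `terraform show -json` (the TerraformPlan framework listed below), reporting every `aws_iam_user` whose name is not listed in any `aws_iam_group_membership` or `aws_iam_user_group_membership`. The plan content is constructed and includes one user that should fail the check.

```python
"""Find IAM users in a Terraform plan JSON that belong to no IAM group."""
import json

# Constructed sample in the shape of `terraform show -json plan.out`,
# trimmed to the fields this check reads. "lonely-user" has no membership.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"type": "aws_iam_user", "address": "aws_iam_user.user_good",
         "values": {"name": "test-user"}},
        {"type": "aws_iam_user", "address": "aws_iam_user.user_bad",
         "values": {"name": "lonely-user"}},
        {"type": "aws_iam_group", "address": "aws_iam_group.group",
         "values": {"name": "test-group"}},
        {"type": "aws_iam_group_membership",
         "address": "aws_iam_group_membership.ok_group",
         "values": {"name": "tf-testing-group-membership",
                    "group": "test-group", "users": ["test-user"]}},
    ]}}
})


def _walk(module):
    """Yield resources from a module and all of its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def users_without_group(plan_json: str) -> list[str]:
    """Return addresses of aws_iam_user resources that no membership
    resource (group or user-group membership) references by name."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    users = {}       # user name -> resource address
    grouped = set()  # user names that appear in some membership
    for res in _walk(root):
        vals = res.get("values") or {}
        if res["type"] == "aws_iam_user":
            users[vals.get("name")] = res["address"]
        elif res["type"] == "aws_iam_group_membership":
            grouped.update(vals.get("users") or [])
        elif res["type"] == "aws_iam_user_group_membership":
            if vals.get("user"):
                grouped.add(vals["user"])
    return sorted(addr for name, addr in users.items() if name not in grouped)


if __name__ == "__main__":
    for addr in users_without_group(SAMPLE_PLAN):
        print(f"FAILED CKV2_AWS_21: {addr} is not a member of any IAM group")
```

Values that are only known after apply are omitted from `planned_values`, so a membership whose `users` list is still unresolved would make its users look ungrouped; run the check on a plan where those references resolve, or against the state after apply.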

Rule Details

| Field | Value |
|---|---|
| ID | IAC-0458 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_21 |

References