Ensure that IAM policy is not directly attached to a user
If an IAM policy is attached directly to a user, it increases the security management overhead: permissions must be tracked and reviewed per user rather than per group or role. Attach the policy to a group or a role instead of a user.
Risk Level: Low
Cloud Entity: AWS IAM Policy
CloudGuard Rule ID: D9.CFT.IAM.17
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
AWS_IAM_Policy should not have Users
REMEDIATION
From CFT
Remove the AWS::IAM::Policy Users property. Attach the policy to a role or a group instead.
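The GSL logic and the remediation above, worked through as an added example (not CloudGuard's or Spectral's own code): a small checker that flags AWS::IAM::Policy resources in a CloudFormation template with a non-empty Users property, and a remediation step that drops Users and attaches the policy to an existing group instead. The template, its logical IDs (DeployUser, DeployGroup, DeployRole, BadPolicy, GoodPolicy) and the choice to treat an empty Users list as compliant are constructed assumptions for this example.

```python
import json
from copy import deepcopy

# Constructed sample template (JSON form of a CFT): one policy wrongly attached to
# a user ("BadPolicy") and one correctly attached to a role ("GoodPolicy").
TEMPLATE_JSON = r'''{
  "Resources": {
    "DeployUser":  {"Type": "AWS::IAM::User"},
    "DeployGroup": {"Type": "AWS::IAM::Group"},
    "DeployRole":  {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {}}},
    "BadPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "deploy-inline",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
        "Users": [{"Ref": "DeployUser"}]}},
    "GoodPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "deploy-inline",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
        "Roles": [{"Ref": "DeployRole"}]}}
  }
}'''

def find_user_attached_policies(template: dict) -> list:
    """Logical IDs of AWS::IAM::Policy resources with a non-empty Users list,
    i.e. the GSL check 'AWS_IAM_Policy should not have Users'. An absent or
    empty Users property is treated as compliant (assumption made here)."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        if resource.get("Properties", {}).get("Users"):
            findings.append(logical_id)
    return findings

def reattach_to_group(template: dict, policy_id: str, group_id: str) -> dict:
    """Copy of the template with the policy's Users removed and a Group added:
    the page's remediation (attaching via the Roles property works the same)."""
    fixed = deepcopy(template)
    props = fixed["Resources"][policy_id]["Properties"]
    props.pop("Users", None)
    props.setdefault("Groups", []).append({"Ref": group_id})
    return fixed

if __name__ == "__main__":
    tpl = json.loads(TEMPLATE_JSON)
    print("non-compliant:", find_user_attached_policies(tpl))  # ['BadPolicy']
    fixed = reattach_to_group(tpl, "BadPolicy", "DeployGroup")
    print("after fix:", find_user_attached_policies(fixed))    # []
```

The same walk over Resources can be run against a YAML template once it is parsed into a dict; only the loader changes.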
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html
AWS IAM Policy
You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Compliance Frameworks
- AWS CloudFormation ruleset