Ensure that a customer managed IAM policy is not directly attached to a user
If a customer managed IAM policy is attached directly to a user, it increases security-management overhead: each user's permissions must be reviewed and changed individually. Attach the policy to a group or a role instead of a user.
Risk Level: Low
Cloud Entity: AWS Managed Policy
CloudGuard Rule ID: D9.CFT.IAM.18
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
AWS_IAM_ManagedPolicy should not have Users
REMEDIATION
From CFT
Remove the AWS::IAM::ManagedPolicy Users property. Attach the policy to a role or a group instead.
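The rule above and its remediation, as an added example that is not CloudGuard's or AWS's own code: a small Python check that walks a CloudFormation template (JSON form, constructed inline) and flags every AWS::IAM::ManagedPolicy resource with a non-empty Users property, plus a remediation pass that applies the fix the page describes by moving the attachment to a group. The resource names (ReportReadPolicyBad, ReportReaderRole, the "<PolicyId>Group" naming convention) and the sample user "alice" are this example's own assumptions; AWS::IAM::Group and AWS::IAM::UserToGroupAddition are real CloudFormation resource types.

```python
import copy
import json

MANAGED_POLICY = "AWS::IAM::ManagedPolicy"

# Constructed sample template (JSON form of a CloudFormation template):
# "ReportReadPolicyBad" is attached straight to a user and should be flagged;
# "ReportReadPolicyGood" is attached to a role and should pass.
TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "ReportReaderRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Principal": {"Service": "lambda.amazonaws.com"},
                         "Action": "sts:AssumeRole"}]
        }
      }
    },
    "ReportReadPolicyBad": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                         "Resource": "arn:aws:s3:::example-reports/*"}]
        },
        "Users": ["alice"]
      }
    },
    "ReportReadPolicyGood": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                         "Resource": "arn:aws:s3:::example-reports/*"}]
        },
        "Roles": [{"Ref": "ReportReaderRole"}]
      }
    }
  }
}
""")


def find_user_attached_policies(template):
    """Logical IDs of AWS::IAM::ManagedPolicy resources that carry a non-empty
    Users property, i.e. the condition "AWS_IAM_ManagedPolicy should not have
    Users" checked by CloudGuard rule D9.CFT.IAM.18."""
    hits = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != MANAGED_POLICY:
            continue
        if resource.get("Properties", {}).get("Users"):
            hits.append(logical_id)
    return hits


def remediate(template):
    """Return a copy in which every flagged policy is re-attached to a group.

    For each flagged policy the Users property is removed, a group with the
    logical ID "<PolicyId>Group" is created (a naming convention chosen for
    this example), the policy's Groups property references that group, and an
    AWS::IAM::UserToGroupAddition puts the original users into it, so their
    effective access is unchanged but is now managed through the group.
    """
    fixed = copy.deepcopy(template)
    resources = fixed["Resources"]
    for logical_id in find_user_attached_policies(template):
        props = resources[logical_id]["Properties"]
        users = props.pop("Users")
        group_id = f"{logical_id}Group"
        resources[group_id] = {"Type": "AWS::IAM::Group", "Properties": {}}
        props.setdefault("Groups", []).append({"Ref": group_id})
        resources[f"{group_id}Membership"] = {
            "Type": "AWS::IAM::UserToGroupAddition",
            "Properties": {"GroupName": {"Ref": group_id}, "Users": users},
        }
    return fixed


if __name__ == "__main__":
    print("findings:", find_user_attached_policies(TEMPLATE))
    print("after remediation:", find_user_attached_policies(remediate(TEMPLATE)))
```

The check deliberately treats an empty Users list as compliant, matching the "should not have Users" wording; if your policy is that the property must be absent altogether, test for the key instead of its truthiness. A real template with Users given as `{"Ref": ...}` entries is handled the same way, since the values are copied into the group membership unchanged.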
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html
AWS Managed Policy
AWS managed policies are designed to provide permissions for many common use cases. Full-access AWS managed policies such as AmazonDynamoDBFullAccess and IAMFullAccess define permissions for service administrators by granting full access to a service. Power-user AWS managed policies such as AWSCodeCommitPowerUser and AWSKeyManagementServicePowerUser are designed for power users. Partial-access AWS managed policies such as AmazonMobileAnalyticsWriteOnlyAccess and AmazonEC2ReadOnlyAccess provide specific levels of access to AWS services without granting permissions at the permissions-management access level. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated over 1 year ago