Ensure cloud users don't have any direct permissions in AWS IAM Policy

MEDIUM

Description

Cloud users have direct permissions in an AWS IAM policy. Attaching permissions directly to individual users is overly permissive, hard to audit, and may lead to access to sensitive resources; permissions should be granted through groups (or roles) instead.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the IAM console.
  2. In the Navigation pane, select Policies.
  3. In the list of policies, select the policy to edit.
  4. Select the Permissions tab, and then choose Edit policy.
  5. On the review page, review the changes and click Save.

In Terraform -

  1. Rather than using an aws_iam_user_policy resource, configure the aws_iam_user and aws_iam_group to assign policies.
    For more information on how to effectively write an IAM policy see the AWS and Terraform documentation.
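The Terraform step above, shown as an added example (not part of this rule page or the provider documentation): the flagged `aws_iam_user_policy` resource beside its remediated form, where the same permissions live in a managed `aws_iam_policy` attached to an `aws_iam_group` and the user only inherits them through group membership. All names and the bucket ARN are constructed placeholders.

```hcl
# Shared policy document so the "before" and "after" grant identical permissions.
locals {
  reports_read_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-reports",   # constructed placeholder bucket
        "arn:aws:s3:::example-reports/*",
      ]
    }]
  })
}

resource "aws_iam_user" "analyst" {
  name = "example-analyst" # constructed placeholder user
}

# BEFORE (flagged by this rule): an inline policy bound directly to the user.
# Remove this block when applying the remediation below.
resource "aws_iam_user_policy" "analyst_direct" {
  name   = "analyst-direct-reports-read"
  user   = aws_iam_user.analyst.name
  policy = local.reports_read_policy
}

# AFTER (remediated): permissions are defined once as a managed policy ...
resource "aws_iam_policy" "reports_read" {
  name   = "reports-read-only"
  policy = local.reports_read_policy
}

# ... attached to a group rather than to any individual user ...
resource "aws_iam_group" "analysts" {
  name = "analysts"
}

resource "aws_iam_group_policy_attachment" "analysts_reports_read" {
  group      = aws_iam_group.analysts.name
  policy_arn = aws_iam_policy.reports_read.arn
}

# ... and the user receives the permissions only via group membership,
# so access is granted and revoked by editing membership, not per-user policies.
resource "aws_iam_user_group_membership" "analyst_groups" {
  user   = aws_iam_user.analyst.name
  groups = [aws_iam_group.analysts.name]
}
```

After `terraform apply` of the remediated resources, `aws iam list-user-policies --user-name example-analyst` should return no inline policies, which is the condition this rule checks for.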

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/service_code_examples_iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy

Policy Details

Rule Reference ID: AC_AWS_0431
CSP: AWS
Remediation Available: No
Resource: aws_iam_policy
Resource Type: Policy

Frameworks