Ensure cloud users don't have any direct permissions in AWS IAM User Policy Attachment

MEDIUM

Description

Cloud Users have direct permissions in AWS IAM User Policy Attachment.

Remediation

AWS recommends granting permissions to a group and adding the user to that group, rather than attaching permissions directly to the user, so that user permissions are easier to manage.

In AWS Console -

  1. Sign in to the AWS Console and open the IAM Console.
  2. Under Access Management, select Users.
  3. Choose the user you wish to edit.
  4. Remove any inline permission policies and add the user to the designated group.

In Terraform -
Rather than using the aws_iam_user_policy_attachment resource to attach a policy directly to a user, attach the policy to a group and use aws_iam_group_membership to place the user in that group.
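The following Terraform is an added example, not code from the original page or from any AWS documentation. It shows the pattern this rule flags next to the group-based form the remediation describes; the user, group and policy ARN are illustrative assumptions.

```hcl
# Added example (not part of the original page). Illustrative names throughout.

resource "aws_iam_user" "analyst" {
  name = "analyst"
}

# Flagged pattern (AC_AWS_0433): a policy attached directly to the user.
# Kept here only for comparison; remove it when applying the remediation.
resource "aws_iam_user_policy_attachment" "analyst_direct" {
  user       = aws_iam_user.analyst.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" # assumed policy ARN
}

# Remediated pattern: the policy is attached to a group, and the user is
# placed in that group with aws_iam_group_membership.
resource "aws_iam_group" "analysts" {
  name = "analysts"
}

resource "aws_iam_group_policy_attachment" "analysts_readonly" {
  group      = aws_iam_group.analysts.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" # same assumed policy ARN
}

resource "aws_iam_group_membership" "analysts" {
  name  = "analysts-membership"
  group = aws_iam_group.analysts.name
  users = [aws_iam_user.analyst.name]
}
```

With the direct attachment removed, every permission the user holds is visible from the group's policy attachments, so adding, auditing or revoking access is done once at the group rather than per user.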

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership

Policy Details

Rule Reference ID: AC_AWS_0433
CSP: AWS
Remediation Available: No
Resource Type: Policy

Frameworks