Ensure cloud users don't have any direct permissions in AWS IAM User Policy

MEDIUM

Description

Cloud users have permissions attached directly through an inline IAM user policy (aws_iam_user_policy) rather than inheriting them from a group. Per-user inline policies increase the attack surface of your AWS account because each one must be discovered, reviewed and revoked individually.

Remediation

AWS recommends attaching permissions to a group and adding the user to that group, rather than attaching policies directly to the user, for easier permission management.

In AWS Console -

  1. Sign in to the AWS Console and open the IAM Console.
  2. Under Access Management, select Users.
  3. Choose the user you wish to edit.
  4. Remove any inline permission policies and add the user to the designated group.

In Terraform -
Rather than using the aws_iam_user_policy resource to attach an inline policy directly to a user, attach the policy to a group (aws_iam_group_policy) and use aws_iam_group_membership to place the user in that group.
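The following configuration is an added illustration, not part of the original rule text or of any project's code. It shows the inline user policy this rule flags beside the group-based form that remediates it. The user name, group name and bucket ARN are constructed placeholders.

```hcl
# Added example (not from the original rule page). Placeholders: the user
# "alice", the group "s3-readers" and the bucket "example-reports".

# One policy document, referenced below so both halves grant identical access.
data "aws_iam_policy_document" "s3_read" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-reports",   # constructed placeholder bucket
      "arn:aws:s3:::example-reports/*",
    ]
  }
}

resource "aws_iam_user" "alice" {
  name = "alice"
}

# --- Non-compliant: inline policy attached directly to the user -------------
# This is the pattern AC_AWS_0470 reports. The permissions live only on this
# one user object, so every user has to be audited and edited on its own.
resource "aws_iam_user_policy" "alice_inline" {
  name   = "alice-s3-read"
  user   = aws_iam_user.alice.name
  policy = data.aws_iam_policy_document.s3_read.json
}

# --- Compliant: same permissions on a group, user added as a member ---------
resource "aws_iam_group" "readers" {
  name = "s3-readers"
}

# The policy is attached to the group; every member inherits it, and
# revoking access becomes a membership change instead of a per-user edit.
resource "aws_iam_group_policy" "readers_s3_read" {
  name   = "s3-readers-read-only"
  group  = aws_iam_group.readers.name
  policy = data.aws_iam_policy_document.s3_read.json
}

# Replaces aws_iam_user_policy above: add the user to the group instead.
resource "aws_iam_group_membership" "readers_members" {
  name  = "s3-readers-membership"
  group = aws_iam_group.readers.name
  users = [aws_iam_user.alice.name]
}
```

In a real remediation the aws_iam_user_policy block is deleted rather than kept alongside the group resources; a `terraform plan` should then show the inline policy being destroyed while the group, group policy and membership are created, with no change to the user's effective S3 access.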

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership

Policy Details

Rule Reference ID: AC_AWS_0470
CSP: AWS
Remediation Available: No
Resource Type: Policy

Frameworks