IAM Policies Without Groups

Query id: 5e7acff5-095b-40ac-9073-ac2e4ad8a512
Query name: IAM Policies Without Groups
Platform: CloudFormation
Severity: Low
Category: Best Practices
URL: Github

Description¶

IAM policy should not apply directly to users, should be with a group
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - yaml file

 De Re

Postitive test num. 2 - json file

AWSTemplateFormatVersion: "2010-09-09" scription: A sample template sources: myuser: Type: AWS::IAM::Policy Properties: Path: "/" LoginProfile: Password: myP@ssW0rd Policies: - PolicyName: giveaccesstoqueueonly PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sqs:* Resource: - !GetAtt myqueue.Arn - Effect: Deny Action: - sqs:* NotResource: - !GetAtt myqueue.Arn class="w">          Users: - existinguser1 - existinguser2 { "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", "Resources": { "myuser": { "Type": "AWS::IAM::Policy", "Properties": { "Path": "/", "LoginProfile": { "Password": "myP@ssW0rd" }, "Policies": [ { "PolicyName": "giveaccesstoqueueonly", "PolicyDocument": { "Statement": [ { "Effect": "Allow", "Action": [ "sqs:*" ], "Resource": [ "myqueue.Arn" ] }, { "Effect": "Deny", "Action": [ "sqs:*" ], "NotResource": [ "myqueue.Arn" ] } ], "Version": "2012-10-17" }, class="w">            "Users": [ "existinguser1", "existinguser2" ] } ] } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileAWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::Policy
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
        Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - sqs:*
              Resource:
              - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
              - sqs:*
              NotResource:
              - !GetAtt myqueue.Arn
          Groups:
            - myexistinggroup1

Negative test num. 2 - json file{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Statement": [
                {
                  "Resource": [
                    "myqueue.Arn"
                  ],
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    "myqueue.Arn"
                  ]
                }
              ],
              "Version": "2012-10-17"
            },
            "Groups": [
              "myexistinggroup1"
            ]
          }
        ],
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        }
      }
    }
  }
}