IAM Group Inline Policies

Query id: a58d1a2d-4078-4b80-855b-84cc3f7f4540
Query name: IAM Group Inline Policies
Platform: CloudFormation
Severity: Medium
Category: Access Control
CWE: 286
URL: Github

Description¶

IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

< De Re

Positive test num. 2 - json file

/span>

AWSTemplateFormatVersion: "2010-09-09" scription: A sample template sources: myuser: Type: AWS::IAM::Group Properties: Path: "/" LoginProfile: Password: myP@ssW0rd class="w">        Policies: - PolicyName: giveaccesstoqueueonly PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sqs:* Resource: - !GetAtt myqueue.Arn - Effect: Deny Action: - sqs:* NotResource: - !GetAtt myqueue.Arn /span>{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "A sample template", "Resources": { "myuser": { "Type": "AWS::IAM::Group", "Properties": { "Path": "/", "LoginProfile": { "Password": "myP@ssW0rd" }, class="w">        "Policies": [ { "PolicyName": "giveaccesstoqueueonly", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:*" ], "Resource": [ "myqueue.Arn" ] }, { "Effect": "Deny", "Action": [ "sqs:*" ], "NotResource": [ "myqueue.Arn" ] } ] } } ] } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileAWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::Group

Negative test num. 2 - json file{
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::Group"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}