User with IAM Role

  • Query id: 704fcc44-a58f-4af5-82e2-93f2a58ef918
  • Query name: User with IAM Role
  • Platform: Terraform
  • Severity: Low
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

As a best practice, it is better to assign an IAM role to a group than to an individual user: group membership is managed in one place, and bindings do not have to be edited when people join or leave.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
data "google_iam_policy" "positive" {
  binding {
    role = "roles/apigee.runtimeAgent"

    members = [
      "user:jane@example.com",
    ]
  }
}
Positive test num. 2 - tf file
resource "google_project_iam_binding" "positive2" {
  project = "your-project-id"
  role    = "roles/container.admin"

  members = [
    "user:jane@example.com",
  ]

  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}

resource "google_project_iam_member" "positive3" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
data "google_iam_policy" "negative" {
  binding {
    role = "roles/apigee.runtimeAgent"

    members = [
      "group:jane@example.com",
    ]
  }
}
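As an added example, not part of the KICS query or its documentation, the following Python script applies this check's logic to the Terraform samples above: it walks `data "google_iam_policy"`, `google_project_iam_binding` and `google_project_iam_member` blocks and reports every `member` / `members` entry whose principal starts with `user:`. The HCL handling is a small regex-plus-brace scanner written for this page (not the Rego the real query uses), and the set of block types it inspects is an assumption taken from the samples rather than from the query's source.

```python
import re

# Block types assumed from the page's samples; the real query may cover more.
IAM_BLOCK_TYPES = {
    ("data", "google_iam_policy"),
    ("resource", "google_project_iam_binding"),
    ("resource", "google_project_iam_member"),
}

HEADER_RE = re.compile(r'(resource|data)\s+"([^"]+)"\s+"([^"]+)"\s*\{')
BINDING_RE = re.compile(r'\bbinding\s*\{')
ROLE_RE = re.compile(r'\brole\s*=\s*"([^"]*)"')
MEMBER_RE = re.compile(r'\bmember\s*=\s*"([^"]*)"')
MEMBERS_RE = re.compile(r'\bmembers\s*=\s*\[([^\]]*)\]', re.S)
STRING_RE = re.compile(r'"([^"]*)"')


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'.

    Braces inside quoted strings (e.g. "${var.x}" interpolations) are ignored,
    and backslash escapes inside strings are skipped.
    """
    depth = 0
    in_str = False
    i = open_idx
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
        i += 1
    raise ValueError("unbalanced braces in HCL input")


def _members(scope):
    """Collect principals from both `member = "..."` and `members = [...]`."""
    found = [m.group(1) for m in MEMBER_RE.finditer(scope)]
    for m in MEMBERS_RE.finditer(scope):
        found.extend(STRING_RE.findall(m.group(1)))
    return found


def find_user_members(hcl):
    """Return one finding per role binding granted directly to a user: principal."""
    findings = []
    for h in HEADER_RE.finditer(hcl):
        kind, rtype, name = h.group(1), h.group(2), h.group(3)
        if (kind, rtype) not in IAM_BLOCK_TYPES:
            continue
        body = _block_body(hcl, h.end() - 1)
        # google_iam_policy keeps role/members inside binding {} sub-blocks;
        # the other two types keep them at the top level of the block.
        scopes = [_block_body(body, b.end() - 1) for b in BINDING_RE.finditer(body)]
        if not scopes:
            scopes = [body]
        for scope in scopes:
            role_m = ROLE_RE.search(scope)
            role = role_m.group(1) if role_m else None
            for member in _members(scope):
                if member.startswith("user:"):
                    findings.append({"kind": kind, "type": rtype, "name": name,
                                     "role": role, "member": member})
    return findings


# Constructed input: the page's positive samples, concatenated (raw string so
# the escaped quotes in the condition expression survive as HCL).
POSITIVE_SAMPLE = r'''
data "google_iam_policy" "positive" {
  binding {
    role = "roles/apigee.runtimeAgent"
    members = ["user:jane@example.com"]
  }
}
resource "google_project_iam_binding" "positive2" {
  project = "your-project-id"
  role    = "roles/container.admin"
  members = ["user:jane@example.com"]
  condition {
    title       = "expires_after_2019_12_31"
    description = "Expiring at midnight of 2019-12-31"
    expression  = "request.time < timestamp(\"2020-01-01T00:00:00Z\")"
  }
}
resource "google_project_iam_member" "positive3" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}
'''

# Constructed input: the page's negative sample (group: principal).
NEGATIVE_SAMPLE = r'''
data "google_iam_policy" "negative" {
  binding {
    role = "roles/apigee.runtimeAgent"
    members = ["group:jane@example.com"]
  }
}
'''

if __name__ == "__main__":
    for f in find_user_members(POSITIVE_SAMPLE):
        print(f"{f['kind']} {f['type']}.{f['name']}: {f['role']} -> {f['member']}")
    print("negative sample findings:", find_user_members(NEGATIVE_SAMPLE))
```

Running the script prints three findings for the positive samples (one per block) and an empty list for the negative sample. The remediation the query expects is the one the negative sample shows: replace the `user:` principal with a `group:` principal and manage the person's access through group membership.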