IAM Managed Policy Applied to a User

  • Query id: 0e5872b4-19a0-4165-8b2f-56d9e14b909f
  • Query name: IAM Managed Policy Applied to a User
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Best Practices
  • URL: Github

Description

Attach managed IAM policies to groups rather than directly to users, so that permissions are granted and revoked through group membership instead of per-user attachments.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  CreateTestDBPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Description: Policy for creating a test database
      Path: /
      PolicyDocument:
        Version: '2012-10-17'
        Statement: []
      Users:
        - TestUser
Positive test num. 2 - json file
{
  "Resources": {
    "CreateTestDBPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Path": "/",
        "PolicyDocument": {
          "Statement": [],
          "Version": "2012-10-17"
        },
        "Users": [
          "TestUser"
        ],
        "Description": "Policy for creating a test database"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  CreateTestDBPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Description: Policy for creating a test database
      Path: /
      PolicyDocument:
        Version: '2012-10-17'
        Statement: []
      Groups:
        - TestGroup
Negative test num. 2 - json file
{
  "Resources": {
    "CreateTestDBPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Path": "/",
        "PolicyDocument": {
          "Statement": [],
          "Version": "2012-10-17"
        },
        "Groups": [
          "TestGroup"
        ],
        "Description": "Policy for creating a test database"
      }
    }
  }
}
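As an added example (not the KICS query itself and not code from this page), the following Python script implements the same check over a CloudFormation template parsed to a dict: it flags AWS::IAM::ManagedPolicy resources whose Users property is non-empty and, going one step beyond the page, AWS::IAM::User resources that attach managed policies from the user's side through ManagedPolicyArns. The embedded templates are constructed from the page's JSON samples (with the PolicyDocument Version written as the string IAM expects) plus a third constructed template with hypothetical logical IDs (DbUser, DbPolicy); YAML templates can be loaded with PyYAML's safe_load into the same structure, which the script does not assume is installed.

```python
"""Flag managed IAM policies attached directly to users in a CloudFormation
template. Added example; not the KICS query itself."""
import json
from typing import Any

# Constructed from the page's failing JSON sample (Users attached).
POSITIVE_TEMPLATE = """{
  "Resources": {
    "CreateTestDBPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Path": "/",
        "PolicyDocument": {"Statement": [], "Version": "2012-10-17"},
        "Users": ["TestUser"],
        "Description": "Policy for creating a test database"
      }
    }
  }
}"""

# Constructed from the page's passing JSON sample (Groups attached).
NEGATIVE_TEMPLATE = """{
  "Resources": {
    "CreateTestDBPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Path": "/",
        "PolicyDocument": {"Statement": [], "Version": "2012-10-17"},
        "Groups": ["TestGroup"],
        "Description": "Policy for creating a test database"
      }
    }
  }
}"""

# Constructed: a Ref to a user resource, plus a user that pulls in a managed
# policy via ManagedPolicyArns (hypothetical logical IDs DbUser / DbPolicy).
REF_TEMPLATE = """{
  "Resources": {
    "DbUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
      }
    },
    "DbPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {"Statement": [], "Version": "2012-10-17"},
        "Users": [{"Ref": "DbUser"}]
      }
    }
  }
}"""


def load_template(text: str) -> dict:
    """Parse a JSON template. A YAML template gives the same dict shape via
    yaml.safe_load (PyYAML), which this example does not require."""
    return json.loads(text)


def _render(entry: Any) -> str:
    """Show a plain name as-is and a one-key intrinsic such as
    {"Ref": "DbUser"} as Ref(DbUser), so findings stay readable."""
    if isinstance(entry, dict) and len(entry) == 1:
        key, value = next(iter(entry.items()))
        return f"{key}({value})"
    return str(entry)


def find_user_attached_policies(template: dict) -> list[dict]:
    """Return one finding per resource that binds a managed policy to a user.

    Two shapes are checked: AWS::IAM::ManagedPolicy with a non-empty Users
    list (the page's case) and AWS::IAM::User with ManagedPolicyArns (the
    same attachment declared from the user's side)."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        props = resource.get("Properties") or {}
        rtype = resource.get("Type")
        if rtype == "AWS::IAM::ManagedPolicy":
            prop = "Users"
        elif rtype == "AWS::IAM::User":
            prop = "ManagedPolicyArns"
        else:
            continue
        values = props.get(prop) or []
        if not isinstance(values, list):  # tolerate a single scalar value
            values = [values]
        if values:
            findings.append({
                "resource": logical_id,
                "type": rtype,
                "path": f"Resources.{logical_id}.Properties.{prop}",
                "attached": [_render(v) for v in values],
            })
    return findings


if __name__ == "__main__":
    for name, text in [("positive", POSITIVE_TEMPLATE),
                       ("negative", NEGATIVE_TEMPLATE),
                       ("ref", REF_TEMPLATE)]:
        for finding in find_user_attached_policies(load_template(text)):
            print(name, finding["path"], "->", ", ".join(finding["attached"]))
```

Run as a script it prints one line per finding; the negative template produces none, which is the shape the query's passing samples are meant to have. The fix on a flagged resource is the one the page shows: move the names from Users into Groups and put the users in that group.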