IAM Policy On User

• Query id: e4239438-e639-44aa-adb8-866e400e3ade
• Query name: IAM Policy On User
• Platform: CloudFormation
• Severity: Medium
• Category: Access Control
• URL: Github

Description

IAM policies should be applied to groups and not to users
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

#this is a problematic code where the query should report a result(s)
Resources:
  BadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Description: Policy for something.
      Path: "/"
      PolicyDocument:
        Version: '2012-10-17'
        Statement: []
      Users:
      - Ref: TestUser

Positive test num. 2 - json file

{
  "Resources": {
    "BadPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "Description": "Policy for something.",
        "Path": "/",
        "PolicyDocument": {
          "Statement": [],
          "Version": "2012-10-17"
        },
        "Users": [
          {
            "Ref": "TestUser"
          }
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

#this code is a correct code for which the query should not find any result
Resources:
  GoodPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Description: Policy for something.
      Path: "/"
      PolicyDocument:
        Version: '2012-10-17'
        Statement: []
      Groups:
      - user_group

Negative test num. 2 - json file

{
  "Resources": {
    "GoodPolicy": {
      "Properties": {
        "Description": "Policy for something.",
        "Path": "/",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": []
        },
        "Groups": [
          "user_group"
        ]
      },
      "Type": "AWS::IAM::Policy"
    }
  }
}