IAM Group Without Users

• Query id: fc101ca7-c9dd-4198-a1eb-0fbe92e80044
• Query name: IAM Group Without Users
• Platform: Terraform
• Severity: Medium
• Category: Access Control
• URL: Github

Description

IAM Group should have at least one user associated
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_iam_group_membership" "team2" {
  name = "tf-testing-group-membership"

  users = [
    aws_iam_user.user_one2.name,
    aws_iam_user.user_two2.name,
  ]

  group = aws_iam_group.group222.name
}

resource "aws_iam_group" "group2" {
  name = "test-group"
}

resource "aws_iam_user" "user_one2" {
  name = "test-user"
}

resource "aws_iam_user" "user_two2" {
  name = "test-user-two"
}

resource "aws_iam_group_membership" "team3" {
  name = "tf-testing-group-membership"

  users = [
  ]

  group = aws_iam_group.group3.name
}

resource "aws_iam_group" "group3" {
  name = "test-group"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_iam_group_membership" "team" {
  name = "tf-testing-group-membership"

  users = [
    aws_iam_user.user_one.name,
    aws_iam_user.user_two.name,
  ]

  group = aws_iam_group.group.name
}

resource "aws_iam_group" "group" {
  name = "test-group"
}

resource "aws_iam_user" "user_one" {
  name = "test-user"
}

resource "aws_iam_user" "user_two" {
  name = "test-user-two"
}