IAM Group Without Users
- Query id: fc101ca7-c9dd-4198-a1eb-0fbe92e80044
- Query name: IAM Group Without Users
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
IAM Group should have at least one user associated
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_iam_group_membership" "team2" {
name = "tf-testing-group-membership"
users = [
aws_iam_user.user_one2.name,
aws_iam_user.user_two2.name,
]
group = aws_iam_group.group222.name
}
resource "aws_iam_group" "group2" {
name = "test-group"
}
resource "aws_iam_user" "user_one2" {
name = "test-user"
}
resource "aws_iam_user" "user_two2" {
name = "test-user-two"
}
resource "aws_iam_group_membership" "team3" {
name = "tf-testing-group-membership"
users = [
]
group = aws_iam_group.group3.name
}
resource "aws_iam_group" "group3" {
name = "test-group"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_iam_group_membership" "team" {
name = "tf-testing-group-membership"
users = [
aws_iam_user.user_one.name,
aws_iam_user.user_two.name,
]
group = aws_iam_group.group.name
}
resource "aws_iam_group" "group" {
name = "test-group"
}
resource "aws_iam_user" "user_one" {
name = "test-user"
}
resource "aws_iam_user" "user_two" {
name = "test-user-two"
}
Negative test num. 2 - tf file
resource "aws_iam_user" "user_one" {
name = "user_one-example"
}
resource "aws_iam_group" "example_external_users" {
name = "example-external-users"
}
resource "aws_iam_user_group_membership" "programmatic_user_membership" {
user = aws_iam_user.user_one.name
groups = [aws_iam_group.example_external_users.name]
}
Negative test num. 3 - tf file
resource "aws_iam_group" "group1" {
name = "test"
}
resource "aws_iam_user_group_membership" "user_group_membership" {
user = var.user_iam
groups = aws_iam_group.group1.name
}
resource "aws_iam_group_policy_attachment" "group_attachment" {
group = aws_iam_group.group1.name
policy_arn = aws_iam_policy.ECR_policy.arn
}