Severity Framework
Snyk CCSS
Rule category
IAM / Policy
Frameworks
AWS-Well-Architected
CIS-AWS
CIS-Controls
CSA-CCM
HIPAA
- Snyk ID SNYK-CC-00030
- credit Snyk Research Team
Description
Assigning privileges at the group or role level keeps access management tractable as the number of users grows: a permission is granted once to the group or role, and each user inherits it through membership or assumption, rather than accumulating its own set of attached policies. Lower management complexity reduces the chance that a principal inadvertently receives, or retains after a change of duties, privileges it should not have.
How to fix?
Use aws_iam_group_policy or aws_iam_role_policy resources to declare the policy inline, or attach the policy to aws_iam_group or aws_iam_role resources.
- Ensure that IAM policy definitions are not declared inline with the aws_iam_user_policy and aws_iam_user resources or attached to aws_iam_user resources with aws_iam_policy. Instead, IAM policy definitions should be declared inline with aws_iam_group_policy and aws_iam_role_policy resources, or attached to aws_iam_group and aws_iam_role resources with aws_iam_policy.
- Ensure that IAM policies are not attached using aws_iam_policy_attachment, as it claims exclusive ownership of every attachment of that policy across the entire AWS account and will detach the policy from any principal not declared in that one resource. Instead, use the per-principal resources aws_iam_role_policy_attachment, aws_iam_group_policy_attachment, or aws_iam_user_policy_attachment (noting that attaching a policy to a user with the last of these still violates this rule).
Example Configuration
resource "aws_iam_group_policy" "example" {
  name  = "my_group_policy"
  group = aws_iam_group.my_group.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:ListAllMyBuckets",
        ]
        Effect   = "Deny"
        Resource = "*" # identity-based policy statements must carry a Resource (or NotResource) element
      },
    ]
  })
  # name is optional; group and policy are the only required arguments
}

resource "aws_iam_group" "my_group" {
  name = "my_group"
  path = "/users/"
}
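The configuration above shows the inline group-policy form. The following is an added example, not part of the Snyk rule page, showing the other shape the fix describes: the non-compliant user-attached policy that this rule flags, followed by the same permissions declared once as a managed aws_iam_policy and attached to a role and a group, with the user reaching them only through group membership. All names (alice, audit-reader, ops, the example-reports bucket) are hypothetical; the non-compliant block is included only for contrast and would be removed in a real fix.

```hcl
# Added example; not from the Snyk rule page. Names are hypothetical.

# --- Non-compliant: policy bound directly to an IAM user (flagged by SNYK-CC-00030)
resource "aws_iam_user" "alice" {
  name = "alice"
}

resource "aws_iam_user_policy" "alice_inline" {
  name   = "alice-reports-read"
  user   = aws_iam_user.alice.name
  policy = data.aws_iam_policy_document.reports_read.json
}

# --- Compliant: declare the policy once, attach it to a role and a group ---------
data "aws_iam_policy_document" "reports_read" {
  statement {
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    # Scoped to one bucket rather than "*"; both bucket and object ARNs are needed
    # because ListBucket targets the bucket and GetObject targets its objects.
    resources = [
      "arn:aws:s3:::example-reports",
      "arn:aws:s3:::example-reports/*",
    ]
  }
}

resource "aws_iam_policy" "reports_read" {
  name   = "reports-read"
  policy = data.aws_iam_policy_document.reports_read.json
}

# Workloads get the permission by assuming this role (trust policy limits who can).
resource "aws_iam_role" "audit_reader" {
  name = "audit-reader"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Per-principal attachment; do NOT use aws_iam_policy_attachment here, which
# would take exclusive ownership of every attachment of reports_read.
resource "aws_iam_role_policy_attachment" "audit_reader" {
  role       = aws_iam_role.audit_reader.name
  policy_arn = aws_iam_policy.reports_read.arn
}

# Humans get the permission by being members of this group.
resource "aws_iam_group" "ops" {
  name = "ops"
}

resource "aws_iam_group_policy_attachment" "ops" {
  group      = aws_iam_group.ops.name
  policy_arn = aws_iam_policy.reports_read.arn
}

# The user now carries no policy of its own; removing it from the group revokes access.
resource "aws_iam_user_group_membership" "alice" {
  user   = aws_iam_user.alice.name
  groups = [aws_iam_group.ops.name]
}
```

Sharing one aws_iam_policy_document between the role and the group keeps the two grants identical, so a later scope change is made in one place. After the migration, `aws iam list-attached-user-policies --user-name alice` and `aws iam list-user-policies --user-name alice` should both return empty lists for the user.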