IAM policies are not only attached to Groups and Roles

Description

By default, IAM users, groups, and roles have no access to AWS resources. Permissions are defined in IAM policies, and a policy grants its permissions only to the users, groups, or roles it is attached to.

Attaching policies at the group or role level keeps access management tractable as the user base grows: permissions are reviewed in one place per job function instead of once per person, which reduces the chance that an individual principal accumulates excessive or inappropriate rights that nobody notices.

It is therefore recommended to attach IAM policies to groups and roles rather than to individual users. Users should receive permissions through group membership or by assuming a role; this keeps access control consistent and supports the principle of least privilege.

Fix - Buildtime

  • Resource: AWS::IAM::Policy
  • Arguments: Properties.Users
Resources:
  ExamplePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      ...
-     Users:
-       - example_user
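The removal above is only half of the fix: the permission still has to reach the user, which is done by attaching the policy to a group and placing the user in that group. The following script, added here as an illustration and not part of the original page or the scanner it documents, embeds two constructed CloudFormation templates in JSON form (the "before" shape with `Properties.Users` and a corrected version using `Properties.Groups` plus group membership on the `AWS::IAM::User`) and runs a buildtime check over them. The check goes beyond the single resource and argument listed above: it also flags `AWS::IAM::ManagedPolicy` resources with `Users`, and `AWS::IAM::User` resources that carry inline `Policies` or `ManagedPolicyArns`, since those attach permissions directly to a user as well. The logical IDs, policy names and statement are made up for the example.

```python
"""Buildtime check: flag IAM permissions bound directly to users in a
CloudFormation template. JSON form is used so only the standard library is needed."""
import json

# Constructed "before" template: an inline policy attached straight to a user.
VULNERABLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ExampleUser": {
            "Type": "AWS::IAM::User",
            "Properties": {"UserName": "example_user"},
        },
        "ExamplePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "example-policy",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Action": "s3:ListBucket",
                                   "Resource": "*"}],
                },
                "Users": [{"Ref": "ExampleUser"}],  # the flagged argument
            },
        },
    },
})

# Constructed "after" template: the same permission granted to a group; the user
# gets it only through membership in that group.
FIXED_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ExampleGroup": {"Type": "AWS::IAM::Group"},
        "ExampleUser": {
            "Type": "AWS::IAM::User",
            "Properties": {"UserName": "example_user",
                           "Groups": [{"Ref": "ExampleGroup"}]},
        },
        "ExamplePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "example-policy",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Action": "s3:ListBucket",
                                   "Resource": "*"}],
                },
                "Groups": [{"Ref": "ExampleGroup"}],
            },
        },
    },
})


def find_user_attached_policies(template_text):
    """Return sorted (logical_id, reason) pairs for every resource that binds
    permissions directly to an IAM user. An empty list means the template passes."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            # A present but empty Users list attaches nothing, so only a
            # non-empty list is a finding.
            if props.get("Users"):
                findings.append((logical_id, f"{rtype} lists Users"))
        elif rtype == "AWS::IAM::User":
            if props.get("Policies"):
                findings.append((logical_id, "AWS::IAM::User has inline Policies"))
            if props.get("ManagedPolicyArns"):
                findings.append((logical_id, "AWS::IAM::User has ManagedPolicyArns"))
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        result = find_user_attached_policies(text)
        status = "FAILED" if result else "PASSED"
        print(f"{name}: {status}")
        for logical_id, reason in result:
            print(f"  {logical_id}: {reason}")
```

Run against a real template, the same function would be fed the parsed `Resources` map; a YAML template would first need a parser that understands CloudFormation's short-form intrinsic tags, which is why the example sticks to JSON. Note that `Users` on an `AWS::IAM::Policy` resource is what this page's check looks for; moving the binding to `Groups` satisfies it, and the `Groups` list on the user is what keeps the permission effective after the move.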