Id: f509931b-bbb0-443c-bd9b-10e92ecf2193
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Access Control
Description
IAM groups should include at least one user to ensure group membership and any attached permissions are intentional, auditable, and not left orphaned.
This rule checks Ansible amazon.aws.iam_group and iam_group tasks and requires the users property to be defined and non-null, holding a list of one or more usernames. Tasks that omit the users property, set users: null, or pass an empty list are flagged. Note that in YAML a bare users: key with no value is loaded as null, so it is flagged as well. Either populate the list with the intended usernames or remove unused groups together with their attached policies.
Secure configuration example:
- name: Create developers IAM group with users
  amazon.aws.iam_group:
    name: developers
    users:
      - alice
      - bob
    state: present
Compliant Code Examples
- name: Group3
  iam_group:
    name: testgroup2
    managed_policy:
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
    users:
      - test_user1
      - test_user2
    state: present
Non-Compliant Code Examples
- name: Group2
  iam_group:
    name: testgroup2
    managed_policy:
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
    users:
    state: present
- name: Group1
  iam_group:
    name: testgroup1
    state: present
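The following is an added example of the check the Description spells out, written here for illustration; it is not Datadog's scanner. It operates on tasks as an Ansible YAML loader would already have parsed them (Python dicts), so it runs offline with no dependencies. The sample tasks are constructed to mirror the compliant and non-compliant snippets on this page, plus one constructed task nested in an Ansible block with an empty users list; the group name "auditors" and the task name "Empty list group" are assumptions. The three distinct failure modes named in the rule (missing, null, empty) are reported separately so a finding says exactly what to fix.

```python
"""Flag Ansible iam_group / amazon.aws.iam_group tasks whose `users` is
missing, null, or an empty list. Added example; not Datadog's own code."""

IAM_GROUP_MODULES = {"iam_group", "amazon.aws.iam_group"}
# Ansible task containers whose bodies hold further tasks.
NESTING_KEYS = ("block", "rescue", "always")


def users_are_valid(users):
    """True only for a non-empty list of non-empty username strings."""
    return (
        isinstance(users, list)
        and len(users) > 0
        and all(isinstance(u, str) and u for u in users)
    )


def iter_tasks(tasks):
    """Yield leaf tasks depth-first, descending into block/rescue/always."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        if any(isinstance(task.get(k), list) for k in NESTING_KEYS):
            for key in NESTING_KEYS:
                if isinstance(task.get(key), list):
                    yield from iter_tasks(task[key])
        else:
            yield task


def classify_users(args):
    """Return a reason string if `users` violates the rule, else None."""
    if "users" not in args:
        return "users is not defined"
    users = args["users"]
    if users is None:
        return "users is null"          # YAML `users:` with no value
    if not isinstance(users, list):
        return "users is not a list"
    if not users_are_valid(users):
        return "users is an empty list"
    return None


def find_orphaned_groups(tasks):
    """Return (task name, group name, reason) for each non-compliant task."""
    findings = []
    for task in iter_tasks(tasks):
        module = next((m for m in task if m in IAM_GROUP_MODULES), None)
        if module is None:
            continue
        args = task[module]
        if not isinstance(args, dict):
            continue  # free-form module arguments are not evaluated here
        reason = classify_users(args)
        if reason is not None:
            findings.append((task.get("name", "<unnamed>"), args.get("name"), reason))
    return findings


SNS_FULL = "arn:aws:iam::aws:policy/AmazonSNSFullAccess"

# Constructed sample: the page's examples as a loader would parse them, plus
# one constructed nested task with an empty list ("auditors" is an assumption).
SAMPLE_TASKS = [
    {"name": "Group3", "iam_group": {"name": "testgroup2", "managed_policy": [SNS_FULL],
                                     "users": ["test_user1", "test_user2"], "state": "present"}},
    {"name": "Group2", "iam_group": {"name": "testgroup2", "managed_policy": [SNS_FULL],
                                     "users": None, "state": "present"}},
    {"name": "Group1", "iam_group": {"name": "testgroup1", "state": "present"}},
    {"name": "Create developers IAM group with users",
     "amazon.aws.iam_group": {"name": "developers", "users": ["alice", "bob"], "state": "present"}},
    {"block": [
        {"name": "Empty list group",
         "amazon.aws.iam_group": {"name": "auditors", "users": [], "state": "present"}},
    ]},
]

if __name__ == "__main__":
    for task_name, group, reason in find_orphaned_groups(SAMPLE_TASKS):
        print(f"{task_name}: IAM group {group!r}: {reason}")
```

Run as a script it reports Group2 (null), Group1 (not defined) and the nested auditors task (empty list), and stays silent for Group3 and the developers group. To check real playbooks, load the file with a YAML library and pass the task list to find_orphaned_groups.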