Id: f509931b-bbb0-443c-bd9b-10e92ecf2193
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Access Control
Description
IAM groups should include at least one user to ensure group membership and any attached permissions are intentional, auditable, and not left orphaned.
This rule checks Ansible amazon.aws.iam_group and iam_group tasks and requires the users property to be defined and non-null (a list containing one or more usernames). Resources missing the users property or with users: null or an empty list are flagged. Either populate the list with the intended usernames or remove unused groups and associated policies.
Secure configuration example:
- name: Create developers IAM group with users
  amazon.aws.iam_group:
    name: developers
    users:
      - alice
      - bob
    state: present
Compliant Code Examples
- name: Group3
  iam_group:
    name: testgroup2
    managed_policy:
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
    users:
      - test_user1
      - test_user2
    state: present
Non-Compliant Code Examples
- name: Group2
  iam_group:
    name: testgroup2
    managed_policy:
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
    users:
    state: present
- name: Group1
  iam_group:
    name: testgroup1
    state: present
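The following is an added example of the check this rule describes, written here for illustration; it is not the KICS query itself. It operates on Ansible tasks in the dictionary form that a YAML loader such as yaml.safe_load produces for a playbook, so it runs offline without PyYAML. It matches the two module names the rule names (iam_group and amazon.aws.iam_group), and flags a users property that is missing, null (which is what a bare "users:" key parses to, as in Group2 above) or an empty list. Treating a non-list scalar as a finding is this example's own interpretation of "a list containing one or more usernames". The sample tasks are constructed from the compliant and non-compliant examples on this page, plus an empty-list case and an unrelated task that must be ignored.

```python
"""Flag Ansible IAM group tasks that declare no users (added example, not the KICS query)."""
from typing import Any, Dict, List, Optional

# Module names covered by the rule: short name and fully-qualified collection name.
IAM_GROUP_MODULES = ("iam_group", "amazon.aws.iam_group")


def find_iam_group_module(task: Dict[str, Any]) -> Optional[str]:
    """Return the iam_group module key this task uses, or None if it is not an iam_group task."""
    for key in task:
        if key in IAM_GROUP_MODULES:
            return key
    return None


def users_finding(params: Any) -> Optional[str]:
    """Return the reason the users property is non-compliant, or None if it is acceptable."""
    if not isinstance(params, dict):
        return "module arguments are not a mapping"
    if "users" not in params:
        return "users property is missing"
    users = params["users"]
    if users is None:
        # A bare 'users:' key with nothing after it loads as null.
        return "users is null"
    if not isinstance(users, list):
        # The rule expects a list; flagging a scalar here is this example's interpretation.
        return "users is not a list (got %s)" % type(users).__name__
    if len(users) == 0:
        return "users list is empty"
    return None


def check_tasks(tasks: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the check over a list of tasks; one finding per non-compliant iam_group task."""
    findings = []
    for task in tasks:
        module = find_iam_group_module(task)
        if module is None:
            continue  # not an IAM group task
        params = task[module]
        reason = users_finding(params)
        if reason is not None:
            group = params.get("name") if isinstance(params, dict) else None
            findings.append({
                "task": task.get("name"),
                "module": module,
                "group": group,
                "reason": reason,
            })
    return findings


# Constructed sample input mirroring the page's Group3 (compliant), Group2 and Group1
# (non-compliant), plus an empty list and an unrelated module that must be ignored.
SNS_POLICY = "arn:aws:iam::aws:policy/AmazonSNSFullAccess"
SAMPLE_TASKS = [
    {"name": "Group3", "iam_group": {"name": "testgroup2", "managed_policy": [SNS_POLICY],
                                     "users": ["test_user1", "test_user2"], "state": "present"}},
    {"name": "Group2", "iam_group": {"name": "testgroup2", "managed_policy": [SNS_POLICY],
                                     "users": None, "state": "present"}},
    {"name": "Group1", "iam_group": {"name": "testgroup1", "state": "present"}},
    {"name": "Empty developers group", "amazon.aws.iam_group": {"name": "developers",
                                                                "users": [], "state": "present"}},
    {"name": "Unrelated", "amazon.aws.iam_user": {"name": "alice", "state": "present"}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print("%(task)s (%(module)s, group %(group)s): %(reason)s" % finding)
```

Running the block reports three findings: Group2 (users is null), Group1 (users property is missing) and the empty developers group, while the compliant Group3 and the iam_user task produce nothing.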