
Metadata

Id: eafe4bc3-1042-4f88-b988-1939e64bf060

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Access Control


Description

Attaching IAM policies directly to individual IAM users increases the risk of privilege sprawl, makes permissions harder to audit and revoke, and magnifies impact if a user’s credentials are compromised.

For Ansible amazon.aws.iam_policy or iam_policy tasks, the iam_type property must be set to group or role rather than user. Resources missing the iam_type property or with iam_type set to user are flagged. Attach policies to groups or roles to centralize permission management and enable role-based access patterns.

Secure example (attach policy to a role):

- name: Attach policy to role
  amazon.aws.iam_policy:
    iam_type: role          # group or role, never user
    iam_name: my-role
    policy_name: my-policy  # the module's parameter is policy_name
    policy_json: "{{ lookup('file', 'my-policy.json') }}"  # policy_json takes the JSON text itself
    state: present
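The check the rule text describes, written out as a small standalone scanner. This is an added, hypothetical example and not the rule's own implementation: it walks a parsed playbook or task file, follows tasks nested under block/rescue/always, and reports any amazon.aws.iam_policy or iam_policy task whose iam_type is missing or set to user. The sample playbook is constructed inline as the dict/list structure a YAML loader would produce; only the optional check_yaml_text helper assumes PyYAML is installed.

```python
"""Hypothetical checker for the rule above: flag Ansible iam_policy tasks that
attach a policy directly to an IAM user (iam_type missing or set to "user").
Illustrative code added here, not the rule's own implementation."""
from typing import Any, Dict, List, Optional

# Module names the rule covers (fully-qualified and short form)
IAM_POLICY_MODULES = ("amazon.aws.iam_policy", "iam_policy")
# Ansible nests further tasks under these task keywords
NESTED_TASK_KEYS = ("block", "rescue", "always")
# Sections of a play that hold task lists
PLAY_TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def find_iam_policy_module(task: Dict[str, Any]) -> Optional[str]:
    """Return the iam_policy module key used by a task, or None."""
    for module in IAM_POLICY_MODULES:
        if module in task:
            return module
    return None


def check_tasks(tasks: List[Any], path: str = "tasks") -> List[Dict[str, str]]:
    """Walk a task list, recursing into block/rescue/always, and return findings."""
    findings: List[Dict[str, str]] = []
    for idx, task in enumerate(tasks):
        if not isinstance(task, dict):
            continue
        here = f"{path}[{idx}]"
        for nested in NESTED_TASK_KEYS:
            if isinstance(task.get(nested), list):
                findings.extend(check_tasks(task[nested], f"{here}.{nested}"))
        module = find_iam_policy_module(task)
        if module is None:
            continue
        args = task.get(module)
        if not isinstance(args, dict):
            # Free-form "iam_policy: iam_type=user ..." strings are not parsed here
            reason = "module arguments are not a mapping; review manually"
        else:
            iam_type = args.get("iam_type")
            if iam_type is None:
                reason = "iam_type is missing"
            elif str(iam_type).lower() == "user":
                reason = "iam_type is 'user'"
            else:
                continue  # group or role: compliant
        findings.append({
            "task": str(task.get("name", "<unnamed>")),
            "location": f"{here}.{module}",
            "reason": reason,
        })
    return findings


def check_document(doc: Any) -> List[Dict[str, str]]:
    """Accept a parsed task file (list of tasks) or a playbook (list of plays)."""
    if not isinstance(doc, list):
        return []
    is_playbook = any(isinstance(i, dict) and ("hosts" in i or "tasks" in i) for i in doc)
    if not is_playbook:
        return check_tasks(doc)
    findings: List[Dict[str, str]] = []
    for idx, play in enumerate(doc):
        if not isinstance(play, dict):
            continue
        for section in PLAY_TASK_SECTIONS:
            if isinstance(play.get(section), list):
                findings.extend(check_tasks(play[section], f"plays[{idx}].{section}"))
    return findings


def check_yaml_text(text: str) -> List[Dict[str, str]]:
    """Parse YAML text and check it. Assumes PyYAML is installed (imported lazily)."""
    import yaml  # assumption: PyYAML is available in the scanning environment
    return check_document(yaml.safe_load(text))


# Constructed sample: a playbook as a YAML loader would return it (dicts and lists)
SAMPLE_PLAYBOOK = [
    {
        "hosts": "localhost",
        "tasks": [
            {"name": "Assign a policy called Admin to the administrators group",
             "amazon.aws.iam_policy": {"iam_type": "group", "iam_name": "administrators",
                                       "policy_name": "Admin", "state": "present",
                                       "policy_json": "{}"}},
            {"name": "Assign a policy called Admin to user",
             "amazon.aws.iam_policy": {"iam_type": "user", "iam_name": "administrators",
                                       "policy_name": "Admin", "state": "present",
                                       "policy_json": "{}"}},
            {"block": [
                {"name": "Attach policy to role",
                 "iam_policy": {"iam_type": "role", "iam_name": "my-role",
                                "policy_name": "my-policy", "policy_json": "{}"}},
                {"name": "Attach policy with iam_type omitted",
                 "iam_policy": {"iam_name": "someone", "policy_name": "p",
                                "policy_json": "{}"}},
            ]},
        ],
    }
]

if __name__ == "__main__":
    for f in check_document(SAMPLE_PLAYBOOK):
        print(f"{f['location']}: {f['task']}: {f['reason']}")
```

Run against the constructed playbook, the scanner reports the user-scoped task and the nested task with no iam_type, and passes the group and role tasks. A task written in free-form key=value syntax is reported for manual review rather than silently skipped, since its iam_type cannot be read from the mapping.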

Compliant Code Examples

- name: Assign a policy called Admin to the administrators group
  amazon.aws.iam_policy:
    iam_type: group
    iam_name: administrators
    policy_name: Admin
    state: present
    policy_document: admin_policy.json

Non-Compliant Code Examples

- name: Assign a policy called Admin to user
  amazon.aws.iam_policy:
    iam_type: user
    iam_name: administrators
    policy_name: Admin
    state: present
    policy_document: admin_policy.json