For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-iam-groups-inline-policies.md. A documentation index is available at /llms.txt.

IAM group inline policies

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-iam-groups-inline-policies

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Access Control

Learn More

Description

IAM groups should not contain inline policies because inline policies are tightly coupled to the group’s lifecycle and are harder to audit, review, and reuse. This increases risk of accidental loss of permissions and inconsistent access control when groups are modified or deleted.

In CloudFormation, check AWS::IAM::Group resources and ensure the Properties.Policies attribute is undefined or empty. Use reusable managed policies instead by specifying ManagedPolicyArns or creating AWS::IAM::ManagedPolicy resources and referencing them. Resources with a non-empty Policies list will be flagged as a security risk.

Secure configuration example (attach managed policies rather than inline policies):

MyGroup:
  Type: AWS::IAM::Group
  Properties:
    GroupName: Devs
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/ReadOnlyAccess

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::Group

{
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::Group"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::Group
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
        Policies:
        - PolicyName: giveaccesstoqueueonly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - sqs:*
              Resource:
              - !GetAtt myqueue.Arn
            - Effect: Deny
              Action:
              - sqs:*
              NotResource:
              - !GetAtt myqueue.Arn

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        },
        "Policies": [
          {
            "PolicyName": "giveaccesstoqueueonly",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "sqs:*"
                  ],
                  "Resource": [
                    "myqueue.Arn"
                  ]
                },
                {
                  "Effect": "Deny",
                  "Action": [
                    "sqs:*"
                  ],
                  "NotResource": [
                    "myqueue.Arn"
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  }
}