Attaching AWS managed IAM policies directly to individual users increases the risk of privilege sprawl and inconsistent permissions. It also makes auditing and centralized access control harder. Assigning policies to groups enforces consistent role-based access and simplifies permission management.
In CloudFormation, validate AWS::IAM::ManagedPolicy resources: the Users property must not be populated (that is, it must be absent or an empty array). Instead, assign the managed policy through the Groups property (an array of group names or references) or attach the policy to AWS::IAM::Group resources. Any resource with Users defined is flagged. Remove Users and use Groups (or group attachments) so access is managed centrally.
Compliant Code Examples

```yaml
Resources:
  CreateTestDBPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Description: Policy for creating a test database
      Path: /
      PolicyDocument:
        # Quoted so YAML parsers do not read the version as a date
        Version: '2012-10-17'
        Statement: []
      # Policy is attached to a group, not to individual users
      Groups:
        - TestGroup
```

```json
{
  "Resources": {
    "CreateTestDBPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Path": "/",
        "PolicyDocument": {
          "Statement": [],
          "Version": "2012-10-17"
        },
        "Groups": ["TestGroup"],
        "Description": "Policy for creating a test database"
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
Resources:
  CreateTestDBPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Description: Policy for creating a test database
      Path: /
      PolicyDocument:
        Version: '2012-10-17'
        Statement: []
      # Non-compliant: the policy is attached directly to a user
      Users:
        - TestUser
```

```json
{
  "Resources": {
    "CreateTestDBPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Path": "/",
        "PolicyDocument": {
          "Statement": [],
          "Version": "2012-10-17"
        },
        "Users": ["TestUser"],
        "Description": "Policy for creating a test database"
      }
    }
  }
}
```
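The check the rule performs, as an added example written for this page (it is not Datadog's own scanner code): it walks a parsed CloudFormation template, flags every AWS::IAM::ManagedPolicy whose Users property is populated, and shows one way to remediate by moving the attachment to a group. The two templates embedded below are constructed copies of the JSON examples above; the `remediate` helper and its `group_name` parameter are assumptions for illustration, and the real fix still requires the named group to exist and the affected users to be added to it.

```python
from copy import deepcopy
from typing import Any

# Constructed inputs mirroring the page's compliant and non-compliant examples.
COMPLIANT_TEMPLATE: dict = {
    "Resources": {
        "CreateTestDBPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "Path": "/",
                "PolicyDocument": {"Statement": [], "Version": "2012-10-17"},
                "Groups": ["TestGroup"],
                "Description": "Policy for creating a test database",
            },
        }
    }
}

NON_COMPLIANT_TEMPLATE: dict = deepcopy(COMPLIANT_TEMPLATE)
del NON_COMPLIANT_TEMPLATE["Resources"]["CreateTestDBPolicy"]["Properties"]["Groups"]
NON_COMPLIANT_TEMPLATE["Resources"]["CreateTestDBPolicy"]["Properties"]["Users"] = ["TestUser"]


def _is_populated(value: Any) -> bool:
    """True when a list-typed property carries at least one entry.

    An empty list or a missing property is not populated. An intrinsic
    function (e.g. {"Ref": ...} or {"Fn::If": ...}) is an object whose value
    is only known at deploy time, so it is conservatively treated as populated.
    """
    if value is None:
        return False
    if isinstance(value, list):
        return len(value) > 0
    if isinstance(value, dict):
        return True
    return bool(value)


def find_user_attached_policies(template: dict) -> list[dict]:
    """Return one finding per AWS::IAM::ManagedPolicy with a populated Users property."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::ManagedPolicy":
            continue
        props = resource.get("Properties") or {}
        users = props.get("Users")
        if _is_populated(users):
            findings.append(
                {
                    "resource": logical_id,
                    "users": users,
                    # Helps triage: a policy with both Users and Groups only needs Users dropped.
                    "already_has_groups": _is_populated(props.get("Groups")),
                }
            )
    return findings


def remediate(template: dict, group_name: str) -> dict:
    """Return a copy of the template with Users removed from every flagged policy
    and group_name appended to its Groups (hypothetical helper; the group itself
    must be created separately and the former users added as its members)."""
    fixed = deepcopy(template)
    for finding in find_user_attached_policies(fixed):
        props = fixed["Resources"][finding["resource"]]["Properties"]
        props.pop("Users", None)
        groups = props.get("Groups")
        if not isinstance(groups, list):  # absent, or an intrinsic we will not rewrite
            groups = []
        if group_name not in groups:
            groups.append(group_name)
        props["Groups"] = groups
    return fixed


if __name__ == "__main__":
    for name, tpl in (("compliant", COMPLIANT_TEMPLATE), ("non-compliant", NON_COMPLIANT_TEMPLATE)):
        print(name, find_user_attached_policies(tpl))
    print("after remediation:", find_user_attached_policies(remediate(NON_COMPLIANT_TEMPLATE, "TestGroup")))
```

Because `_is_populated` treats intrinsic functions as set, a template that builds the Users list with Fn::If is flagged as well, which matches the conservative stance a scanner should take when the value cannot be resolved statically.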
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```