--- title: SSO identity user unsafe creation description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SSO identity user unsafe creation --- # SSO identity user unsafe creation {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-sso-identity-user-unsafe-creation` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user) ### Description{% #description %} Using the `aws_identitystore_user` resource in Terraform to create AWS SSO users directly can result in misalignment between your AWS identities and external Identity Providers (IdPs) such as Active Directory. Because these users are not automatically synchronized with external directories, this configuration can introduce inconsistencies, orphaned accounts, or the risk of unauthorized access if users are not properly managed or deprovisioned. If left unaddressed, this may compromise the integrity of access controls and leave your AWS environment vulnerable to privilege escalation or account misuse. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_ssoadmin_permission_set_inline_policy" "neg1" { instance_arn = aws_ssoadmin_permission_set.example.instance_arn permission_set_arn = aws_ssoadmin_permission_set.example.arn inline_policy = <