IAM policy is attached to user

ID

aws_iam_policy_user

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

An IAM policy is attached directly to a user, but policies should be attached only to groups or roles. Attaching a policy to groups or roles is more efficient than attaching it to individual users, since permissions are then managed in one place rather than per user.

To fix it, attach the policy to a group or role instead of a user: iam_type must be group or role.

Learn more about this topic at AWS Attach IAM policy.

Examples

# Non-compliant: the policy is attached directly to a user (iam_type: user).
# loop belongs at task level, not under the module arguments.
- name: Example
  amazon.aws.iam_policy:
    iam_type: user
    iam_name: "{{ item.user }}"
    policy_name: "s3_limited_access_{{ item.prefix }}"
    state: present
    policy_json: "{{ lookup('template', 's3_policy.json.j2') }}"
  loop:
    - user: s3_user
      prefix: s3_user_prefix

Mitigation / Fix

- name: Create Two Groups
  community.aws.iam_group:
    name: "{{ item }}"
    state: present
  loop:
    - Group1
    - group2
  register: new_groups

- name: Apply policy to new groups that have been recently created
  amazon.aws.iam_policy:
    iam_type: group
    iam_name: "{{ item.iam_group.group.group_name }}"
    policy_name: "READ-ONLY"
    policy_json: "{{ lookup('template', 'readonly.json.j2') }}"
    state: present
  loop: "{{ new_groups.results }}"
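As an added example that is not part of this rule page, the check below walks a parsed Ansible task list (the structure yaml.safe_load returns for a tasks file) and reports iam_policy tasks whose iam_type is user, the condition this rule flags; it also descends into block/rescue/always sections and reports a templated iam_type as undetermined rather than silently passing it. The task data and function names are constructed for illustration and mirror the two examples above.

```python
# Added example: flag Ansible iam_policy tasks whose iam_type is "user".
# Input is the parsed form of a task list; the sample is constructed to
# mirror this rule page's failing example and its group-based fix.
IAM_POLICY_MODULES = {"amazon.aws.iam_policy", "community.aws.iam_policy", "iam_policy"}
BLOCK_KEYS = ("block", "rescue", "always")

def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = [task[k] for k in BLOCK_KEYS if isinstance(task.get(k), list)]
        if nested:
            for section in nested:
                yield from iter_tasks(section)
        else:
            yield task

def find_user_attached_policies(tasks):
    """Return (task_name, verdict) for iam_policy tasks not attached to a group/role.

    verdict is "user" for a literal iam_type: user, or "undetermined" when
    iam_type is a Jinja expression that cannot be resolved statically.
    """
    findings = []
    for task in iter_tasks(tasks):
        module = next((m for m in IAM_POLICY_MODULES if m in task), None)
        if module is None:
            continue
        args = task[module] if isinstance(task[module], dict) else {}
        iam_type = str(args.get("iam_type", "")).strip()
        name = task.get("name", "<unnamed>")
        if "{{" in iam_type:
            findings.append((name, "undetermined"))
        elif iam_type == "user":
            findings.append((name, "user"))
    return findings

# Constructed sample: the failing example, a compliant group task inside a
# block, and a task whose iam_type is templated.
SAMPLE_TASKS = [
    {"name": "Example", "amazon.aws.iam_policy": {"iam_type": "user",
     "iam_name": "{{ item.user }}", "policy_name": "s3_limited_access", "state": "present"}},
    {"block": [
        {"name": "Apply policy to new groups", "amazon.aws.iam_policy": {"iam_type": "group",
         "iam_name": "Group1", "policy_name": "READ-ONLY", "state": "present"}},
        {"name": "Templated type", "iam_policy": {"iam_type": "{{ target_type }}",
         "iam_name": "x", "policy_name": "p"}},
    ]},
]
```

Running find_user_attached_policies(SAMPLE_TASKS) reports the Example task as attached to a user and the templated task as undetermined, while the group-based task from the fix passes.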