
Not all IAM users are members of at least one IAM group

Description

Every IAM user should be a member of at least one IAM group, and permissions should be granted through the group's policies rather than through policies attached directly to the user. A user with no group membership is usually a sign that permissions are being (or will be) attached to that user individually, which makes them easy to overlook in access reviews, hard to keep consistent across users who do the same job, and prone to accumulating more privilege than the job needs. The CIS AWS Foundations Benchmark makes the same recommendation: attach IAM policies only to groups or roles, not to users.

Group membership also makes permissions easier to manage. To change what a set of users can do, update the group's policy once instead of editing each user's policies individually; to offboard a user, remove them from the group. Note that membership alone grants nothing: this check only verifies that the user belongs to a group, so the group must have a policy attached for the user to gain any permissions, and any policies still attached directly to the user should be moved into the group.

Fix - Buildtime

Terraform

  • Resource: aws_iam_group_membership, aws_iam_group, aws_iam_user
  • Argument: users and group of aws_iam_group_membership
# One aws_iam_group_membership resource manages the complete member list of
# the group it names: every user that should be in the group goes in "users".
resource "aws_iam_group_membership" "ok_group" {
  name = "tf-testing-group-membership"

  users = [
    aws_iam_user.user_good.name,   # user_good is now a member of test-group
  ]

  group = aws_iam_group.group.name
}

resource "aws_iam_group" "group" {
  name = "test-group"
}

# A user that appears in no aws_iam_group_membership (or
# aws_iam_user_group_membership) resource fails this check.
resource "aws_iam_user" "user_good" {
  name = "test-user"
}

Caveat: aws_iam_group_membership is exclusive for the group it names, so declaring two of them for the same group, or combining one with aws_iam_user_group_membership for the same group, produces inconsistent membership on every apply. Pick one style per group: aws_iam_group_membership (the group lists its users) or aws_iam_user_group_membership (each user lists its groups). Either satisfies this check.
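To verify the fix at build time without a scanner, the following is an added example (not Checkov's own check and not code from the original page) that walks the `planned_values` section of `terraform show -json plan.out` output and reports every aws_iam_user that no aws_iam_group_membership or aws_iam_user_group_membership resource covers, including resources in nested modules. The embedded plan is a constructed sample trimmed to the fields the script reads; the resource addresses and user names in it are illustrative, and the script assumes user names are known at plan time (a computed name is reported as unmatched so the error is on the side of flagging).

```python
"""Report IAM users that no Terraform group-membership resource covers.

Reads the `planned_values` tree of `terraform show -json plan.out` output.
A user counts as covered if its *name* appears in the `users` list of an
aws_iam_group_membership or is the `user` of an aws_iam_user_group_membership
that lists at least one group. Matching is by IAM user name, not Terraform
address, because that is how both membership resources refer to users.
"""
import json
import sys

# Constructed sample in the shape of `terraform show -json`, trimmed to the
# fields read below. user_good is covered via aws_iam_group_membership,
# user_via_ugm via aws_iam_user_group_membership in a child module, and
# user_orphan belongs to no group. Names and addresses are hypothetical.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_iam_user.user_good", "type": "aws_iam_user",
                 "name": "user_good", "values": {"name": "test-user"}},
                {"address": "aws_iam_user.user_orphan", "type": "aws_iam_user",
                 "name": "user_orphan", "values": {"name": "orphan-user"}},
                {"address": "aws_iam_group.group", "type": "aws_iam_group",
                 "name": "group", "values": {"name": "test-group"}},
                {"address": "aws_iam_group_membership.ok_group",
                 "type": "aws_iam_group_membership", "name": "ok_group",
                 "values": {"name": "tf-testing-group-membership",
                            "group": "test-group", "users": ["test-user"]}},
            ],
            "child_modules": [
                {"address": "module.ci",
                 "resources": [
                     {"address": "module.ci.aws_iam_user.user_via_ugm",
                      "type": "aws_iam_user", "name": "user_via_ugm",
                      "values": {"name": "ci-user"}},
                     {"address": "module.ci.aws_iam_user_group_membership.ci",
                      "type": "aws_iam_user_group_membership", "name": "ci",
                      "values": {"user": "ci-user", "groups": ["test-group"]}},
                 ]},
            ],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def users_without_group(plan):
    """Return sorted Terraform addresses of aws_iam_user resources in no group."""
    users = {}        # IAM user name -> Terraform address
    in_group = set()  # IAM user names covered by some membership resource
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        values = res.get("values") or {}   # None/absent when values are unknown
        rtype = res.get("type")
        if rtype == "aws_iam_user":
            # A computed (unknown) name falls back to the address, which can
            # never match a membership entry, so such users are flagged.
            users[values.get("name", res["address"])] = res["address"]
        elif rtype == "aws_iam_group_membership":
            in_group.update(values.get("users") or [])
        elif rtype == "aws_iam_user_group_membership":
            if values.get("user") and values.get("groups"):
                in_group.add(values["user"])
    return sorted(addr for name, addr in users.items() if name not in in_group)


def audit_plan_json(raw_json):
    """Parse plan JSON text and return the addresses of uncovered users."""
    return users_without_group(json.loads(raw_json))


def main(argv):
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN_JSON
    orphans = audit_plan_json(raw)
    for addr in orphans:
        print(f"FAILED: {addr} is not a member of any IAM group")
    return 1 if orphans else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI with `terraform plan -out plan.out && terraform show -json plan.out > plan.json && python audit_iam_groups.py plan.json`; a non-zero exit code fails the pipeline. Without an argument it audits the embedded sample and reports `aws_iam_user.user_orphan`.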