
     1  package iam
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  
    12  	"github.com/khulnasoft-lab/defsec/internal/rules"
    13  
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    15  )
    16  
// checkNoUserAttachedPolicies registers AVD-AWS-0143, the CIS AWS benchmark
// control (1.2 §1.16 / 1.4 §1.15) that flags IAM policies attached directly to
// a user rather than to a group or role. The rule is Terraform-aware through
// the shared engine metadata and reports at Low severity.
var checkNoUserAttachedPolicies = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0143",
		Provider:  providers.AWSProvider,
		Service:   "iam",
		ShortCode: "no-user-attached-policies",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"1.16"},
			framework.CIS_AWS_1_4: {"1.15"},
		},
		Summary:    "IAM policies should not be granted directly to users.",
		Impact:     "Complex access control is difficult to manage and maintain.",
		Resolution: "Grant policies at the group level instead.",
		Explanation: `
CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.
			`,
		Links: []string{
			"https://console.aws.amazon.com/iam/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoUserAttachedPoliciesGoodExamples,
			BadExamples:         terraformNoUserAttachedPoliciesBadExamples,
			Links:               terraformNoUserAttachedPoliciesLinks,
			RemediationMarkdown: terraformNoUserAttachedPoliciesRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// Check body: every IAM user in the scanned state yields exactly one
	// result. A user with no entries in Policies passes; any entry fails.
	// NOTE(review): only the user's Policies slice is inspected, so coverage
	// depends on what the adapter populates there (inline and/or managed
	// attachments) — confirm against the AWS adapter.
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, u := range s.AWS.IAM.Users {
			// &u is the address of the per-iteration copy; fine as long as
			// Add/AddPassed do not retain the pointer past the call — TODO confirm.
			if len(u.Policies) == 0 {
				results.AddPassed(&u)
				continue
			}
			results.Add("One or more policies are attached directly to a user", &u)
		}
		return results
	},
)