Not all IAM users are members of at least one IAM group

Description

It is considered a best practice to assign all IAM users to at least one IAM group to streamline permission management and ensure users are granted the appropriate access levels to perform their duties.

By associating users with IAM groups, administrators can efficiently manage and enforce permissions at the group level. This approach simplifies permission updates—modifying a group’s policy automatically applies changes to all group members, eliminating the need for individual policy adjustments for each user. This enhances scalability and reduces administrative overhead in complex environments.

Fix - Buildtime

Terraform

  • Resource: aws_iam_group_membership, aws_iam_group, aws_iam_user
  • Argument: users and group of aws_iam_group_membership

resource "aws_iam_group_membership" "ok_group" {
  name = "tf-testing-group-membership"

  users = [
    aws_iam_user.user_good.name,
  ]

  group = aws_iam_group.group.name
}

resource "aws_iam_group" "group" {
  name = "test-group"
}

resource "aws_iam_user" "user_good" {
  name = "test-user"
}
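To see how this rule can be audited offline before deployment, here is an added example (not Checkov's own check implementation) that walks a simplified dict representation of Terraform resources and reports every aws_iam_user that no membership resource references. The SAMPLE_RESOURCES input is constructed for the example, including an extra orphaned user that is not on the page; the dict layout (resources keyed as "type.name", references kept as strings) is an assumption about how the configuration was parsed. It also accepts the per-user aws_iam_user_group_membership resource, which the page does not mention, so the check goes slightly beyond the page's single fix pattern.

```python
"""Offline check: flag IAM users in a Terraform configuration that are not
placed in any IAM group. Added example, not Checkov's own check code."""
from typing import Dict, List, Set

# Constructed sample input (assumption: resources keyed "type.name", with
# cross-resource references kept as plain strings like "aws_iam_user.x.name").
SAMPLE_RESOURCES: Dict[str, Dict[str, object]] = {
    "aws_iam_user.user_good": {"name": "test-user"},
    "aws_iam_user.user_bad": {"name": "orphan-user"},      # constructed: no membership
    "aws_iam_user.user_literal": {"name": "literal-user"}, # constructed: referenced by name
    "aws_iam_group.group": {"name": "test-group"},
    "aws_iam_group_membership.ok_group": {
        "name": "tf-testing-group-membership",
        "users": ["aws_iam_user.user_good.name", "literal-user"],
        "group": "aws_iam_group.group.name",
    },
}


def _user_addresses_by_name(resources: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Map a literal IAM user name ("test-user") to its resource address."""
    return {
        str(args.get("name")): address
        for address, args in resources.items()
        if address.startswith("aws_iam_user.")
    }


def _resolve_user(ref: str, by_name: Dict[str, str]) -> str:
    """Turn a users[] entry into a resource address.

    "aws_iam_user.user_good.name" -> "aws_iam_user.user_good"
    "literal-user"                -> looked up by the user's name attribute
    Unknown literals are returned unchanged and simply never match a user.
    """
    if ref.startswith("aws_iam_user."):
        return ".".join(ref.split(".")[:2])
    return by_name.get(ref, ref)


def users_with_group(resources: Dict[str, Dict[str, object]]) -> Set[str]:
    """Addresses of every aws_iam_user that some membership resource covers."""
    by_name = _user_addresses_by_name(resources)
    covered: Set[str] = set()
    for address, args in resources.items():
        rtype = address.split(".", 1)[0]
        if rtype == "aws_iam_group_membership":
            # one group, many users: the pattern shown in the fix above
            for ref in args.get("users", []):
                covered.add(_resolve_user(str(ref), by_name))
        elif rtype == "aws_iam_user_group_membership":
            # one user, many groups (beyond the page's example)
            covered.add(_resolve_user(str(args.get("user", "")), by_name))
    return covered


def find_users_without_group(resources: Dict[str, Dict[str, object]]) -> List[str]:
    """Return the addresses of IAM users that belong to no group, sorted."""
    covered = users_with_group(resources)
    return sorted(
        address for address in resources
        if address.startswith("aws_iam_user.") and address not in covered
    )


if __name__ == "__main__":
    for failing in find_users_without_group(SAMPLE_RESOURCES):
        print(f"FAILED: {failing} is not a member of any IAM group")
```

Run against the constructed input it reports only aws_iam_user.user_bad: user_good is covered by the reference form shown on the page and user_literal by its plain name. A real deployment of this logic would feed it the resources from a parsed plan or state rather than a hand-built dict.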