Terraform Missing Role Based Security
Description
Detects when an AWS IAM policy is attached directly to an IAM user instead of being granted through an IAM role. Permissions attached per user are scattered across identities, accumulate without review, and are backed by long-lived user credentials rather than temporary session credentials, which makes them harder to audit and maintain and tends to violate the principle of least privilege. Granting the same permissions through a role that the user assumes keeps the permission set in one place and limits it to the duration of the session.
Detection Strategy
• Identifies Terraform resources of type 'aws_iam_user_policy' in infrastructure code
• Reports a security issue when an IAM policy is directly attached to a user through the aws_iam_user_policy resource
• Recommends using IAM roles and role-based access control instead of direct user policies
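The detection strategy above amounts to locating resource blocks of the flagged type and reporting each one. The following Python scanner is an added example (not Fluid Attacks' own checker) that implements that logic over a constructed Terraform snippet containing both a direct user policy and a role-based equivalent. It goes one step beyond the rule as stated on the page: it also flags aws_iam_user_policy_attachment, which attaches a managed policy to a user and is the same pattern; that second resource type and the sample input are assumptions of this example.

```python
"""Scanner for IAM policies attached directly to users in Terraform code.
Added example; not Fluid Attacks' own implementation."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Resource types that bind a policy straight to an IAM user. The rule on the
# page names only aws_iam_user_policy; the attachment variant is an assumed
# extension that covers managed policies attached to a user.
DIRECT_USER_POLICY_TYPES = {
    "aws_iam_user_policy": "inline policy attached directly to an IAM user",
    "aws_iam_user_policy_attachment": "managed policy attached directly to an IAM user",
}

# Opening line of a Terraform resource block: resource "<type>" "<name>" {
RESOURCE_RE = re.compile(r'^\s*resource\s+"([A-Za-z0-9_]+)"\s+"([A-Za-z0-9_-]+)"\s*\{')


@dataclass(frozen=True)
class Finding:
    line: int           # 1-based line number of the resource block opener
    resource_type: str  # Terraform resource type that triggered the finding
    name: str           # Terraform resource name
    reason: str         # why the resource type is reported


def scan_terraform(source: str) -> list[Finding]:
    """Return one Finding per live resource block whose type attaches a policy to a user."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # commented-out blocks are not deployed resources
        match = RESOURCE_RE.match(line)
        if match and match.group(1) in DIRECT_USER_POLICY_TYPES:
            rtype, rname = match.group(1), match.group(2)
            findings.append(Finding(lineno, rtype, rname, DIRECT_USER_POLICY_TYPES[rtype]))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one human-readable line each."""
    return [
        f'line {f.line}: resource "{f.resource_type}" "{f.name}": {f.reason}; '
        "attach the policy to an IAM role the user assumes instead"
        for f in findings
    ]


# Constructed sample input: a direct user policy, a commented-out one that must
# be ignored, and a role-based equivalent that must not be reported.
SAMPLE_TF = '''\
resource "aws_iam_user" "app" {
  name = "app"
}

resource "aws_iam_user_policy" "insecure_policy" {
  name   = "test"
  user   = aws_iam_user.app.name
  policy = jsonencode({ Version = "2012-10-17", Statement = [{ Action = ["ec2:Describe*"], Effect = "Allow", Resource = "*" }] })
}

# resource "aws_iam_user_policy" "commented_out" {}

resource "aws_iam_role" "app" {
  name               = "app_ec2_describe"
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{ Action = "sts:AssumeRole", Effect = "Allow", Principal = { AWS = aws_iam_user.app.arn } }] })
}

resource "aws_iam_role_policy" "secure_policy" {
  name   = "ec2_describe_policy"
  role   = aws_iam_role.app.id
  policy = jsonencode({ Version = "2012-10-17", Statement = [{ Action = ["ec2:DescribeInstances"], Effect = "Allow", Resource = "*" }] })
}
'''

if __name__ == "__main__":
    for line in report(scan_terraform(SAMPLE_TF)):
        print(line)
```

The scanner keys on the resource type alone, which is exactly what the rule describes: the content of the policy document is irrelevant to this finding, so a tightly scoped user policy is reported just as a wildcard one is. A real implementation would parse HCL rather than match lines, but the decision logic is the same.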
Vulnerable code example
resource "aws_iam_user_policy" "insecure_policy" {
  name = "test" # Vulnerable: the policy is attached directly to an IAM user instead of to a role
  user = aws_iam_user.app.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action   = ["ec2:Describe*"] # Wildcard action, broader than the single API call needed
      Effect   = "Allow"
      Resource = "*" # Applies to every EC2 resource in the account
    }]
  })
}
Secure code example
resource "aws_iam_role" "app" {
  name = "app_ec2_describe" # Role the user assumes; permissions live here, not on the user
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Action = "sts:AssumeRole", Effect = "Allow", Principal = { AWS = aws_iam_user.app.arn } }]
  })
}

resource "aws_iam_role_policy" "secure_policy" {
  name = "ec2_describe_policy" # Clear, specific name indicating policy purpose
  role = aws_iam_role.app.id   # Attached to the role, so the user holds no standing permissions
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Action = ["ec2:DescribeInstances"], Effect = "Allow", Resource = "*" }] # Specific action instead of wildcard
  })
}