Terraform Policy Attached To User
Description
Detects when IAM policies are attached directly to AWS users rather than through groups. Direct policy attachments to users create management overhead and increase the risk of privilege escalation since individual user permissions become harder to track and audit.
Detection Strategy
• Identifies Terraform resource blocks of type 'aws_iam_user_policy'
• Checks if the resource has both a 'policy' and 'user' attribute defined
• Reports a vulnerability when a policy is being directly attached to a user rather than through a group
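The detection strategy above, implemented as an added example in Python (not Fluid Attacks' own scanner): a minimal line-based walk over HCL that records each resource block's top-level attributes, skipping heredoc bodies and nested jsonencode braces, then flags aws_iam_user_policy blocks that define both user and policy. The sample configuration is constructed for this example.

```python
import re
# Constructed sample (not from the page): heredoc user policy, jsonencode policy, group attachment.
SAMPLE_TF = """resource "aws_iam_user_policy" "lb_policy" {
  name   = "unsafe_policy"
  user   = aws_iam_user.lb.name
  policy = <<EOF
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
EOF
}
resource "aws_iam_policy" "lb_policy" {
  policy = jsonencode({
    Version = "2012-10-17", Statement = [] })
}
resource "aws_iam_group_policy_attachment" "lb_attach" {
  group      = aws_iam_group.lb.name
  policy_arn = aws_iam_policy.lb_policy.arn
}
"""
RESOURCE_RE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{$')
ATTR_RE = re.compile(r'\s*(\w+)\s*=')
HEREDOC_RE = re.compile(r'<<-?(\w+)\s*$')

def find_resources(hcl):
    """Return (type, name, top-level attribute names) per resource block. Only brace
    depth 1 counts, and heredoc bodies are skipped so JSON braces do not skew the depth."""
    resources, lines, i = [], hcl.splitlines(), 0
    while i < len(lines):
        header = RESOURCE_RE.match(lines[i].strip())
        i += 1
        if not header:
            continue
        depth, heredoc, attrs = 1, None, set()
        while i < len(lines) and depth > 0:
            line, i = lines[i], i + 1
            if heredoc is not None:              # inside <<EOF ... EOF
                heredoc = None if line.strip() == heredoc else heredoc
                continue
            if depth == 1 and (attr := ATTR_RE.match(line)):
                attrs.add(attr.group(1))
            if marker := HEREDOC_RE.search(line):
                heredoc = marker.group(1)
                continue
            depth += line.count("{") - line.count("}")
        resources.append((header.group(1), header.group(2), attrs))
    return resources

def find_user_policies(hcl):
    """The page's rule: aws_iam_user_policy blocks that define both 'user' and 'policy'."""
    return [f"{rtype}.{name}" for rtype, name, attrs in find_resources(hcl)
            if rtype == "aws_iam_user_policy" and {"user", "policy"} <= attrs]
```

Only the direct user attachment is reported; the managed policy and the group attachment pass, which is the group-based pattern the secure example below relies on.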
Vulnerable code example
resource "aws_iam_user_policy" "lb_policy" {
  name   = "unsafe_policy"
  user   = aws_iam_user.lb.name # Vulnerable: Directly binding policy to IAM user without restrictions
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [...]
}
EOF
}

✅ Secure code example
# Create a managed policy with least privilege permissions
resource "aws_iam_policy" "lb_policy" {
  name        = "load_balancer_policy"
  description = "Limited permissions policy for load balancer operations"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [...]
  })
}