Json Yaml User Missing Role
Description
Detects when AWS IAM Users are created in CloudFormation templates without associated IAM roles, which violates role-based access control (RBAC) best practices. Direct IAM user creation without roles can lead to overly permissive access and makes access management more difficult.
Detection Strategy
• Identifies AWS CloudFormation resource declarations of type 'AWS::IAM::User'
• Checks if the IAM User resource has associated role definitions or role assignments
• Reports a vulnerability if an IAM User is defined without proper role-based access controls
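The strategy above, turned into a small check that a reviewer could run over a JSON-form template (the rule title covers JSON as well as YAML). This is an added example, not Fluid Attacks' own detector; the sample template is constructed, and the notion of "associated role" is an assumption: a user is treated as role-backed when it is placed in a group (via `Groups` or a separate `AWS::IAM::UserToGroupAddition`) or when an inline policy allows `sts:AssumeRole`.

```python
import json

# Constructed sample template (JSON form of a CloudFormation template), not from the page.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "dangerousUser": {
            "Type": "AWS::IAM::User",
            "Properties": {"Path": "/", "LoginProfile": {"Password": "Secret123!"}},
        },
        "RestrictedUser": {
            "Type": "AWS::IAM::User",
            "Properties": {"Path": "/", "Groups": [{"Ref": "DevGroup"}]},
        },
        "DevGroup": {"Type": "AWS::IAM::Group"},
    }
})

# Assumption: these actions count as delegating access through a role.
ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*"}


def _as_list(value):
    """Policy fields may be a single item or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_assume_role(policies):
    """True if any inline policy statement allows sts:AssumeRole."""
    for policy in policies or []:
        doc = policy.get("PolicyDocument", {})
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
            if actions & ASSUME_ROLE_ACTIONS:
                return True
    return False


def users_missing_role(template_text):
    """Return logical IDs of AWS::IAM::User resources with no role-based access path."""
    resources = json.loads(template_text).get("Resources", {})
    # Users attached to a group through a separate UserToGroupAddition resource.
    added_to_group = set()
    for res in resources.values():
        if res.get("Type") == "AWS::IAM::UserToGroupAddition":
            for user in res.get("Properties", {}).get("Users", []):
                added_to_group.add(user.get("Ref") if isinstance(user, dict) else user)
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::IAM::User":
            continue
        props = res.get("Properties", {})
        role_backed = (bool(props.get("Groups")) or logical_id in added_to_group
                       or _grants_assume_role(props.get("Policies")))
        if not role_backed:
            findings.append(logical_id)
    return findings
```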
Vulnerable code example
Resources:
  dangerousUser:
    Type: AWS::IAM::User
    Properties:
      Path: /
      LoginProfile:
        Password: Secret123! # Vulnerable: Hardcoded credential in template
      Policies: ...
✅ Secure code example
Resources:
  RestrictedUser:
    Type: AWS::IAM::User
    Properties:
      Path: /
      LoginProfile:
        Password: !Sub '{{resolve:secretsmanager:${AWS::StackName}-user-password:SecretString}}' # Secure: Password stored in Secrets Manager
      Policies: ...