Getting Started

Checks

AWS Checks

Home AWS001 AWS002 AWS003 AWS004 AWS005 AWS006 AWS007 AWS008 AWS009 AWS010 AWS011 AWS012 AWS013 AWS014 AWS015 AWS016 AWS017 AWS018 AWS019 AWS020 AWS021 AWS022 AWS023 AWS024 AWS025 AWS031 AWS032 AWS033 AWS034 AWS035 AWS036 AWS037 AWS038 AWS039 AWS040 AWS041 AWS042 AWS043 AWS044 AWS045 AWS046 AWS047 AWS048 AWS049 AWS050 AWS051 AWS052 AWS053 AWS054 AWS055 AWS057

AZURE Checks

Home AZU001 AZU002 AZU003 AZU004 AZU005 AZU006 AZU007 AZU008 AZU009 AZU010 AZU011 AZU012 AZU013 AZU014 AZU015 AZU016 AZU017 AZU018 AZU019

GENERAL Checks

Home GEN001 GEN002 GEN003

GOOGLE Checks

Home GCP001 GCP002 GCP003 GCP004 GCP005 GCP006 GCP007 GCP008 GCP009 GCP010 GCP011 GCP012

Github Actions

Code Scanning Alerts PR Commenter

GCP011

IAM granted directly to user.

Explanation

Permissions should not be directly granted to users, you identify roles that contain the appropriate permissions, and then grant those roles to the user.

Granting permissions to users quickly become unwieldy and complex to make large scale changes to remove access to a particular resource.

Permissions should be granted on roles, groups, services accounts instead.

Insecure Example

The following example will fail the GCP011 check.

resource "google_project_iam_binding" "project-binding" {
	members = [
		"user:test@example.com",
		]
}

resource "google_project_iam_member" "project-member" {
	member = "user:test@example.com"
}

Secure Example

The following example will pass the GCP011 check.

resource "google_project_iam_binding" "project-binding" {
	members = [
		"group:test@example.com",
		]
}

resource "google_storage_bucket_iam_member" "bucket-member" {
	member = "serviceAccount:test@example.com"
}

Improve this page