AWS IAM Group Policy Attachment

This page shows how to write Terraform and CloudFormation for IAM Group Policy Attachment and write them securely.

aws_iam_group_policy_attachment (Terraform)

The Group Policy Attachment in IAM can be configured in Terraform with the resource name aws_iam_group_policy_attachment. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

users.tf#L24
resource "aws_iam_group_policy_attachment" "notd_users_read_from_notd_queue" {
  group = aws_iam_group.notd_users.name
  policy_arn = aws_iam_policy.read_from_notd_queue.arn
}

resource "aws_iam_group_policy_attachment" "notd_users_read_from_notd_queue_dl" {
iam-groups.tf#L7
resource "aws_iam_group_policy_attachment" "admins_administratoraccess" {
  group      = aws_iam_group.admins.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# IAM group: AWSOrganisationsAdmin
iam.tf#L5
resource "aws_iam_group_policy_attachment" "attach_ec2_full_access" {
  group      = aws_iam_group.kops.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

resource "aws_iam_group_policy_attachment" "attach_route53_full_access" {
iam-attachments.tf#L5
resource "aws_iam_group_policy_attachment" "admindatalake-attach1" {
  group      = aws_iam_group.admindatalake.name
  policy_arn = aws_iam_policy.rw_raw_staging.arn
}

resource "aws_iam_group_policy_attachment" "admindatalake-attach2" {
aws_iam_policy_attachements.tf#L1
resource "aws_iam_group_policy_attachment" "business_owner" {
  group      = aws_iam_group.budget_owner.name
  policy_arn = aws_iam_policy.business_owner.arn
}

resource "aws_iam_group_policy_attachment" "budget_owner" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Attaches a Managed IAM Policy to an IAM group

NOTE: The usage of this resource conflicts with the aws_iam_policy_attachment resource and will permanently show a difference if both are defined.

Tips: Best Practices for The Other AWS IAM Resources

In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_iam_account_password_policy

Ensure AWS IAM account password policies requires long passwords

It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.

Review your AWS IAM settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::IAM::Group (CloudFormation)

The Group in IAM can be configured in CloudFormation with the resource name AWS::IAM::Group. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

dev.yml#L3
    Type: AWS::IAM::Group
    Properties:
      GroupName: Admins
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

groups.yml#L3
    Type: "AWS::IAM::Group"
    DeletionPolicy: Retain
    Properties:
      GroupName: PrimeAdmins
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
groups.yml#L3
    Type: "AWS::IAM::Group"
    Properties:
      GroupName: PrimeAdmins
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

creategroups.yml#L20
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Ref DevgroupName
  AdministratorGroup:
    Type: AWS::IAM::Group
    Properties:
iam_user_with_two_additions.yml#L14
    Type: "AWS::IAM::Group"
    Properties:
      GroupName: "groupA"

  groupB:
    Type: "AWS::IAM::Group"
CloudFormation.json#L6
            "Type": "AWS::IAM::Group",
            "Description": "Accountants will have access only to the billing section of AWS.",
            "Properties": {
                "GroupName": "Accountants",
                "Path": "/Department/Accountants/",
                "Policies": [
Scout2-Master-003-IAMGroups-Global-Wait.json#L6
            "Type": "AWS::IAM::Group",
            "Properties": {
                "GroupName": "BlockedUsers",
                "ManagedPolicyArns": [
                    { "Fn::ImportValue": "DenyAllPolicyArn" }
                ]
Identity-StandardGroups.json#L37
      "Type" : "AWS::IAM::Group",
      "Properties" : {
        "GroupName" : "Administrators",
        "Path" : "/",
        "ManagedPolicyArns" : [
          "arn:aws:iam::aws:policy/AdministratorAccess"
Identity-StandardGroups.json#L37
      "Type" : "AWS::IAM::Group",
      "Properties" : {
        "GroupName" : "Administrators",
        "Path" : "/",
        "ManagedPolicyArns" : [
          "arn:aws:iam::aws:policy/AdministratorAccess"
iam_user_with_two_additions.json#L18
      "Type": "AWS::IAM::Group",
      "Properties": {
        "GroupName": "groupA"
      }
    },

Parameters

Explanation in CloudFormation Registry

Creates a new group. For information about the number of groups you can create, see Limitations on IAM Entities in the IAM User Guide.

Frequently asked questions

What is AWS IAM Group Policy Attachment?

AWS IAM Group Policy Attachment is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS IAM Group Policy Attachment?

For Terraform, the kibalabs/nftoftheday, ministryofjustice/aws-root-account and mattjmcnaughton/personal-k8s source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the FluxAugur/serverless-infrastructure, ServerlessOpsIO/infrastructure and ServerlessOpsIO/infrastructure source code examples are useful. See the CloudFormation Example section for further details.