IAM policies should not be attached to users


Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity may reduce opportunity for a principal to inadvertently receive or retain excessive privileges.

Remediation Steps

AWS Console

  • Navigate to IAM.

  • In the left navigation, select User groups.

  • Click the Create group button.

  • Enter a name for the group and click next.

  • Select the desired users to add to the group.

  • From the policy list, select each policy that you want to apply to all members in that group.

  • Click Create group.

  • In the left navigation, select Users.

  • Select a user from the list.

  • In the Permissions tab, remove any policies that are attached directly to the user.

  • Repeat the above steps for all users.


To create a new group:

  • aws iam create-group --group-name <group name>

To attach a policy to the group:

  • aws iam attach-group-policy --group-name <group name> --policy-arn <ARN>

To add users to the group:

  • aws iam add-user-to-group --user-name <user name> --group-name <group name>

To detach a managed policy attached to a user:

  • aws iam detach-user-policy --user-name <user name> --policy-arn <ARN>

To delete an inline policy attached to a user:

  • aws iam delete-user-policy --user-name <user name> --policy-name <policy name>


Example Configuration

resource "aws_iam_group_policy" "example" {
  name  = "my_group_policy"
  group = aws_iam_group.my_group.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
        Action = [
        Effect = "Deny"
  # other required fields here

resource "aws_iam_group" "my_group" {
  name = "my_group"
  path = "/users/"