IAM policies should not be attached to users


Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Lower access-management complexity reduces the opportunity for a principal to inadvertently receive or retain excessive privileges, because permissions are reviewed and changed in one place per group rather than per user.

Console Remediation Steps

  • Navigate to IAM.

  • In the left navigation, select Groups.

  • Click the Create New Group button.

  • Enter a name for the group and click Next.

  • From the policy list, select each policy that you want to apply to all members in that group.

  • Click Next Step > Create Group.

  • Select the group you created in the previous step.

  • From the Group Actions drop-down, select Add Users to Group.

  • Select the desired users and click Add Users.

  • Repeat the above steps until every user belongs to the group appropriate for their role.

  • In the left navigation, select Users.

  • Select a user from the list.

  • In the Permissions tab, remove any policies that are attached directly to the user.

  • Repeat the above steps for all users.

CLI Remediation Steps

To create a new group:

  • aws iam create-group --group-name <group name>

To attach a policy to the group:

  • aws iam attach-group-policy --group-name <group name> --policy-arn <ARN>

To add users to the group:

  • aws iam add-user-to-group --user-name <user name> --group-name <group name>

To detach a managed policy attached to a user:

  • aws iam detach-user-policy --user-name <user name> --policy-arn <ARN>

To delete an inline policy attached to a user:

  • aws iam delete-user-policy --user-name <user name> --policy-name <policy name>
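The console and CLI procedures above, combined into one audit-and-plan script (an added example; it is not part of the original page and is not an AWS tool): it takes the response shapes of `aws iam list-attached-user-policies` and `aws iam list-user-policies`, flags every user that still has a policy attached directly, and emits the page's remediation commands in an order that adds the user to a group before detaching anything, so access never lapses mid-migration. The user names, the `migrated-N` group names and the policy assignments are constructed for the example; in practice the per-user inputs come from `aws iam list-users` followed by the two list calls for each user.

```python
"""Find IAM users with directly attached policies and plan the move to groups.

Added example; the sample data below is constructed, not real account output.
"""
from dataclasses import dataclass, field


@dataclass
class IamUser:
    user_name: str
    attached_policies: list = field(default_factory=list)  # managed policy ARNs
    inline_policies: list = field(default_factory=list)    # inline policy names


def user_from_api(user_name, attached_resp, inline_resp):
    """Build an IamUser from the JSON returned by
    `aws iam list-attached-user-policies` ({"AttachedPolicies": [...]})
    and `aws iam list-user-policies` ({"PolicyNames": [...]})."""
    return IamUser(
        user_name,
        [p["PolicyArn"] for p in attached_resp.get("AttachedPolicies", [])],
        list(inline_resp.get("PolicyNames", [])),
    )


RO = "arn:aws:iam::aws:policy/ReadOnlyAccess"
PW = "arn:aws:iam::aws:policy/IAMUserChangePassword"

# Constructed sample shaped like the two CLI responses; the assignments are invented.
SAMPLE_USERS = [
    user_from_api("alice", {"AttachedPolicies": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": RO}]},
                  {"PolicyNames": []}),
    user_from_api("bob", {"AttachedPolicies": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": RO}]},
                  {"PolicyNames": ["bob-s3-inline"]}),
    user_from_api("carol", {"AttachedPolicies": []}, {"PolicyNames": []}),  # compliant: group access only
    user_from_api("dave", {"AttachedPolicies": [{"PolicyName": "IAMUserChangePassword", "PolicyArn": PW}]},
                  {"PolicyNames": []}),
]


def find_noncompliant(users):
    """Users violating the rule: any managed policy attached directly, or any inline policy."""
    return [u for u in users if u.attached_policies or u.inline_policies]


def plan_remediation(users, group_prefix="migrated"):
    """Return (commands, review).

    commands: AWS CLI commands in a safe order. Users with the same set of managed
    policies share one group (so nobody is over-granted by a union of everyone's
    policies), and each user joins the group before anything is detached.
    review: inline policies. Their documents exist only on the user, so they must be
    re-created on the group or replaced by a managed policy before the listed
    delete-user-policy command is run; the script does not run it for you.
    """
    commands, review = [], []
    groups = {}  # frozenset of policy ARNs -> group name
    for user in find_noncompliant(users):
        key = frozenset(user.attached_policies)
        if key and key not in groups:
            name = f"{group_prefix}-{len(groups) + 1}"
            groups[key] = name
            commands.append(f"aws iam create-group --group-name {name}")
            for arn in sorted(key):
                commands.append(f"aws iam attach-group-policy --group-name {name} --policy-arn {arn}")
        if key:
            commands.append(f"aws iam add-user-to-group --user-name {user.user_name} --group-name {groups[key]}")
        for arn in user.attached_policies:
            commands.append(f"aws iam detach-user-policy --user-name {user.user_name} --policy-arn {arn}")
        for policy_name in user.inline_policies:
            review.append((user.user_name, policy_name,
                           f"aws iam delete-user-policy --user-name {user.user_name} --policy-name {policy_name}"))
    return commands, review


if __name__ == "__main__":
    cmds, todo = plan_remediation(SAMPLE_USERS)
    print("\n".join(cmds))
    for user_name, policy_name, cmd in todo:
        print(f"# re-create inline policy {policy_name!r} from user {user_name} on its group first, then: {cmd}")
```

Grouping by identical policy set is deliberate: putting the union of all users' policies on one group would grant some users permissions they never had, which is the opposite of what this rule is trying to achieve. Run the emitted commands only after reviewing them, and treat the inline-policy list as a manual step.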