IAM policies should not be attached to users

Description

Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity may reduce opportunity for a principal to inadvertently receive or retain excessive privileges.

Remediation Steps

AWS Console

  • Navigate to IAM.

  • In the left navigation, select User groups.

  • Click the Create group button.

  • Enter a name for the group and click Next.

  • Select the desired users to add to the group.

  • From the policy list, select each policy that you want to apply to all members in that group.

  • Click Create group.

  • In the left navigation, select Users.

  • Select a user from the list.

  • In the Permissions tab, remove any policies that are attached directly to the user.

  • Repeat the above steps for all users.

AWS CLI

To create a new group:

  • aws iam create-group --group-name <group name>

To attach a policy to the group:

  • aws iam attach-group-policy --group-name <group name> --policy-arn <ARN>

To add users to the group:

  • aws iam add-user-to-group --user-name <user name> --group-name <group name>

To detach a managed policy attached to a user:

  • aws iam detach-user-policy --user-name <user name> --policy-arn <ARN>

To delete an inline policy attached to a user:

  • aws iam delete-user-policy --user-name <user name> --policy-name <policy name>

CloudFormation

JSON

JSON Example Configuration
{
  "Group01": {
    "Type": "AWS::IAM::Group"
  },
  "ValidPolicy01": {
    "Type": "AWS::IAM::Policy",
    "Properties": {
      "Groups": [
        { "Ref" : "Group01" }
      ],
      "PolicyName": "valid_policy_01",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": [
            "ec2:StartInstances"
          ],
          "Resource": [
            "*"
          ]
        }
      }
    }
  }
  # other required fields here
}

YAML

YAML Example Configuration
Group01:
  Type: AWS::IAM::Group
# other required fields here

ValidPolicy01:
  Type: AWS::IAM::Policy
  Properties:
    Groups:
    - !Ref Group01
    PolicyName: valid_policy_01
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        Effect: Allow
        Action:
        - 'ec2:StartInstances'
        Resource:
        - '*'
# other required fields here
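The rule itself can be checked before deployment. The following is an added example, not part of this rule page or of any AWS tooling: it walks a parsed CloudFormation template and reports every resource that binds a policy directly to a user via the documented properties AWS::IAM::Policy.Users, AWS::IAM::ManagedPolicy.Users and AWS::IAM::User.Policies/ManagedPolicyArns. The sample template and its logical IDs (User01, InvalidPolicy01, inline_01) are constructed for the demonstration.

```python
import json
import sys

# CloudFormation resource types and the documented properties that bind a
# policy directly to an IAM user (the condition this rule flags).
USER_BINDINGS = {
    "AWS::IAM::Policy": ["Users"],
    "AWS::IAM::ManagedPolicy": ["Users"],
    "AWS::IAM::User": ["Policies", "ManagedPolicyArns"],
}


def find_user_attached_policies(template):
    """Return (logical_id, resource_type, property) for each resource in a
    parsed CloudFormation template that attaches a policy directly to a user."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties") or {}
        for prop in USER_BINDINGS.get(resource.get("Type"), []):
            if props.get(prop):  # an empty list is not a binding
                findings.append((logical_id, resource["Type"], prop))
    return findings


# Constructed sample: ValidPolicy01 is scoped to a group (compliant);
# User01 carries an inline policy and InvalidPolicy01 targets a user.
POLICY_DOC = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["ec2:StartInstances"], "Resource": ["*"]}}
SAMPLE_TEMPLATE = {
    "Resources": {
        "Group01": {"Type": "AWS::IAM::Group"},
        "ValidPolicy01": {"Type": "AWS::IAM::Policy", "Properties": {
            "Groups": [{"Ref": "Group01"}], "PolicyName": "valid_policy_01",
            "PolicyDocument": POLICY_DOC}},
        "User01": {"Type": "AWS::IAM::User", "Properties": {
            "Policies": [{"PolicyName": "inline_01", "PolicyDocument": POLICY_DOC}]}},
        "InvalidPolicy01": {"Type": "AWS::IAM::Policy", "Properties": {
            "Users": [{"Ref": "User01"}], "PolicyName": "invalid_policy_01",
            "PolicyDocument": POLICY_DOC}},
    }
}

if __name__ == "__main__":
    # Pass a JSON template path to scan a real file; otherwise use the sample.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for logical_id, rtype, prop in find_user_attached_policies(template):
        print(f"{logical_id} ({rtype}): policy bound via {prop}; move it to a group")
```

YAML templates that use short-form tags such as !Ref need a CloudFormation-aware loader before this check; the group-scoped ValidPolicy01 produces no finding.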

Terraform

Example Configuration

resource "aws_iam_group_policy" "example" {
  name   = "my_group_policy"
  group  = aws_iam_group.my_group.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:ListAllMyBuckets",
        ]
        Effect   = "Deny"
        Resource = "*"
      },
    ]
  })
  # other required fields here
}

resource "aws_iam_group" "my_group" {
  name = "my_group"
  path = "/users/"
}