IAM policies should not be attached to users

Description

Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity may reduce the opportunity for a principal to inadvertently receive or retain excessive privileges.

Console Remediation Steps

  • Navigate to IAM.

  • In the left navigation, select Groups.

  • Click the Create New group button.

  • Enter a name for the group and click Next.

  • From the policy list, select each policy that you want to apply to all members in that group.

  • Click Next Step > Create Group.

  • Select the group you created in the previous step.

  • From the Group Actions drop-down, select Add Users to Group.

  • Select the desired users and click Add Users.

  • Repeat the above steps until all users are attached to a respective group.

  • In the left navigation, select Users.

  • Select a user from the list.

  • In the Permissions tab, remove any policies that are attached directly to the user.

  • Repeat the above steps for all users.
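
To confirm the steps above are complete, the following added example (not part of the original guidance) parses the JSON produced by `aws iam get-account-authorization-details --filter User` and lists users that still have managed or inline policies attached directly, plus users that belong to no group. The function names and the sample data are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape returned by
# `aws iam get-account-authorization-details --filter User`.
SAMPLE = json.loads("""
{"UserDetailList": [
  {"UserName": "alice", "GroupList": ["developers"],
   "AttachedManagedPolicies": [], "UserPolicyList": []},
  {"UserName": "bob", "GroupList": [],
   "AttachedManagedPolicies": [
     {"PolicyName": "ReadOnlyAccess",
      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
   "UserPolicyList": [{"PolicyName": "adhoc-s3", "PolicyDocument": {}}]},
  {"UserName": "carol"}
]}
""")


def users_with_direct_policies(details):
    """Map each user that still has directly attached policies to them.

    Both managed policies attached to the user and inline user policies
    count as "attached directly to the user".
    """
    findings = {}
    for user in details.get("UserDetailList", []):
        managed = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        if managed or inline:
            findings[user["UserName"]] = {"managed": managed, "inline": inline}
    return findings


def users_without_group(details):
    """Users in no group, so no group-level policy applies to them yet."""
    return sorted(u["UserName"] for u in details.get("UserDetailList", [])
                  if not u.get("GroupList"))


if __name__ == "__main__":
    # Pass a saved JSON file as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for name, pols in sorted(users_with_direct_policies(data).items()):
        print(f"{name}: managed={pols['managed']} inline={pols['inline']}")
    print("no group:", ", ".join(users_without_group(data)) or "none")
```

Users reported in both lists should be added to a group before their direct policies are removed, so they do not lose access they legitimately need.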

CLI Remediation Steps

N/A