IAM User Has Attached Policies

Overview

IAM users should only receive permissions through groups. IAM users are granted access to services, functions, and data through IAM policies. There are three ways to give a user a policy: 1) write the policy into the user directly, known as an inline (or user) policy; 2) attach a managed policy directly to the user; 3) add the user to an IAM group that has a policy attached.

Only the third approach is recommended. Assigning IAM policy only through groups consolidates permissions management into a single, flexible layer that mirrors organizational functional roles, which in turn reduces the likelihood of excessive permissions.
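The check described above, as an added example that is not the vendor's own checker: it flags any user holding an inline policy or a directly attached managed policy, and only treats users whose permissions come solely from group membership as compliant. The input is constructed to match the shapes returned by boto3's `list_user_policies` (`PolicyNames`) and `list_attached_user_policies` (`AttachedPolicies`), so the same function can be fed live responses.

```python
"""Flag IAM users that hold permissions outside of group membership (CIS AWS 1.15).

Added example, not the vendor's checker. Input dicts mirror boto3 IAM responses:
list_user_policies() -> {"PolicyNames": [...]} and
list_attached_user_policies() -> {"AttachedPolicies": [{"PolicyName", "PolicyArn"}]}.
"""
from typing import Dict, List

# Constructed sample inventory standing in for live API responses.
SAMPLE_USERS: Dict[str, Dict[str, list]] = {
    # alice gets everything via group membership -> compliant
    "alice": {"PolicyNames": [], "AttachedPolicies": []},
    # bob has an inline (user) policy -> finding
    "bob": {"PolicyNames": ["s3-readonly-inline"], "AttachedPolicies": []},
    # carol has a managed policy attached directly -> finding
    "carol": {
        "PolicyNames": [],
        "AttachedPolicies": [
            {"PolicyName": "AdministratorAccess",
             "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}
        ],
    },
}


def evaluate_user(name: str, data: Dict[str, list]) -> Dict[str, object]:
    """Build a finding record for one user.

    'compliant' is False when the user has any inline policy or any
    directly attached managed policy; both bypass the group layer.
    """
    inline = list(data.get("PolicyNames", []))
    attached = [p["PolicyArn"] for p in data.get("AttachedPolicies", [])]
    return {
        "user": name,
        "inline_policies": inline,
        "attached_policies": attached,
        "compliant": not inline and not attached,
    }


def scan(users: Dict[str, Dict[str, list]]) -> List[Dict[str, object]]:
    """Evaluate every user and return only the non-compliant findings."""
    findings = (evaluate_user(n, d) for n, d in users.items())
    return [f for f in findings if not f["compliant"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_USERS):
        print(f"{finding['user']}: inline={finding['inline_policies']} "
              f"attached={finding['attached_policies']}")
```

Remediation for each finding is to move the policy onto a group (or create one) and add the user to it, then delete the inline policy or detach the managed policy from the user.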

Vendor

AWS

Cloud Service

IAM

CIS AWS v1.5.0 1.15, IAM.2

References

http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html

Severity

3

Item Types

AWS::IAM::User