
IAM policies are not only attached to Groups and Roles

Description

By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.

Assigning privileges at the group or role level reduces the complexity of access management as the number of users increases. Reducing access management complexity may in turn reduce the opportunity for a principal to inadvertently receive or retain excessive privileges.

We recommend that IAM policies are applied directly to groups and roles, but not to users.

Fix - Buildtime

CloudFormation

  • Resource: AWS::IAM::Policy
  • Arguments: Properties.Users

```yaml
Resources:
  ExamplePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      ...
-     Users:
-       - example_user
```
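As an added illustration (not Checkov's own check implementation), the script below scans a CloudFormation template for `AWS::IAM::Policy` resources whose `Properties.Users` argument is set, and applies the buildtime fix by dropping that argument. The template is read in CloudFormation's JSON form so only the standard library is needed; the sample template and resource names are constructed for the example.

```python
"""Added example: detect and remediate IAM policies attached directly to users."""
import json

# Constructed sample: one policy attached to a user (fails the rule),
# one attached only to a group (passes).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "ExamplePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "example",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]},
                "Users": ["example_user"],
            },
        },
        "GroupPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "group-example",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]},
                "Groups": ["example_group"],
            },
        },
    }
})


def policies_attached_to_users(template_text):
    """Return logical IDs of AWS::IAM::Policy resources that target any Users."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        users = resource.get("Properties", {}).get("Users")
        # An empty list is fine; a non-empty list or an intrinsic function
        # value such as {"Ref": ...} means the policy is bound to users.
        if users:
            findings.append(logical_id)
    return findings


def remediate(template_text):
    """Return a copy of the template with Users removed from every IAM policy,
    matching the buildtime fix above (privileges then belong on Groups/Roles)."""
    template = json.loads(template_text)
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") == "AWS::IAM::Policy":
            resource.get("Properties", {}).pop("Users", None)
    return json.dumps(template)


if __name__ == "__main__":
    print(policies_attached_to_users(SAMPLE_TEMPLATE))  # ['ExamplePolicy']
```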