Profile Applicability:

Level 1

Description:

AWS IAM users should receive permissions only through IAM groups, rather than through policies attached directly to, or embedded in, the user. AWS provides multiple ways to assign policies to users:

  1. Inline user policies (embedded directly in a user). 

  2. Managed policies attached directly to a user. 

  3. Managed policies attached to a group (Recommended). 

  4. Inline policies embedded in a group. 

Only the first two forms are non-compliant with this recommendation; both group-based forms satisfy it, although managed policies on groups are easier to reuse and audit.

Rationale:

  • Centralized access management improves security and reduces privilege creep.

  • Groups support least privilege by assigning permissions per job function rather than per individual user.

  • Easier permissions audits since policies are applied at the group level.

  • Reduces risk of excessive permissions or policy misconfigurations.

Impact:

  • Failure to enforce group-based permissions may lead to users with excessive or outdated privileges.

  • User-specific policies increase complexity, making it harder to audit permissions.

  • Manually managing policies at the user level is error-prone and inefficient.

Default Value:

By default, AWS allows:

  • IAM users to have directly attached policies.

  • IAM users to have inline policies.

  • IAM users to exist without belonging to any group.

Pre-Requisites:

  1. IAM Administrator Access:

    • Required permissions: iam:ListUsers, iam:ListAttachedUserPolicies, iam:ListUserPolicies and iam:ListGroupsForUser to audit; iam:CreateGroup, iam:AttachGroupPolicy, iam:AddUserToGroup, iam:DetachUserPolicy and iam:DeleteUserPolicy to remediate; iam:AttachUserPolicy and iam:RemoveUserFromGroup for the backout plan.

  2. Access to AWS CloudTrail (optional):

    • To monitor changes to IAM user permissions.

  3. IAM Policy Enforcement:

    • Implement an AWS Organizations Service Control Policy (SCP) that denies iam:AttachUserPolicy and iam:PutUserPolicy, so that permissions can no longer be granted to users directly and must be granted through groups.
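
The SCP referred to in item 3, as an added example (it is not part of the benchmark text). The policy document denies the two IAM actions that create direct user permissions, and the helper creates the SCP and attaches it to a target. The aws CLI, credentials in the Organizations management account, the policy name DenyDirectUserPolicies and the target id in the usage line are all assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the benchmark text: an SCP that blocks the two IAM
# actions which create direct user permissions, plus the CLI calls to create
# and attach it. Assumes the aws CLI and management-account credentials.
set -euo pipefail

# Print the SCP document. Group actions (AttachGroupPolicy, PutGroupPolicy)
# are deliberately not denied: groups are the intended path.
#   iam:AttachUserPolicy covers managed policies attached directly to a user
#   iam:PutUserPolicy    covers inline policies embedded in a user
scp_document() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDirectUserPolicies",
      "Effect": "Deny",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:PutUserPolicy"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# create_and_attach_scp TARGET_ID: create the policy and attach it to an OU,
# account or root id. Prints the new policy id. Run this only after the
# remediation steps are finished, because the same deny also blocks the
# attach-user-policy command used in the Backout Plan.
create_and_attach_scp() {
  local target_id="$1" policy_id
  policy_id=$(aws organizations create-policy \
    --name DenyDirectUserPolicies \
    --description "IAM users receive permissions only through groups" \
    --type SERVICE_CONTROL_POLICY \
    --content "$(scp_document)" \
    --query 'Policy.PolicySummary.Id' --output text)
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$target_id"
  printf '%s\n' "$policy_id"
}

# Usage: ./enforce-scp.sh ou-abcd-12345678
# (no API call is made unless a target id is given, so scp_document can be
# reviewed or tested offline)
if [ -n "${1:-}" ]; then
  create_and_attach_scp "$1"
fi
```

Two caveats a practitioner should keep in mind: SCPs never apply to principals in the management account itself, so users there still need the audit below; and the deny applies to every principal in the target, administrators included, so a break-glass role needs an explicit exception (for example a Condition on aws:PrincipalArn) if one is required.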

Remediation:

Test Plan:

Using Console Steps:

  1. Login to AWS Console as an IAM Administrator.

  2. Open the IAM Console → Click Users.

  3. Click on an IAM user's name → Go to the Permissions tab.

  4. Expand Permissions policies:

    • If any policies (managed or inline) are attached directly to the user rather than via a group, the user is non-compliant.

  5. Repeat this for all IAM users.

Using Command Line Steps:

  • List all IAM users:
aws iam list-users --query 'Users[*].UserName' --output text
  • Check each IAM user for directly attached policies:
aws iam list-attached-user-policies --user-name <iam_user>

If any policies are returned, the user is non-compliant.

  • Check each IAM user for inline policies:
aws iam list-user-policies --user-name <iam_user>

If any policies are returned, the user is non-compliant.

  • Repeat for all IAM users.
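
The command-line test plan above, scripted over every user in the account, as an added example (not part of the benchmark text). The compliance decision is kept in a function that takes the two list outputs as arguments, so it can be checked offline with constructed input; only the outer loop calls the AWS CLI. The aws CLI with the audit permissions from Pre-Requisites is assumed, and the user names in the comments are made up.

```shell
#!/usr/bin/env bash
# Added example, not part of the benchmark text: runs the three list commands
# from the test plan over every IAM user and prints the non-compliant ones.
# Assumes the aws CLI with iam:ListUsers, iam:ListAttachedUserPolicies and
# iam:ListUserPolicies. User names such as "carol" in comments are made up.
set -euo pipefail

# classify_user USER ATTACHED_ARNS INLINE_NAMES
# Takes the whitespace-separated text output of list-attached-user-policies and
# list-user-policies for one user (empty when the user has none of that kind).
# Prints nothing and returns 0 if the user is compliant; otherwise prints one
# finding line and returns 1. No AWS calls here, so it can be exercised offline.
classify_user() {
  local user="$1" attached="${2:-}" inline="${3:-}" finding=""
  if [ -n "$attached" ]; then
    finding="directly attached managed policies: $attached"
  fi
  if [ -n "$inline" ]; then
    finding="${finding:+$finding; }inline policies: $inline"
  fi
  if [ -z "$finding" ]; then
    return 0
  fi
  # e.g. NON-COMPLIANT carol (inline policies: s3-write)
  printf 'NON-COMPLIANT %s (%s)\n' "$user" "$finding"
  return 1
}

# audit_all_users: iterate every IAM user (the CLI paginates list-users),
# fetch the two direct-policy lists and classify each user. Exit status is 0
# only when every user is compliant, so the script can gate a CI job.
audit_all_users() {
  local user attached inline bad=0
  for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
    attached=$(aws iam list-attached-user-policies --user-name "$user" \
                 --query 'AttachedPolicies[*].PolicyArn' --output text)
    inline=$(aws iam list-user-policies --user-name "$user" \
                 --query 'PolicyNames[*]' --output text)
    classify_user "$user" "$attached" "$inline" || bad=1
  done
  return "$bad"
}

# Usage: ./audit-iam-users.sh --run
# Nothing is queried unless --run is given, so the file can also be sourced
# to test classify_user with constructed input.
if [ "${1:-}" = "--run" ]; then
  audit_all_users
fi
```

Policies inherited through group membership are never listed by these two commands, so a user whose only permissions come from groups produces empty output for both and is reported as compliant, which is exactly the condition the test plan describes.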

Implementation Steps:

Step 1: Create an IAM Group and Assign a Policy

Using Console Steps

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Groups.

  3. Click Create New Group.

  4. Enter a Group Name → Click Next Step.

  5. Select the appropriate IAM Policies to attach to the group.

  6. Click Create Group.

Using Command Line Steps

  • Create an IAM group:
aws iam create-group --group-name <group_name>
  • Attach a managed policy to the group (the arn:aws:iam::aws:policy/ prefix is for AWS managed policies; a customer managed policy uses arn:aws:iam::<account_id>:policy/<policy_name>):
aws iam attach-group-policy --group-name <group_name> --policy-arn arn:aws:iam::aws:policy/<policy_name>

Step 2: Add Users to the IAM Group

Using Console Steps

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Groups.

  3. Select the group to add users to.

  4. Click Add Users To Group.

  5. Select the users to be added.

  6. Click Add Users.

Using Command Line Steps

  • Add an IAM user to the group:
aws iam add-user-to-group --group-name <group_name> --user-name <iam_user>
  • Confirm user is part of the group:
aws iam list-groups-for-user --user-name <iam_user>

Step 3: Remove Direct Policy Attachments from IAM Users

Using Console Steps

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Users.

  3. Select a user with directly attached policies.    

  4. Click Permissions tab → Expand Permissions policies.

  5. Click X next to each directly attached managed policy → Click Detach. Remove any inline policies the same way; because an inline policy exists only on that user, removing it deletes it, so confirm the group already grants the equivalent permissions first.

Using Command Line Steps

  • Detach directly attached managed policies from a user (use arn:aws:iam::<account_id>:policy/<policy_name> for customer managed policies):
aws iam detach-user-policy --user-name <iam_user> --policy-arn arn:aws:iam::aws:policy/<policy_name>
  • Remove inline policies from a user (this deletes the policy document, so save it first if it must be reproduced on the group):
aws iam delete-user-policy --user-name <iam_user> --policy-name <policy_name>
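
Steps 1 to 3 above as one script for a single user, added here as an example and not taken from the benchmark. It creates the group if needed, adds the user to it, copies the user's direct permissions onto the group (managed policies are attached, inline documents are re-created on the group under the same name), and only then removes them from the user, so the user never passes through a state with no permissions. It assumes the aws CLI with the remediation permissions from Pre-Requisites plus iam:GetGroup, iam:GetUserPolicy and iam:PutGroupPolicy; the user, group and policy names in the usage line are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the benchmark text: migrate one user's direct
# policies into a group, then detach them. Assumes the aws CLI and the IAM
# permissions listed in the lead-in. Names in the usage line are placeholders.
set -euo pipefail

# ensure_group GROUP: create the group unless it already exists.
ensure_group() {
  local group="$1"
  aws iam get-group --group-name "$group" >/dev/null 2>&1 \
    || aws iam create-group --group-name "$group" >/dev/null
}

# plan_migration USER GROUP ATTACHED_ARNS INLINE_NAMES
# Prints, one per line and in the order they must run, the commands that move
# the user's permissions to the group. It takes the list outputs as arguments
# so the plan can be reviewed (dry run) or tested without touching the API.
# IAM names and ARNs contain no shell metacharacters, so the lines are safe
# to eval.
plan_migration() {
  local user="$1" group="$2" attached="${3:-}" inline="${4:-}" arn name
  # 1. Membership first: once the group carries the policies the user is covered.
  printf 'aws iam add-user-to-group --group-name %s --user-name %s\n' "$group" "$user"
  # 2. Give the group the same managed policies and copies of the inline documents.
  for arn in $attached; do
    printf 'aws iam attach-group-policy --group-name %s --policy-arn %s\n' "$group" "$arn"
  done
  for name in $inline; do
    # get-user-policy returns the document already URL-decoded; the $(...) is
    # expanded when the line is executed, not when the plan is printed.
    printf 'aws iam put-group-policy --group-name %s --policy-name %s --policy-document "$(aws iam get-user-policy --user-name %s --policy-name %s --query PolicyDocument --output json)"\n' \
      "$group" "$name" "$user" "$name"
  done
  # 3. Only now remove the direct attachments (Step 3 of the benchmark).
  for arn in $attached; do
    printf 'aws iam detach-user-policy --user-name %s --policy-arn %s\n' "$user" "$arn"
  done
  for name in $inline; do
    printf 'aws iam delete-user-policy --user-name %s --policy-name %s\n' "$user" "$name"
  done
}

# migrate_user USER GROUP [--dry-run]: fetch the user's direct policies, then
# print the plan (dry run) or execute it line by line and show the resulting
# group membership.
migrate_user() {
  local user="$1" group="$2" mode="${3:-}" attached inline cmd
  attached=$(aws iam list-attached-user-policies --user-name "$user" \
               --query 'AttachedPolicies[*].PolicyArn' --output text)
  inline=$(aws iam list-user-policies --user-name "$user" \
               --query 'PolicyNames[*]' --output text)
  if [ "$mode" = "--dry-run" ]; then
    plan_migration "$user" "$group" "$attached" "$inline"
    return 0
  fi
  ensure_group "$group"
  plan_migration "$user" "$group" "$attached" "$inline" | while IFS= read -r cmd; do
    printf '+ %s\n' "$cmd" >&2
    eval "$cmd"
  done
  aws iam list-groups-for-user --user-name "$user" --query 'Groups[*].GroupName' --output text
}

# Usage: ./migrate-user.sh <iam_user> <group_name> [--dry-run]
if [ "$#" -ge 2 ]; then
  migrate_user "$@"
fi
```

Run it with --dry-run first and read the plan: every attach-group-policy and put-group-policy line precedes the corresponding detach-user-policy or delete-user-policy line, which is the ordering the Backout Plan also insists on. After the run, the inline documents live on the group, so they can still be retrieved from there if one of them ever has to be restored on a user.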

Backout Plan:

If an IAM user temporarily requires a direct policy, reattach the necessary policy:

aws iam attach-user-policy --user-name <iam_user> --policy-arn arn:aws:iam::aws:policy/<policy_name>

  • Ensure that group-based permissions are established before revoking the temporary policy again.

  • If an SCP denying iam:AttachUserPolicy is already in place, this command fails until the SCP is detached from the account or the principal is exempted.

References: