Profile Applicability:
Level 1
Description:
This control ensures that AWS Identity and Access Management (IAM) policies are attached only to groups or roles, not directly to individual IAM users. Attaching policies directly to users increases administrative overhead and risks inconsistent access control management. Using groups and roles promotes centralized permission management, scalability, and adherence to the principle of least privilege.
Rationale:
Attaching IAM policies directly to users makes it harder to maintain and audit permissions across an organization. As the number of users grows, direct attachments can lead to excessive privileges, misconfigurations, and non-compliance with internal security standards. Assigning policies to groups (for user-based permissions) or roles (for service and cross-account access) allows consistent policy enforcement, easier management, and streamlined de-provisioning. This aligns with best practices and frameworks such as CIS, SOC 2, ISO 27001, and NIST 800-53.
Impact:
Positive Impact: Simplifies permission management, reduces human error, and enforces consistent access control practices.
Negative Impact: May require refactoring of existing permissions if policies are currently attached directly to users.
Default Value:
By default, AWS allows policies to be attached directly to IAM users, groups, or roles.
Pre-Requisite:
IAM permissions required:
iam:ListUsers, iam:ListAttachedUserPolicies, iam:DetachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console with administrative privileges.
Navigate to IAM → Users.
For each user:
Select the user and go to the Permissions tab.
Check for any managed policies listed under “Permissions policies.”
If a policy is attached directly to a user (not inherited from a group or role), the user is non-compliant.
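The same check scripted against the IAM API, as an added example that is not part of this benchmark text. It goes slightly beyond the console steps above by also listing inline user policies (which requires iam:ListUserPolicies in addition to the permissions listed under Pre-Requisite). The StubIam class is constructed sample data standing in for boto3.client("iam"); pass a real client to audit an account.

```python
"""Audit IAM users for policies attached directly (managed or inline)."""
from typing import Any, Dict, List


def list_all(client: Any, method: str, key: str, **kwargs) -> List[Any]:
    """Drain a paginated IAM list call using the Marker/IsTruncated protocol."""
    items: List[Any] = []
    marker = None
    while True:
        params = dict(kwargs)
        if marker:
            params["Marker"] = marker
        page = getattr(client, method)(**params)
        items.extend(page.get(key, []))
        if not page.get("IsTruncated"):
            return items
        marker = page["Marker"]


def audit_direct_user_policies(client: Any) -> Dict[str, Dict[str, List[str]]]:
    """Return {user: {"managed": [arns], "inline": [names]}} for every user
    with at least one directly attached policy; compliant users are omitted."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for user in list_all(client, "list_users", "Users"):
        name = user["UserName"]
        attached = list_all(client, "list_attached_user_policies",
                            "AttachedPolicies", UserName=name)
        managed = [p["PolicyArn"] for p in attached]
        inline = list_all(client, "list_user_policies", "PolicyNames", UserName=name)
        if managed or inline:
            findings[name] = {"managed": managed, "inline": inline}
    return findings


class StubIam:
    """Constructed sample data (hypothetical account) in boto3 response shape."""
    def list_users(self, Marker=None):
        if Marker is None:  # first page, truncated to exercise pagination
            return {"Users": [{"UserName": "alice"}], "IsTruncated": True, "Marker": "p2"}
        return {"Users": [{"UserName": "bob"}, {"UserName": "carol"}], "IsTruncated": False}

    def list_attached_user_policies(self, UserName, Marker=None):
        data = {"alice": [{"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}
        return {"AttachedPolicies": data.get(UserName, []), "IsTruncated": False}

    def list_user_policies(self, UserName, Marker=None):
        data = {"bob": ["s3-read-inline"]}
        return {"PolicyNames": data.get(UserName, []), "IsTruncated": False}


if __name__ == "__main__":
    for user, pols in audit_direct_user_policies(StubIam()).items():
        print(f"NON-COMPLIANT {user}: managed={pols['managed']} inline={pols['inline']}")
```

Users absent from the result (carol in the sample) receive permissions only through groups and pass the control.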
Implementation Plan:
Using AWS Console:
Navigate to IAM → Users.
Select a user with directly attached policies.
Go to the Permissions tab and note the attached policy names.
Click Remove permissions or Detach policy for each directly attached policy.
Create or identify a group that reflects the user’s required access level:
Go to IAM → Groups → Create group.
Attach the same policies to the group.
Add the user to the appropriate group:
Select IAM → Groups → [Group Name] → Add users to group.
If the access is service-specific (e.g., EC2, Lambda, S3), assign a role instead of a group.
Verify that the user’s effective permissions remain correct and are inherited from the group or role.
Backout Plan:
If removing a directly attached policy disrupts necessary access, temporarily reattach the policy to the user.
Document the exception and reassign it to a group or role as soon as possible to restore compliance.