Ensure IAM Users Receive Permissions Only Through Groups

It is recommended that IAM policies be applied directly to groups and roles but not to users. IAM policies are the means by which privileges are granted to users, groups, or roles. By default, IAM users, groups, and roles have no access to AWS resources. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.20
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


IamUser where not (name regexMatch /^<root_account>$/i ) should have managedPolicies isEmpty() and inlinePolicies isEmpty()


From Portal
To remove a direct association between a user and policy:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the left navigation pane, click on Users
  3. For each user:
    a. Select the user
    b. Click on the Permissions tab
    c. Expand Managed Policies
    d. Click Detach Policy for each policy
    e. Expand Inline Policies
    f. Click Remove Policy for each policy

To create an IAM group and assign a policy to it:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
  2. In the navigation pane, click Groups and then click Create New Group .
  3. In the Group Name box, type the name of the group and then click Next Step .
  4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click Next Step.
  5. Click Create Group

To add a user to a given group:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups
  3. Select the group to add a user to
  4. Click Add Users To Group
  5. Select the users to be added to the group
  6. Click Add Users

From TF
To add user to a group, add following:

resource "aws_iam_group_membership" "add_user_to_group_example" {
	users = [
	group = GROUP-NAME

From Command Line
To remove the specified managed policy from a specified user, run:

aws iam detach-user-policy --user-name USER-NAME --policy-arn POLICY-ARN

To attach a policy to IAM group, run:

aws iam attach-group-policy --group-name GROUP-NAME --policy-arn POLICY-ARN

To add a user to a group, run:

aws iam add-user-to-group --group-name GROUP-NAME --user-name USER-NAME


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html
  3. https://docs.aws.amazon.com/cli/latest/reference/iam/add-user-to-group.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_group_membership

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CIS Foundations v. 1.0.0
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset