Ensure IAM Users Receive Permissions Only Through Groups

It is recommended that IAM policies be applied directly to groups and roles but not to users. IAM policies are the means by which privileges are granted to users, groups, or roles. By default, IAM users, groups, and roles have no access to AWS resources. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.