Ensure that IAM policy is not directly attached to a user

If the IAM policy is directly attached to a user, it increases the security management overhead. Attach policy to a group or a role, instead of a user.

Risk Level: Low
Cloud Entity: AWS IAM Policy
CloudGuard Rule ID: D9.CFT.IAM.17
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


AWS_IAM_Policy should not have Users


From CFT
Remove AWS::IAM::Policy Users property. Attach the policy to a role or a group instead.


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html

AWS IAM Policy

You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.

Compliance Frameworks

  • AWS CloudFormation ruleset