Ensure that a customer managed IAM policy is not directly attached to a user

If a managed IAM policy is directly attached to a user, it increases the security management overhead. Attach policy to a group or a role, instead of a user.