Ensure IAM Users Receive Permissions Only Through Groups

IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) edit the user's policy directly (an inline, or user, policy); 2) attach a managed policy directly to the user; 3) add the user to an IAM group that has an attached policy. Only the third approach is recommended, because group membership keeps permissions reviewable in one place and avoids per-user exceptions that are easy to overlook.

Risk Level: Low
Cloud Entity: AWS Identity and Access Management (IAM)
CloudGuard Rule ID: D9.TF.AWS.IAM.06
Covered by Spectral: No
Category: Security, Identity, & Compliance


aws_iam_user_policy should have policy isEmpty()


  1. aws iam list-users --query 'Users[*].UserName' --output text
  2. For each user returned, run the following commands to determine whether any policies are attached to them:
     2.1. aws iam list-attached-user-policies --user-name <iam_user>
     2.2. aws iam list-user-policies --user-name <iam_user>
  3. If either command returns any policies, the user has an inline policy or a direct policy attachment.
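The audit steps above, and the rule's point that only group membership should grant permissions, can be turned into a repeatable check. The following is an added example, not code from the CloudGuard page or from Check Point: it parses the JSON documents that the three `aws iam` commands return (here constructed sample responses embedded inline, with made-up user names and a placeholder account ID) and reports every user that holds a directly attached or inline policy. `collect_live()` is an assumed helper that shells out to the real CLI and needs valid credentials; the rest runs offline.

```python
"""Flag IAM users that receive permissions other than through groups.

Added example for the audit procedure above; it is not part of the
CloudGuard rule page. Sample responses below are constructed to match
the JSON shape of the real `aws iam` CLI output.
"""
import json
import subprocess
from typing import Dict, List

# Constructed: what `aws iam list-users --output json` returns.
LIST_USERS = json.dumps({"Users": [
    {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"},
    {"UserName": "bob", "Arn": "arn:aws:iam::123456789012:user/bob"},
    {"UserName": "carol", "Arn": "arn:aws:iam::123456789012:user/carol"},
]})

# Constructed: `aws iam list-attached-user-policies --user-name <user>` per user.
ATTACHED_BY_USER = {
    "alice": json.dumps({"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}),
    "bob": json.dumps({"AttachedPolicies": []}),
    "carol": json.dumps({"AttachedPolicies": []}),
}

# Constructed: `aws iam list-user-policies --user-name <user>` per user.
INLINE_BY_USER = {
    "alice": json.dumps({"PolicyNames": []}),
    "bob": json.dumps({"PolicyNames": ["bob-s3-inline"]}),
    "carol": json.dumps({"PolicyNames": []}),
}


def user_names(list_users_json: str) -> List[str]:
    """Step 1: extract the user names from the list-users response."""
    return [u["UserName"] for u in json.loads(list_users_json).get("Users", [])]


def direct_policies(attached_json: str, inline_json: str) -> Dict[str, List[str]]:
    """Step 2: collect managed policies attached directly and inline policy names."""
    attached = [p["PolicyArn"]
                for p in json.loads(attached_json).get("AttachedPolicies", [])]
    inline = list(json.loads(inline_json).get("PolicyNames", []))
    return {"attached": attached, "inline": inline}


def audit(list_users_json: str,
          attached_by_user: Dict[str, str],
          inline_by_user: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Step 3: return only the users that fail the rule, with what they hold.

    A user that has neither attached nor inline policies is compliant; any
    policy of either kind is a finding. Users missing from either map are
    treated as having an empty response for that command.
    """
    findings: Dict[str, Dict[str, List[str]]] = {}
    empty_attached = json.dumps({"AttachedPolicies": []})
    empty_inline = json.dumps({"PolicyNames": []})
    for name in user_names(list_users_json):
        found = direct_policies(attached_by_user.get(name, empty_attached),
                                inline_by_user.get(name, empty_inline))
        if found["attached"] or found["inline"]:
            findings[name] = found
    return findings


def _aws(*args: str) -> str:
    """Run one `aws iam ...` command and return its JSON text (assumed helper)."""
    return subprocess.run(["aws", "iam", *args, "--output", "json"],
                          capture_output=True, text=True, check=True).stdout


def collect_live() -> Dict[str, Dict[str, List[str]]]:
    """Assumed helper: gather the real responses and audit them (needs AWS credentials)."""
    users_json = _aws("list-users")
    names = user_names(users_json)
    attached = {n: _aws("list-attached-user-policies", "--user-name", n) for n in names}
    inline = {n: _aws("list-user-policies", "--user-name", n) for n in names}
    return audit(users_json, attached, inline)


if __name__ == "__main__":
    # Offline run on the constructed data: alice (attached) and bob (inline) fail.
    for user, held in audit(LIST_USERS, ATTACHED_BY_USER, INLINE_BY_USER).items():
        print(f"NON-COMPLIANT {user}: attached={held['attached']} inline={held['inline']}")
```

The CLI paginates `list-users` and the two per-user commands automatically, so the parsed documents already contain the full lists; if you instead call the API with a raw SDK client, loop on `IsTruncated`/`Marker` before feeding the results to `audit()`. A user that appears in the findings should have the offending policy moved onto a group and be added to that group, then be re-audited until the report is empty.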

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

Compliance Frameworks

  • Terraform AWS CIS Foundations