Ensure IAM policies are attached only to groups or roles

It is recommended that IAM policies be applied directly to groups and roles but not to users. IAM policies are the means by which privileges are granted to users, groups, or roles. By default, IAM users, groups, and roles have no access to AWS resources. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.

Risk Level: Low
Cloud Entity: AWS Identity and Access Management (IAM)
CloudGuard Rule ID: D9.TF.AWS.IAM.07
Covered by Spectral: No
Category: Security, Identity, & Compliance


aws_iam_policy_attachment should have users isEmpty()


  1. Run aws iam get-user-policy --user-name <user> 2. For each policy run aws iam delete-user-policy --user-name <user> --policy-name <policy>

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
IAM is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your users.

Compliance Frameworks

  • Terraform AWS CIS Foundations