Ensure IAM Users receive permissions only through Groups

From Console

Perform the following to create an IAM group and assign a list of policies to it:

1. Sign into the AWS console and open the IAM Dashboard.
2. In the left navigation pane, click User groups and then click Create group.
3. In the User group name box, type the name of the group.
4. In the list of policies, select the check box for each policy that you want to apply to all members of the group (You can attach up to 10 policies to this user group).
5. Click Create group. Group is created with the list of permissions.

Perform the following to add a user to a given group:

1. Sign into the AWS console and open the IAM Dashboard.
2. In the left navigation pane, click User groups.
3. Select the Group name to add an user to.
4. Click Add users to group.
5. Select the users to be added to the group.
6. Click Add users. Users are added to the group.

Perform the following to remove a direct association between an user and the policy:

1. Sign into the AWS console and open the IAM Dashboard.
2. In the left navigation pane, click on Users.
3. For each user:
   • Select the user, it will take you to Permissions tab.
   • Expand Permissions policies.
   • Click X for each policy and then click Remove (depending on policy type).

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.