AWSOverview
IAM users are granted access to services, functions, and data through IAM policies. There are multiple ways to define policies for an user, such as:
- Add the user to an IAM group that has an attached policy.
- Attach an inline policy directly to an user.
- Attach a managed policy directly to an user.
Only the first implementation is recommended.
Assigning IAM policy only through groups simplifies permissions management to a single, flexible layer consistent with organizational functional roles. By simplifying permissions management, the likelihood of excessive permissions is reduced.
Remediation guidance
From Console
Perform the following to create an IAM group and assign a list of policies to it:
- Sign into the AWS console and open the IAM Dashboard.
- In the left navigation pane, click User groups and then click Create group.
- In the
User group namebox, type the name of the group. - In the list of policies, select the
check boxfor each policy that you want to apply to all members of the group (You can attach up to 10 policies to this user group). - Click Create group. Group is created with the list of permissions.
Perform the following to add a user to a given group:
- Sign into the AWS console and open the IAM Dashboard.
- In the left navigation pane, click User groups.
- Select the
Group nameto add an user to. - Click
Add usersto group. - Select the users to be added to the group.
- Click Add users. Users are added to the group.
Perform the following to remove a direct association between an user and the policy:
- Sign into the AWS console and open the IAM Dashboard.
- In the left navigation pane, click on Users.
- For each user:
- Select the user, it will take you to
Permissionstab. - Expand Permissions policies.
- Click
Xfor each policy and then click Remove (depending on policy type).
- Select the user, it will take you to
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
IAM Users receive permissions only through Groups
Connectors
Covered asset types
Expected check: eq []
iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {...AssetFragment}
