AWS IAM Policy Is Not Assigned Directly To User

This policy validates that there are no IAM policies assigned directly to users instead of being assigned to an IAM group or role.

Assigning an IAM policy to users directly increases complexity of access management and vastly increases the difficulty in maintaining proper least access controls in moderate to large size AWS accounts.


To remediate this, for each IAM policy assigned directly to a user create a corresponding AWS role/group or roles/groups as appropriate. Then apply those IAM policies to the role/group or roles/groups just created. Finally move the users into the new groups/roles as appropriate and remove the IAM policy from the user.

Groups are a management convenience used to group permissions for users that need similar permissions. Roles are for delegating permissions tasks to a specific entity (role), which users can then explicitly assume to perform tasks. In these instructions, we will show how to move an IAM policy from a user to a group, then move that user to that group. For more information on roles vs. groups, see the reference section below.


  • CIS AWS Benchmark 1.16 "Ensure IAM policies are attached only to groups or roles".

Last updated