Attaching IAM Policies to Groups or Roles

Do Not Attach IAM Policies to Users
Understanding policy architecture within AWS IAM is a key in supporting the principle of least privilege. It is best practice to only attach IAM policies to groups or roles – not users. The CIS AWS Foundations Benchmark explains that assigning privileges at the group or role level instead of the user level will reduce the complexity of access management as the number of your users scales, plus stricter access management will reduce the opportunity inadvertently excessive privileges.

For more information, visit the AWS documentation for managing IAM policies

AWS Identity and Access Management is probably the key feature that we point out the most when we’re talking about your AWS security posture. Understanding your policy assignments and your policy architecture is critical to ensuring you have a secure environment. One of the best practices that needs to be implemented in your environment is ensuring that AWS IAM policies are attached only to roles and groups and not typically attached to users. As such, you can log into your AWS Management Console, look at your user assignments, and understand which policies are attached to each user.

Related Videos