Ensure IAM policies are attached only to groups or roles

1.16 Identity and Access Management (AWS CIS Benchmark).

Description

By default, IAM users, groups, and roles have no access to AWS resources. IAM policies allow certain privileges to be granted to users, groups, or roles.

It is recommended that IAM policies be attached to groups and roles, and not directly to users, so that every user's permissions come from the groups and roles it belongs to.

Create an IAM group and assign a policy to it via the AWS Management Console

Step 1. Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

Step 2. In the navigation pane, click on Groups and then click on Create New Group.

Step 3. In the "Group Name" box, type the name of the group and then click on Next Step.

Step 4. In the list of policies, select the checkbox for each policy that you want to apply to all members of the group. Then click on Next Step.

Step 5. Click on Create Group.

Step 6. Perform the following to add a user to a given group:

  • Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  • In the navigation pane, click on Groups.
  • Select the group you want to add a user to.
  • Click on Add Users To Group.
  • Select the users to be added to the group.
  • Click on Add Users.

Step 7. Perform the following to remove a direct association between a user and policy:

  • Log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  • In the left navigation pane, click on Users.
  • For each user:
    a) Select the user.
    b) Select the "Permissions" tab.
    c) Expand "Managed Policies".
    d) Click on Detach Policy for each policy.
    e) Expand "Inline Policies".
    f) Click on Remove Policy for each policy.
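The following Python script is added here as an example; it is not part of the CIS Benchmark or of any AWS tooling. It shows the audit that precedes Step 7 and the CLI form of the remediation: it reads the JSON that `aws iam get-account-authorization-details --filter User` produces, reports every managed or inline policy attached directly to a user, and prints the `aws iam detach-user-policy` / `aws iam delete-user-policy` commands that would remove those direct attachments. The `SAMPLE_AUTH_DETAILS` data, including the user names, the group name and the inline policy name, is constructed for the example.

```python
# Added example (not CIS Benchmark or AWS code): audit the JSON produced by
#   aws iam get-account-authorization-details --filter User
# for policies attached directly to users, and emit the CLI commands that
# would remove them. The data below is constructed to resemble that output.
import json

# Constructed sample: "alice" has a managed and an inline policy attached
# directly; "bob" only inherits permissions through a group (the recommended
# arrangement) and therefore produces no finding.
SAMPLE_AUTH_DETAILS = json.dumps({
    "UserDetailList": [
        {
            "UserName": "alice",
            "UserPolicyList": [
                {"PolicyName": "alice-inline-s3",
                 "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}
            ],
            "AttachedManagedPolicies": [
                {"PolicyName": "ReadOnlyAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}
            ],
            "GroupList": [],
        },
        {
            "UserName": "bob",
            "UserPolicyList": [],
            "AttachedManagedPolicies": [],
            "GroupList": ["developers"],
        },
    ]
})


def find_direct_user_policies(auth_details_json):
    """Return one finding per policy attached directly to a user.

    Each finding records the user name, the kind of attachment ("managed"
    or "inline") and the policy ARN or name, so it can be reported or
    turned into a remediation command.
    """
    details = json.loads(auth_details_json)
    findings = []
    for user in details.get("UserDetailList", []):
        name = user["UserName"]
        # Managed policies attached directly to the user (Step 7 c/d).
        for policy in user.get("AttachedManagedPolicies", []):
            findings.append({"user": name, "kind": "managed",
                             "policy": policy["PolicyArn"]})
        # Inline policies embedded in the user (Step 7 e/f).
        for policy in user.get("UserPolicyList", []):
            findings.append({"user": name, "kind": "inline",
                             "policy": policy["PolicyName"]})
    return findings


def remediation_commands(findings):
    """Map each finding to the AWS CLI call that removes the direct
    attachment: detach-user-policy for managed policies, delete-user-policy
    for inline ones. Review the list before running it; afterwards the user
    keeps only what it inherits through group membership."""
    cmds = []
    for f in findings:
        if f["kind"] == "managed":
            cmds.append(f"aws iam detach-user-policy --user-name {f['user']} "
                        f"--policy-arn {f['policy']}")
        else:
            cmds.append(f"aws iam delete-user-policy --user-name {f['user']} "
                        f"--policy-name {f['policy']}")
    return cmds


def compliant(auth_details_json):
    """True when no user has a directly attached managed or inline policy."""
    return not find_direct_user_policies(auth_details_json)


if __name__ == "__main__":
    found = find_direct_user_policies(SAMPLE_AUTH_DETAILS)
    for f in found:
        print(f"{f['user']}: {f['kind']} policy {f['policy']}")
    print("\n".join(remediation_commands(found)))
```

To run it against a real account, replace `SAMPLE_AUTH_DETAILS` with the output of the `get-account-authorization-details` call; the same `UserDetailList` keys are used there. Emitting the commands rather than executing them keeps the detach step reviewable, since a user whose only permissions were direct attachments loses all access until it is added to a suitable group (Step 6).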