Property
Language: terraform
Severity: low
Service: iam
Provider: AWS

Description

IAM policies are being attached directly to individual users rather than to groups or roles, leading to fragmented and complex access management. This practice increases the risk of users accumulating excessive or unintended permissions.

Impact

Directly assigning policies to users makes it difficult to audit and control permissions, raising the likelihood of privilege creep and accidental over-privileging. This can result in users retaining or gaining unauthorized access to sensitive resources, increasing the risk of security incidents.

Resolution

Grant policies at the group level instead.
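
The following added example (not taken from the rule's own documentation) shows the direct-to-user pattern beside the group-based form. It assumes the direct attachments are made with `aws_iam_user_policy` or `aws_iam_user_policy_attachment`; the user, group, policy and bucket names are constructed placeholders.

```terraform
# Constructed example: user, group, policy and bucket names are placeholders.

resource "aws_iam_user" "alice" {
  name = "alice"
}

data "aws_iam_policy_document" "read_reports" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-reports-bucket/*"]
  }
}

resource "aws_iam_policy" "read_reports" {
  name   = "read-reports"
  policy = data.aws_iam_policy_document.read_reports.json
}

# Non-compliant: permissions are bound to a single user.
# Inline policy embedded in the user:
resource "aws_iam_user_policy" "alice_inline" {
  name   = "alice-read-reports"
  user   = aws_iam_user.alice.name
  policy = data.aws_iam_policy_document.read_reports.json
}

# Managed policy attached straight to the user:
resource "aws_iam_user_policy_attachment" "alice_direct" {
  user       = aws_iam_user.alice.name
  policy_arn = aws_iam_policy.read_reports.arn
}

# Compliant: attach the policy to a group and make the user a member.
resource "aws_iam_group" "analysts" {
  name = "analysts"
}

resource "aws_iam_group_policy_attachment" "analysts_read_reports" {
  group      = aws_iam_group.analysts.name
  policy_arn = aws_iam_policy.read_reports.arn
}

resource "aws_iam_user_group_membership" "alice" {
  user   = aws_iam_user.alice.name
  groups = [aws_iam_group.analysts.name]
}
```

With the group-based form, removing a user's access is a change to group membership only, and the set of permissions can be audited once per group rather than once per user.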