| Plugin Title | No User IAM Policies |
| --- | --- |
| Cloud | AWS |
| Category | IAM |
| Description | Ensures IAM policies are not attached directly to IAM users |
| More Info | To reduce management complexity, IAM permissions should only be assigned to roles and groups. Users can then be added to those groups. Policies should not be applied directly to a user. |
| AWS Link | http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-groups-for-permissions |
| Recommended Action | Create groups with the required policies, move the IAM users to the applicable groups, and then remove the inline and directly attached policies from the IAM user. |
1. Log in to the AWS Management Console.
2. Select the "Services" option and search for IAM.
3. Scroll down the left navigation panel and select "Users" under "Access management".
4. Click on the IAM User name that you want to inspect.
5. Scroll down on the IAM user configuration page and click on the "Permissions" tab.
6. Ensure that there are no policies "Attached directly".
7. If there are any policies "Attached directly", remove them and assign the permissions through either a group or a role.
8. Repeat steps 4 – 7 for all IAM users.
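The same check can be automated instead of clicking through each user. The script below is an added example, not the plugin's own code: it walks every IAM user and flags any managed policy attached directly (ListAttachedUserPolicies) or inline policy (ListUserPolicies), which is exactly what steps 6 and 7 inspect by hand. The method names are those of the real boto3 IAM client; `FakeIAM` is a constructed stand-in with sample users so it runs offline, and `paged` is a hypothetical helper for IAM's Marker/IsTruncated pagination.

```python
def paged(call, key, **kwargs):
    """Follow IAM's IsTruncated/Marker pagination and yield every item under `key`."""
    marker = None
    while True:
        page = call(Marker=marker, **kwargs) if marker else call(**kwargs)
        yield from page.get(key, [])
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]

def collect_user_policies(iam):
    """Map each user to its directly attached managed policy ARNs and inline policy
    names via ListUsers, ListAttachedUserPolicies and ListUserPolicies (boto3 names)."""
    result = {}
    for user in paged(iam.list_users, "Users"):
        name = user["UserName"]
        attached = [p["PolicyArn"] for p in paged(
            iam.list_attached_user_policies, "AttachedPolicies", UserName=name)]
        inline = list(paged(iam.list_user_policies, "PolicyNames", UserName=name))
        result[name] = {"attached": attached, "inline": inline}
    return result

def evaluate(user_policies):
    """Return (user, kind, policy) findings; an empty list means every user passes."""
    findings = []
    for user, pols in sorted(user_policies.items()):
        findings += [(user, "attached", arn) for arn in pols["attached"]]
        findings += [(user, "inline", name) for name in pols["inline"]]
    return findings

class FakeIAM:
    """Constructed stand-in for a boto3 IAM client so the audit runs offline."""
    _users = {"alice": (["arn:aws:iam::aws:policy/AdministratorAccess"], []),
              "bob": ([], ["bob-s3-inline"]),
              "carol": ([], [])}  # carol gets access only via groups: compliant

    def list_users(self, **kw):
        return {"Users": [{"UserName": u} for u in self._users], "IsTruncated": False}

    def list_attached_user_policies(self, UserName, **kw):
        arns = self._users[UserName][0]
        return {"AttachedPolicies": [{"PolicyArn": a} for a in arns], "IsTruncated": False}

    def list_user_policies(self, UserName, **kw):
        return {"PolicyNames": self._users[UserName][1], "IsTruncated": False}

if __name__ == "__main__":  # swap FakeIAM() for boto3.client("iam") on a real account
    for user, kind, policy in evaluate(collect_user_policies(FakeIAM())):
        print(f"FAIL {user}: {kind} policy {policy} should be granted through a group")
```

Against a real account the caller needs only `iam:ListUsers`, `iam:ListAttachedUserPolicies` and `iam:ListUserPolicies`, so the audit itself can run under a read-only role.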