
How to Find AWS IAM Policies Not Attached to Groups or Roles

By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles.

It is recommended that IAM policies be attached to groups and roles, not directly to users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity in turn reduces the opportunity for a principal to inadvertently receive or retain excessive privileges, and makes it easier to review who can do what.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity low.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

  1. Execute the following search command in Fix Inventory Shell. It matches every IAM user that has an inline policy (`user_policies`) or a managed policy attached directly to the user (`attached_policy`, collected from the `aws_iam_policy` successors):

    > search is(aws_iam_user) {attached_policy: --> is(aws_iam_policy)} user_policies!=[] or attached_policy!=null
    kind=aws_iam_user, ..., region=fixinventory-poweruser
    kind=aws_iam_user, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_iam_user) {attached_policy: --> is(aws_iam_policy)} user_policies!=[] or attached_policy!=null | dump
    reported:
     id: /aws/iam/123
     name: some-name
     ctime: '2022-12-05T22:53:14Z'
     kind: aws_iam_user
     age: 2mo28d

    The command output will list the details of all non-compliant aws_iam_user resources, including the `user_policies` and `attached_policy` properties that caused the match.

Remediation

  • Remove any policy attached directly to the user.
  • You can find all of a user's direct policies by dumping the user and looking at `user_policies` (inline policies) and `attached_policy` (managed policies).
  • Grant the same permissions through groups or roles instead, and make sure the replacement is in place before removing the direct policy so the user does not lose access mid-migration.
note

Please refer to the AWS IAM documentation for details.
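The following script is an added example and is not part of Fix Inventory or the AWS documentation. It performs the same check as the search above outside of Fix Inventory, over the data shape returned by `aws iam get-account-authorization-details --filter User` (a `UserDetailList` whose entries carry `UserPolicyList` for inline policies and `AttachedManagedPolicies` for managed ones), and drafts the AWS CLI commands that move each direct policy onto a group before detaching it from the user. The account ID, user names, group name and policy documents in the sample are constructed so the script runs offline; `find_users_with_direct_policies` and `remediation_commands` are names chosen for this example.

```python
"""Find IAM users with directly attached policies and draft group-based remediation.

Added example, not Fix Inventory code. Input shape is that of
`aws iam get-account-authorization-details --filter User`; the sample
below is constructed so the script runs without AWS credentials.
"""
import json
import shlex
import sys
from typing import Dict, List

# Constructed sample: one compliant user, one with an inline policy,
# one with a managed policy attached directly. Account ID is fictional.
SAMPLE_AUTH_DETAILS = {
    "UserDetailList": [
        {
            "UserName": "alice",  # compliant: access only via a group
            "GroupList": ["developers"],
            "UserPolicyList": [],
            "AttachedManagedPolicies": [],
        },
        {
            "UserName": "bob",  # non-compliant: inline policy on the user
            "GroupList": [],
            "UserPolicyList": [{
                "PolicyName": "bob-s3-inline",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                                   "Resource": "arn:aws:s3:::example-bucket"}],
                },
            }],
            "AttachedManagedPolicies": [],
        },
        {
            "UserName": "carol",  # non-compliant: managed policy attached directly
            "GroupList": ["developers"],
            "UserPolicyList": [],
            "AttachedManagedPolicies": [{
                "PolicyName": "AdministratorAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess",
            }],
        },
    ]
}


def find_users_with_direct_policies(auth_details: Dict) -> List[Dict]:
    """Equivalent of `user_policies != [] or attached_policy != null`:
    one finding per user that has any inline or directly attached policy."""
    findings = []
    for user in auth_details.get("UserDetailList", []):
        inline = user.get("UserPolicyList", [])
        managed = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        if inline or managed:
            findings.append({
                "user": user["UserName"],
                "groups": list(user.get("GroupList", [])),
                "inline_policies": [p["PolicyName"] for p in inline],
                "inline_documents": {p["PolicyName"]: p["PolicyDocument"] for p in inline},
                "attached_policies": managed,
            })
    return findings


def remediation_commands(finding: Dict, target_group: str) -> List[str]:
    """Draft AWS CLI commands that move a user's direct policies to a group.

    Order matters: the user joins the group and the group gains the policy
    before the policy is removed from the user, so access is never lost.
    Inline policies are recreated on the group with the same document
    (review them first; a policy written for one user may be too broad
    for a whole group), then deleted from the user.
    """
    user, group = shlex.quote(finding["user"]), shlex.quote(target_group)
    cmds = []
    if target_group not in finding["groups"]:
        cmds.append(f"aws iam add-user-to-group --group-name {group} --user-name {user}")
    for arn in finding["attached_policies"]:
        arn_q = shlex.quote(arn)
        cmds.append(f"aws iam attach-group-policy --group-name {group} --policy-arn {arn_q}")
        cmds.append(f"aws iam detach-user-policy --user-name {user} --policy-arn {arn_q}")
    for name in finding["inline_policies"]:
        doc = shlex.quote(json.dumps(finding["inline_documents"][name]))
        name_q = shlex.quote(name)
        cmds.append(f"aws iam put-group-policy --group-name {group} "
                    f"--policy-name {name_q} --policy-document {doc}")
        cmds.append(f"aws iam delete-user-policy --user-name {user} --policy-name {name_q}")
    return cmds


if __name__ == "__main__":
    # Pass a file saved from get-account-authorization-details to audit a
    # real account; with no argument the constructed sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_AUTH_DETAILS
    for f in find_users_with_direct_policies(data):
        print(f"# {f['user']}: inline={f['inline_policies']} attached={f['attached_policies']}")
        print("\n".join(remediation_commands(f, "developers")))
```

The script only prints the commands; run them after reviewing each policy, since the aim is to reach the same effective permissions through the group, not to grant a user's one-off exceptions to everyone in it.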

Further Reading