Drata validates that IAM users are granted permissions only through groups and that there are no users with an inline policy or a direct policy attachment.
IAM users are granted access to services, functions, and data through IAM policies. Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.
ASSOCIATED DRATA CONTROL
This test is part of the Principle of Least Privilege control (DCF-776) that ensures your company assigns permissions through groups or roles based on the principle of least privilege and limits the use of wild-card permissions or broad-access patterns.
WHAT TO DO IF A TEST FAILS
If Drata finds that there are AWS IAM users with an inline policy or direct policy attachment, the test will fail. Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.
STEPS TO REMEDIATE
Create an IAM group and assign policies to it based on the principle of least privilege.
Add failing users to the IAM group.
Remove the direct association between the AWS IAM users and the access policies for the failing users who had inline policies or direct policy attachments.
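The check and the three remediation steps above, as an added example that is not Drata's own code. It runs offline over a constructed sample shaped like the `UserDetailList` returned by boto3's `iam.get_account_authorization_details()`, and assumes the target group (`developers` here) has already been created with its least-privilege policies (step 1).

```python
"""Flag IAM users that carry inline or directly attached policies and emit the
AWS CLI commands that move them to group-based permissions."""
from typing import Dict, List

# Constructed sample in the shape of get_account_authorization_details()["UserDetailList"]
SAMPLE_USERS = [
    {"UserName": "alice",  # compliant: permissions only through a group
     "UserPolicyList": [], "AttachedManagedPolicies": [], "GroupList": ["developers"]},
    {"UserName": "bob",    # fails: inline policy embedded in the user
     "UserPolicyList": [{"PolicyName": "bob-s3-inline", "PolicyDocument": {}}],
     "AttachedManagedPolicies": [], "GroupList": ["developers"]},
    {"UserName": "carol",  # fails: managed policy attached directly to the user
     "UserPolicyList": [],
     "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
     "GroupList": []},
]


def find_failing_users(user_details: List[dict]) -> Dict[str, dict]:
    """Return {user_name: {"inline": [policy names], "attached": [policy ARNs]}}
    for every user that would fail the test; users with neither are compliant."""
    failing: Dict[str, dict] = {}
    for user in user_details:
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        attached = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        if inline or attached:
            failing[user["UserName"]] = {"inline": inline, "attached": attached}
    return failing


def remediation_commands(failing: Dict[str, dict], group: str) -> List[str]:
    """Steps 2 and 3: add each failing user to `group` (assumed to exist and to
    carry the least-privilege policies), then remove the direct attachments and
    inline policies so the user keeps permissions only via the group."""
    cmds: List[str] = []
    for user, pols in failing.items():
        cmds.append(f"aws iam add-user-to-group --group-name {group} --user-name {user}")
        for arn in pols["attached"]:
            cmds.append(f"aws iam detach-user-policy --user-name {user} --policy-arn {arn}")
        for name in pols["inline"]:
            cmds.append(f"aws iam delete-user-policy --user-name {user} --policy-name {name}")
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(find_failing_users(SAMPLE_USERS), "developers"):
        print(cmd)
```

Review the generated commands before running them: detaching a policy removes access immediately, so confirm the group already grants what the user still needs.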
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security's (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.