IAM Users with IAM Policies Attached

Tenacity Id

Risk Level




Last Updated:

April 21, 2022

An Identity Access and Management (IAM) user has IAM policies directly attached to it. Attaching policies directly to IAM users can create unnecessary complexity, is difficult to manage, and can mask mistakes where users may have an unintended elevation of privileges. IAM policies should be attached to an IAM group or role. Remove policies directly attached to IAM users and use IAM groups or roles with the appropriate IAM policies attached.