corner gradient

Ensure IAM policies are attached only to groups or roles

By assigning privileges at the level of groups or roles, your team is able to reduce the complexity of overall access management as the number of users continues to grow.
Ensure IAM policies are attached only to groups or roles

As your platform grows, you will likely gain more users over time. To help reduce the complexity of managing the growing users, we must ensure the assignment of rights happens at the group-level. IAM users, groups, and roles have no direct access to AWS resources by default. IAM policies are the mechanisms for granting rights to users, groups, and roles. Reducing the complexity of access control may lessen the chances of a primary user receiving or keeping excessive rights by accident. Individual permissions expose a platform's user management capabilities to vulnerabilities and hazards. Permissions based on groups and roles give you more control over who has access to what in your environment.


What is an IAM Policy?

An IAM user is an entity you establish in AWS to represent the person or service who interacts with AWS through it. In AWS, a user is made up of a name and credentials. IAM policies are simply access credentials and instructions assigned to each individual or group of individuals.


  1. IAM policies should be applied directly to groups and roles, not to users, according to our recommendations. One way to do this is to remove direction associations between users and policies.
  2.  Open the IAM console in the AWS Management Console after logging in.
  3. Click "Users" in the left menu pane.
  4. Begin by selecting the user for each user.
  5. Expand Managed Policies after clicking the Permissions tab.
  6. For each policy, choose "Detach Policy." Expand Inline Policies from there.
  7. For each policy, click "Remove Policy."

 To create an IAM group and assign policies:

  1. Open the IAM console in the AWS Management Console after logging in.
  2. Click "Groups" in the navigation pane, then "Create New Group."
  3. Type the group's name in the Group Name field and then click "Next Step."
  4. Select the check box for each policy that you wish to apply to all members of the group from the list of policies. Then select "Next Step" from the drop-down menu.
  5. Select "Create Group" from the drop-down menu.


What do you think about this use case? Tell us what you think in the comments below.



No comments yet! Why don't you be the first?
Add a comment

Get started with MatosSphere today

Get Demo