TF 0097 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
IAM policies should not be granted directly to users.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | iam |
| Provider | AWS |
Description
IAM policies are being attached directly to individual users rather than to groups or roles, leading to fragmented and complex access management. This practice increases the risk of users accumulating excessive or unintended permissions.
Impact
Directly assigning policies to users makes it difficult to audit and control permissions, raising the likelihood of privilege creep and accidental over-privileging. This can result in users retaining or gaining unauthorized access to sensitive resources, increasing the risk of security incidents.
Resolution
Attach policies to IAM groups (or roles) and make users members of those groups, instead of attaching policies directly to individual users.
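The following Terraform is an added illustration, not code from the Symbiotic-Vulnerability-Database wiki: the first half shows the pattern this finding flags (a managed policy attached straight to a user), the second half shows the group-based layout the resolution asks for. The user, group and attachment names are hypothetical; the `AmazonS3ReadOnlyAccess` ARN is an AWS-managed policy used only as a stand-in for whatever permissions the user actually needs. The two halves are alternatives: when remediating, the direct attachment is removed and replaced by the group attachment plus membership.

```hcl
# --- Flagged configuration (TF 0097): policy attached directly to a user ---

resource "aws_iam_user" "analyst" {
  name = "analyst" # hypothetical user name
}

# Direct user attachment: permissions fragment across individual users and
# are hard to audit. This resource is what the resolution removes.
resource "aws_iam_user_policy_attachment" "analyst_s3_direct" {
  user       = aws_iam_user.analyst.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

# --- Remediated configuration: policy on a group, user is a group member ---

resource "aws_iam_group" "analysts" {
  name = "analysts" # hypothetical group name
}

# The policy is granted once, at the group level.
resource "aws_iam_group_policy_attachment" "analysts_s3" {
  group      = aws_iam_group.analysts.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

# Users receive permissions only through membership; adding or removing a
# user from the group is the single place access changes.
resource "aws_iam_user_group_membership" "analyst_groups" {
  user   = aws_iam_user.analyst.name
  groups = [aws_iam_group.analysts.name]
}
```

To find direct attachments that already exist in an account, `aws iam list-attached-user-policies --user-name NAME` lists managed policies attached to a user and `aws iam list-user-policies --user-name NAME` lists inline ones; both should come back empty once access is granted only through groups.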