IAM users have identity-based policies attached directly (managed or inline) instead of inheriting permissions via groups or roles.
Risk
Directly attached user policies hinder centralized control and cause privilege creep. If a user is compromised, excessive rights enable data exposure, resource tampering, and lateral movement, harming confidentiality and integrity. Revocation is error-prone, weakening separation of duties and auditability.
prowler aws --checks iam_policy_attached_only_to_group_or_roles
Recommendation
Assign permissions to groups (humans) and roles (workloads); avoid user-attached policies. Enforce least privilege, prefer federation and temporary credentials, and use tags or permissions boundaries to constrain scope. Review regularly to remove direct user policies and right-size access.
Remediation
- In AWS Console, go to IAM > Users and select the target user
- Open the Permissions tab
- Under Permissions policies, remove each attached policy
- Under Inline policies, delete each inline policy
- Confirm changes; the user should show no inline or attached policies
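The check and the remediation above, as an added example that is not Prowler's own code: it walks a constructed document in the shape of `aws iam get-account-authorization-details` output (field names `UserDetailList`, `UserPolicyList`, `AttachedManagedPolicies`, `GroupList` are the real API's), flags users that carry inline or directly attached managed policies, and emits the AWS CLI equivalents of the console steps; the user and policy names are made up.

```python
import json

# Constructed sample in the shape of `aws iam get-account-authorization-details`
# output (UserDetailList only); not real account data.
SAMPLE_AUTH_DETAILS = json.loads("""
{"UserDetailList": [
  {"UserName": "alice", "GroupList": ["developers"],
   "UserPolicyList": [], "AttachedManagedPolicies": []},
  {"UserName": "bob", "GroupList": [],
   "UserPolicyList": [{"PolicyName": "bob-inline-s3"}],
   "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
  {"UserName": "carol", "GroupList": ["auditors"],
   "UserPolicyList": [{"PolicyName": "carol-inline"}],
   "AttachedManagedPolicies": []}
]}
""")


def find_users_with_direct_policies(auth_details):
    """One finding per user with any inline policy (UserPolicyList) or directly
    attached managed policy (AttachedManagedPolicies). Permissions inherited
    via GroupList are compliant and ignored."""
    findings = []
    for user in auth_details.get("UserDetailList", []):
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        attached = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        if inline or attached:
            findings.append({"UserName": user["UserName"],
                             "InlinePolicies": inline,
                             "AttachedPolicyArns": attached})
    return findings


def remediation_commands(finding):
    """AWS CLI equivalents of the console steps: detach managed, delete inline."""
    user = finding["UserName"]
    cmds = [f"aws iam detach-user-policy --user-name {user} --policy-arn {arn}"
            for arn in finding["AttachedPolicyArns"]]
    cmds += [f"aws iam delete-user-policy --user-name {user} --policy-name {name}"
             for name in finding["InlinePolicies"]]
    return cmds


if __name__ == "__main__":
    for f in find_users_with_direct_policies(SAMPLE_AUTH_DETAILS):
        print(f"FAIL {f['UserName']}: inline={f['InlinePolicies']} "
              f"attached={f['AttachedPolicyArns']}")
        print("\n".join("  " + c for c in remediation_commands(f)))
```

Feeding the real `aws iam get-account-authorization-details --filter User` output through the same function reproduces the check's FAIL list; review the generated commands before running them so that group or role assignments are in place first.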
Resource Type
AwsIamUser