---
names:
  full: AWS IAM User has inline or directly attached policies
  contextual: User has inline or directly attached policies
description: |-
  IAM users are granted access to services, functions, and data through IAM policies.
  There are four ways to define policies for a user:
  1) Edit the user policy directly, also known as an inline (user) policy.
  2) Attach a managed policy directly to the user.
  3) Add the user to an IAM group that has an attached policy.
  4) Add the user to an IAM group that has an inline policy.
  Only the third implementation is recommended.
type: COMPLIANCE_POLICY
categories:
  - SECURITY
frameworkMappings:
  - "/frameworks/cis-aws-v7.0.0/02/13"
  - "/frameworks/cloudaware/identity-and-access-governance/user-account-management"
  - "/frameworks/aws-fsbp-v1.0.0/iam/02"
  - "/frameworks/aws-fsbp-v1.0.0/iam/21"
  - "/frameworks/aws-well-architected/cost/02/04"
  - "/frameworks/aws-well-architected/sec/03/02"
similarPolicies:
  awsSecurityHub:
    - name: "[IAM.2] IAM users should not have IAM policies attached"
      url: "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-2"
  cloudConformity:
    - url: https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/IAM/receive-permissions-via-groups-only.html
      name: Receive Permissions via IAM Groups Only
internal:
  - dec-x-4157c58a