How to Attach IAM Policies to Groups or Roles
Ensure IAM Policies Are Not Directly Attached to Users
If IAM policies are attached directly to users, permissions become hard to manage because each user's effective permissions must be reasoned about individually. Instead, attach IAM policies only to groups or roles, and let group and role membership determine users' permissions. To verify that IAM policies are attached only to groups or roles, perform the following steps:
- From the AWS Management Console, navigate to the IAM Dashboard, then click on the Groups section.
- When you click into a group, it will bring up a Summary page. The Users tab will show you what users are assigned to that specific group.
- When you move to the Permissions tab on the Summary page, you can see what policies are attached to that specific group. When a user is a part of a group, they are assigned whatever policies that are attached to that group.
On the other hand, a policy shown as Attached Directly to a user is not best practice. It makes the user's effective permissions much harder to reason about, because the user holds IAM policies attached directly as well as policies inherited from the groups the user belongs to. To identify whether IAM policies are directly attached to a user, perform the following steps:
- From the AWS Management Console, navigate to the IAM Dashboard, then click on the Users section.
- When you click into a user, it will bring up a Summary page. The Permissions tab will show you if any policies are Attached Directly to this user.
- Is the user also a member of a group? If so, the user is also assigned any policies attached to those groups. The Permissions tab labels this type of policy as Attached From Group.
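The two console walkthroughs above can be automated for a whole account. The following added example (not code from the original article) audits every user for policies attached directly, and labels each user's effective policies the same way the console's Permissions tab does: Attached Directly versus Attached From Group. It reads the JSON shape produced by `aws iam get-account-authorization-details`, so it runs offline against a saved dump; the sample data at the bottom is constructed for illustration and reuses the group and user names from the demo, with an assumed directly attached policy since the article does not name one.

```python
"""Audit IAM users for directly attached policies (added example).

Usage against a real account (saved dump, then offline analysis):

    aws iam get-account-authorization-details --output json > iam-details.json
    python iam_direct_attach_audit.py iam-details.json

Run with no argument to analyse the constructed SAMPLE below.
"""
import json
import sys


def find_direct_attachments(details):
    """Return {user_name: [(kind, policy_name, policy_arn), ...]} for every
    user that has a managed policy attached directly or an inline policy.
    An empty dict means the account follows the groups-or-roles-only rule."""
    findings = {}
    for user in details.get("UserDetailList", []):
        direct = []
        for pol in user.get("AttachedManagedPolicies", []):
            direct.append(("managed", pol["PolicyName"], pol.get("PolicyArn", "")))
        for pol in user.get("UserPolicyList", []):      # inline user policies
            direct.append(("inline", pol["PolicyName"], ""))
        if direct:
            findings[user["UserName"]] = direct
    return findings


def effective_policies(details):
    """For each user, list every policy with its source, mirroring the
    console's 'Attached Directly' / 'Attached From Group' labels."""
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    result = {}
    for user in details.get("UserDetailList", []):
        entries = []
        for pol in user.get("AttachedManagedPolicies", []):
            entries.append((pol["PolicyName"], "Attached Directly"))
        for pol in user.get("UserPolicyList", []):
            entries.append((pol["PolicyName"], "Attached Directly (inline)"))
        for gname in user.get("GroupList", []):
            g = groups.get(gname, {})
            for pol in g.get("AttachedManagedPolicies", []):
                entries.append((pol["PolicyName"], f"Attached From Group {gname}"))
            for pol in g.get("GroupPolicyList", []):
                entries.append((pol["PolicyName"], f"Attached From Group {gname} (inline)"))
        result[user["UserName"]] = entries
    return result


# Constructed sample in the get-account-authorization-details shape.
# The directly attached AmazonS3ReadOnlyAccess policy on IAMPolicyDemo is an
# assumption; the article only says the user has one directly attached policy.
SAMPLE = {
    "UserDetailList": [
        {"UserName": "IAMPolicyDemo",
         "GroupList": ["Administrators", "S3bucketfullaccess"],
         "AttachedManagedPolicies": [
             {"PolicyName": "AmazonS3ReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}],
         "UserPolicyList": []},
        {"UserName": "auditor",            # compliant: permissions only via group
         "GroupList": ["readonly"],
         "AttachedManagedPolicies": [],
         "UserPolicyList": []},
    ],
    "GroupDetailList": [
        {"GroupName": "Administrators",
         "AttachedManagedPolicies": [
             {"PolicyName": "AdministratorAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
         "GroupPolicyList": []},
        {"GroupName": "readonly",
         "AttachedManagedPolicies": [
             {"PolicyName": "ReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
         "GroupPolicyList": []},
        {"GroupName": "S3bucketfullaccess",
         "AttachedManagedPolicies": [],
         "GroupPolicyList": [
             {"PolicyName": "S3BucketFullAccess",
              "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}]},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            details = json.load(fh)
    else:
        details = SAMPLE
    for user, pols in effective_policies(details).items():
        print(user)
        for name, source in pols:
            print(f"  {name:32} {source}")
    bad = find_direct_attachments(details)
    print("\nUsers with directly attached policies:", ", ".join(bad) or "none")
```

Running it against the sample reports IAMPolicyDemo as the only non-compliant user, with one policy Attached Directly and the rest Attached From Group, exactly the situation the walkthrough describes. The report is a starting point for remediation: move the directly attached policy onto a group the user belongs to (or a role the user assumes), then detach it from the user.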
For a visual guide on how to verify whether IAM policies are attached directly to users instead of to groups or roles, watch the full demo. To learn more about managing IAM policies, read here.
So, we’re first going to need to log in to the AWS Management Console. Then, we’re going to need to go to the Identity and Access Management console. From here, we’re going to look at our users and then we’re going to look at groups and we’re going to see how we have permissions assigned. So, one of the important things that we’ve talked about is the idea of role-based access controls. We’re going to look at groups and look at how we have defined user access within the environment.
So, we can see here that we have an “Administrators” group, a “readonly” group, and an “S3bucketfullaccess” group. You can also see that you have users assigned to each of these groups. So, let’s look at the users that are assigned. We can see here that we have a user called “IAMPolicyDemo” that’s assigned to the “Administrators” group. They have that assigned. You can see that we have, here, the “S3bucketfullaccess” group and we can see that the “IAMPolicyDemo” user is also in that group. Let’s go look at the “Administrators” group and look at the permissions that are assigned there. As you can see, we have an attached policy here that is assigned to that group. Since that user is part of the group, they’re going to have the permissions that are assigned in that policy. Now, that looks like the right way to do it, but let’s go look at the actual users list.
Let’s go look at the “IAMPolicyDemo” user and we’re going to look at what’s assigned. So, we can see here that there is a problem because we have a directly attached policy to this user, but we also have the user in the groups, as well. So, this user has these permissions based on the groups, but they also have these permissions based on the directly attached policy. What we want to make sure of when we’re designing our IAM architecture is that we’re not directly attaching policies, because this becomes very, very hard to manage and it can also lead to scope issues with users’ permissions. So, we want to make sure that we’re using either groups or roles to define permissions to the users.