IAM policies attached to groups/roles, not users
Description
IAM policies attached to groups or roles rather than individual users.
⚠️ Risk Impact
Per-user policies create unauditable permission sprawl. Group- or role-based access is reviewable and scales.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
Audit user-attached policies. Move to group or role attachments.
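One way to run the audit step above, as an added example that is not EchelonGraph's scanner or AWS tooling: it lists every IAM user that has a managed policy attached directly or an inline policy (the CIS AWS 1.15 condition), with the boto3 pagination handled; the user and policy values in SAMPLE_USERS are constructed.

```python
"""Audit for CIS AWS 1.15: flag IAM users with policies attached directly.

Assumes read-only IAM permissions (iam:ListUsers, iam:ListAttachedUserPolicies,
iam:ListUserPolicies). Policies reached through group membership are not
flagged; that is the desired end state.
"""
from typing import Iterable


def find_user_attached_policies(users: Iterable[dict]) -> list[dict]:
    """Return one finding per user that has a directly attached managed policy
    or an inline policy. `users` is shaped like the output of collect_users()."""
    findings = []
    for u in users:
        managed = [p["PolicyArn"] for p in u.get("AttachedPolicies", [])]
        inline = list(u.get("InlinePolicyNames", []))
        if managed or inline:
            findings.append({
                "UserName": u["UserName"],
                "ManagedPolicyArns": managed,
                "InlinePolicyNames": inline,
                "Remediation": "Grant via a group or role, then detach from the user",
            })
    return findings


def collect_users(iam) -> list[dict]:
    """Gather the per-user view from a boto3 IAM client, following pagination."""
    out = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            attached, inline = [], []
            for p in iam.get_paginator("list_attached_user_policies").paginate(UserName=name):
                attached.extend(p["AttachedPolicies"])
            for p in iam.get_paginator("list_user_policies").paginate(UserName=name):
                inline.extend(p["PolicyNames"])
            out.append({"UserName": name, "AttachedPolicies": attached, "InlinePolicyNames": inline})
    return out


# Constructed sample of what collect_users() returns for a small account.
SAMPLE_USERS = [
    {"UserName": "alice", "AttachedPolicies": [], "InlinePolicyNames": []},
    {"UserName": "bob", "AttachedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
     "InlinePolicyNames": []},
    {"UserName": "carol", "AttachedPolicies": [], "InlinePolicyNames": ["one-off-s3-export"]},
]

if __name__ == "__main__":
    import boto3  # only needed for a live scan of the current account
    for finding in find_user_attached_policies(collect_users(boto3.client("iam"))):
        print(finding)
```

Run against the sample, only bob (managed policy) and carol (inline policy) are reported; alice, who gets access through groups only, is compliant.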
💀 Real-World Attack Scenario
A startup's IAM consisted of 27 users, each with custom policies accumulated over 3 years. When a user left and permissions needed reassignment, nobody could tell which permissions were needed and which were leftover. Eventually they over-granted to 'be safe'; the over-privileged user was phished, and a breach followed.
💰 Cost of Non-Compliance
Permission-sprawl breaches: avg $4.45M (IBM 2024).
📋 Audit Questions
1. Policies attached to users vs groups/roles?
2. Per-role permissions documented?
3. How are permissions inherited?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ User-attached policies for 'one-off' needs that become permanent
- ⛔ Group memberships overlap chaotically
- ⛔ No role-based access matrix
📈 Business Value
Group/role-based access is foundational to scalable access management.
⏱️ Effort Estimate
20-40 hours initial reorganization
EchelonGraph identifies user-attached policies
🔗 Cross-Framework References
Automate CIS AWS 1.15 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.