By using AWS re:Post, you agree to the Terms of Use
/Resolving the error "Ensure IAM policies are attached only to groups or roles"/

Resolving the error "Ensure IAM policies are attached only to groups or roles"


In essence I am working to clean up a bunch of concerning items in AWS. One of which is the error in the title. From my own research, it seems pretty straight forward, in essence goto the IAM console, open the user out of policy, copy down what their permissions are, goto Policies, create a new policy for those permissions, goto Roles or groups as needed create a role/group and attach the policy to it, Go back to the initial user section, and remove existing permissions and add a policy attached from a group, and put in the role/group with the newly made policy.

So that is my understanding of the process. Is it wrong? if so please elaborate.

Also since it looks like roles a groups can both be assigned policies, what is the best use case for both?

Thanks all in advanced for the assistance.

2 Answers


Thanks for the reply, it is helpful. I do see a lot of these have their permissions defined by JSON. Now several are identical except for the ARN for the specific S3 bucket that they are attached to.

We have data being pulled and dropped into a specific buckets (dozens of them) and individual users made to interact with each of these buckets, I believe this is all being accessed\used through custom code through Azure Devops.

How do I create a single policy and/or single group to cover these without giving extra permissions to users that shouldn't have them. Currently IAM user 1 has a policy json to give it permissions to s3 bucket 1, and IAM user 2 has a policy json to give it permissions to s3 bucket 2 but with identical permissions to their respective buckets. Can this be done, creating a single policy (covering the specific S3 permissions defined in the JSON) that I can apply to a group, OR individual users that will grant IAM User 1 to S3 bucket 1 but not Bucket 2, 3, 4 etc; that can then be put onto ALL the users that share these S3 access permissions?

I am trying to avoid making dozens of nearly identical policies to accommodate each of these user\bucket combos; that would also require making new policies each time a new user\bucket combo was made. Instead make it once and either apply it to a new user, or add the next new user to a group with this policy assigned, either way is fine.

Thanks again!

answered 19 days ago

I think your understanding is correct. This error is flagging that you have IAM policies attached directly to users. This makes it harder to keep track of who has what permissions, and keep them updated over time. If you want to keep using IAM users, then you should be using groups to assign them permissions.

Roles and groups both leverage identity policies, but perform very different purposes. Groups help you manage users, roles allow you to give short-term access to AWS (such as users, AWS services, etc).

answered 20 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions