AWS-009 Amazon Web Services (AWS)

Permissions are granted via groups/roles, not directly to users.

Domain: Amazon Web Services (AWS)
Area: IAM
Automated / manual: Manual

Risk if it fails

Direct grants are hard to track and clean up.

Scattered per-user permissions make it impossible to know who can do what, so excessive access goes unnoticed until an attacker abuses it.

How Tess tests it

1 test — each concludes only on cited evidence.

Permissions are granted via groups/roles, not directly to users.

Automated / manual: Manual

Procedure: List users and check for inline/attached policies bound directly to users.

Read-only command: Manual — review IAM console 'Users' tab and confirm permissions inherit from groups/roles.
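
An added example, not part of the original page or of Tess: one way to run the procedure above against API output instead of the console, by scanning the JSON returned by the read-only call aws iam get-account-authorization-details --filter User for policies bound directly to users. The account data, user names and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by the read-only call
#   aws iam get-account-authorization-details --filter User
SAMPLE = json.loads("""
{"UserDetailList": [
  {"UserName": "alice", "GroupList": ["Developers"],
   "UserPolicyList": [], "AttachedManagedPolicies": []},
  {"UserName": "bob", "GroupList": [],
   "UserPolicyList": [{"PolicyName": "s3-adhoc"}],
   "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
  {"UserName": "carol", "GroupList": ["Auditors"],
   "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}
]}
""")

def direct_grants(auth_details):
    """Map each user holding a directly bound policy to the evidence:
    inline policy names, attached managed policy ARNs, group memberships."""
    findings = {}
    for user in auth_details.get("UserDetailList", []):
        # Tolerate a missing key by treating it as an empty list.
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        attached = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        if inline or attached:
            findings[user["UserName"]] = {
                "inline": inline,
                "attached": attached,
                "groups": user.get("GroupList", []),
            }
    return findings

def control_passes(auth_details):
    """The control holds only when no user has a directly bound policy."""
    return not direct_grants(auth_details)

if __name__ == "__main__":
    for name, f in sorted(direct_grants(SAMPLE).items()):
        print(f"FAIL {name}: inline={f['inline']} "
              f"attached={f['attached']} groups={f['groups']}")
    print("AWS-009:", "pass" if control_passes(SAMPLE) else "fail")
```

A user such as carol, who belongs to a group but also has a managed policy attached directly, still fails: group membership does not offset the direct grant.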
