---
title: IAM policies attached to user
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > IAM policies attached to user
---

# IAM policies attached to user

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `eafe4bc3-1042-4f88-b988-1939e64bf060`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/iam_policy_module.html)

### Description{% #description %}

Attaching IAM policies directly to individual IAM users increases the risk of privilege sprawl, makes permissions harder to audit and revoke, and magnifies impact if a user's credentials are compromised.

For Ansible `amazon.aws.iam_policy` or `iam_policy` tasks, the `iam_type` property must be set to `group` or `role` rather than `user`. Resources missing the `iam_type` property or with `iam_type` set to `user` are flagged. Attach policies to groups or roles to centralize permission management and enable role-based access patterns.

Secure example (attach policy to a role):

```yaml
- name: Attach policy to role
  amazon.aws.iam_policy:
    policy_name: my-policy            # the module's parameter is policy_name, not name
    policy_json: "{{ lookup('file', 'my-policy.json') }}"  # file lookup yields the JSON body, so use policy_json
    iam_type: role                    # group or role, never user
    iam_name: my-role
    state: present
```
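The detection logic described above, as an added example that is not Datadog's or the `amazon.aws` collection's code: a small checker that walks an Ansible playbook (plays, `block`/`rescue`/`always`, handlers) and flags every `amazon.aws.iam_policy` or `iam_policy` task whose `iam_type` is missing or set to `user`. It also goes beyond the page's two YAML fixtures by handling the free-form `key=value` argument style. The sample playbook is constructed here as the already-parsed structure that `yaml.safe_load` would return; the `scan_yaml` wrapper needs PyYAML, everything else is standard library.

```python
"""Flag Ansible iam_policy tasks that attach a policy directly to an IAM user.

Added example, not Datadog's rule implementation: it applies the same decision
rule the page states (iam_type must be present and must be group or role).
"""
import shlex
from typing import Any, Iterator, Optional

# The rule covers the fully qualified module name and its short alias.
IAM_POLICY_MODULES = ("amazon.aws.iam_policy", "iam_policy")
# Keys under which Ansible nests further tasks (plays, blocks, handlers).
TASK_CONTAINER_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers",
                       "block", "rescue", "always")


def iter_tasks(node: Any, path: str = "playbook") -> Iterator[tuple[str, dict]]:
    """Yield (path, task_dict) for every leaf task, descending into plays and blocks."""
    if isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_tasks(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        containers = [k for k in TASK_CONTAINER_KEYS if k in node]
        if containers:
            for key in containers:
                yield from iter_tasks(node[key], f"{path}.{key}")
        else:
            yield path, node


def module_args(task: dict) -> Optional[dict]:
    """Return the iam_policy arguments if the task calls that module, else None.

    Free-form 'key=value' string arguments are parsed into a dict so they are
    checked the same way as the YAML mapping form.
    """
    for module in IAM_POLICY_MODULES:
        if module not in task:
            continue
        args = task[module]
        if isinstance(args, dict):
            return args
        if isinstance(args, str):
            return dict(pair.split("=", 1) for pair in shlex.split(args) if "=" in pair)
        return {}
    return None


def check_task(path: str, task: dict) -> Optional[dict]:
    """Apply the rule: iam_type must be present and must not be 'user'."""
    args = module_args(task)
    if args is None:
        return None
    iam_type = args.get("iam_type")
    finding = {"path": path, "task": task.get("name", "<unnamed>")}
    if iam_type is None:
        finding["reason"] = "iam_type is missing"
    elif str(iam_type).strip().lower() == "user":
        finding["reason"] = "iam_type is 'user'"
    else:
        return None  # group or role; a templated value is not resolved here
    return finding


def find_violations(playbook: Any) -> list[dict]:
    """Return every flagged task in the parsed playbook, in document order."""
    findings = []
    for path, task in iter_tasks(playbook):
        finding = check_task(path, task)
        if finding:
            findings.append(finding)
    return findings


def scan_yaml(text: str) -> list[dict]:
    """Parse playbook YAML text and run the check (requires PyYAML)."""
    import yaml  # imported lazily so the rest of the module is stdlib-only
    return find_violations(yaml.safe_load(text))


# Constructed sample, already parsed; the first two tasks mirror the page's
# compliant and non-compliant examples, the third uses free-form args in a block.
SAMPLE_PLAYBOOK = [
    {
        "hosts": "localhost",
        "tasks": [
            {
                "name": "Assign a policy called Admin to the administrators group",
                "amazon.aws.iam_policy": {
                    "iam_type": "group", "iam_name": "administrators",
                    "policy_name": "Admin", "state": "present",
                    "policy_document": "admin_policy.json",
                },
            },
            {
                "name": "Assign a policy called Admin to user",
                "amazon.aws.iam_policy": {
                    "iam_type": "user", "iam_name": "administrators",
                    "policy_name": "Admin", "state": "present",
                    "policy_document": "admin_policy.json",
                },
            },
            {
                "name": "Deployment permissions",
                "block": [
                    {
                        "name": "Attach with short module name, free-form args, no iam_type",
                        "iam_policy": "iam_name=deploy-bot policy_name=Deploy policy_json={}",
                    },
                ],
            },
        ],
    }
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_PLAYBOOK):
        print(f"{f['path']}: {f['task']}: {f['reason']}")
```

The checker reports the task path (for example `playbook[0].tasks[2].block[0]`) so a finding can be traced back to the playbook position; a templated `iam_type` such as `"{{ target_type }}"` is not flagged, because its value is only known at run time.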

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Assign a policy called Admin to the administrators group
  amazon.aws.iam_policy:
    iam_type: group
    iam_name: administrators
    policy_name: Admin
    state: present
    policy_document: admin_policy.json
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Assign a policy called Admin to user
  amazon.aws.iam_policy:
    iam_type: user          # flagged: policy attached directly to an IAM user
    iam_name: administrators
    policy_name: Admin
    state: present
    policy_document: admin_policy.json
```
