By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.
Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reduced complexity may, in turn, lessen the opportunity for a principal to inadvertently receive or retain excessive privileges.
See the CIS AWS Foundations Benchmark controls docs for console remediation steps.
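One way to audit this control offline, as an added example that is not part of the benchmark or AWS's own tooling: the check below flags users that carry attached managed policies or inline policies, reading JSON shaped like the output of `aws iam get-account-authorization-details --filter User`. The function names and the sample users are assumptions made for illustration.

```python
import json

# Constructed sample shaped like the output of
# `aws iam get-account-authorization-details --filter User`.
SAMPLE = json.loads("""
{
  "UserDetailList": [
    {"UserName": "alice", "GroupList": ["developers"],
     "AttachedManagedPolicies": [], "UserPolicyList": []},
    {"UserName": "bob", "GroupList": [],
     "AttachedManagedPolicies": [
       {"PolicyName": "AdministratorAccess",
        "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
     "UserPolicyList": []},
    {"UserName": "carol", "GroupList": ["auditors"],
     "UserPolicyList": [{"PolicyName": "s3-read-inline", "PolicyDocument": {}}]}
  ]
}
""")


def users_with_direct_policies(details):
    """Return {user: {"managed": [...], "inline": [...]}} for non-compliant users."""
    findings = {}
    for user in details.get("UserDetailList", []):
        # Treat a missing key as an empty list so partial records still parse.
        managed = [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])]
        inline = [p["PolicyName"] for p in user.get("UserPolicyList", [])]
        if managed or inline:
            findings[user["UserName"]] = {"managed": managed, "inline": inline}
    return findings


def report(details):
    """Format one line per finding; group membership is shown for triage."""
    groups = {u["UserName"]: u.get("GroupList", []) for u in details["UserDetailList"]}
    lines = []
    for name, f in sorted(users_with_direct_policies(details).items()):
        lines.append(f"FAIL {name}: managed={f['managed']} inline={f['inline']} "
                     f"groups={groups[name]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "PASS: no user-level policies")
```

A user such as `bob`, who has a direct policy and no group membership, needs an equivalent group or role grant in place before the user-level policy is detached.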
16 Account Monitoring and Control