
Rule: IAM Groups, Users, and Roles Should Not Have Any Inline Policies

This rule checks that IAM groups, users, and roles carry no inline policies, so that every permission grant is a managed policy that can be inventoried, versioned, and reviewed in one place.

Rule: IAM groups, users, and roles should not have any inline policies
Framework: CISA-cyber-essentials
Severity: Low

Rule Description

The rule states that, under CISA-cyber-essentials, IAM groups, users, and roles should not have any inline policies. An inline policy is a policy document embedded directly in a single IAM entity (group, user, or role); it has no ARN of its own, cannot be attached to any other entity, supports no versioning, and is deleted together with the entity. A managed policy is a standalone IAM object with its own ARN that can be attached to many entities, keeps up to five versions, and shows up in a single account-wide inventory (aws iam list-policies). Managed policies are recommended because inline policies are easy to miss during a permissions review: an auditor has to open every user, group, and role individually to find them.

Troubleshooting Steps

If the scanner reports inline policies on IAM groups, users, or roles, follow these troubleshooting steps:

  1. Identify the IAM entities: Identify the specific IAM group(s), user(s), or role(s) that carry inline policies.

  2. Review the policy details: Read the content of each inline policy to understand the permissions it grants and the risk it carries (in particular, statements that allow "*" actions on "*" resources).

  3. Analyze the CISA-cyber-essentials requirements: Make sure you understand why the framework asks for centrally managed, reviewable permission grants.

  4. Decide on necessary changes: Based on your analysis, determine whether each inline policy should simply be removed (the permissions are not needed) or replaced with an equivalent managed policy (the permissions are needed).

Necessary Codes

No specific codes are required to understand or implement this rule. However, if you need to manage policies using AWS CLI, you can use the following commands:

  • To identify the inline policies embedded in an IAM entity (each command prints the inline policy names for one entity; run it for every group, user, and role, or dump everything at once with aws iam get-account-authorization-details):
aws iam list-group-policies --group-name <group-name>
aws iam list-user-policies --user-name <user-name>
aws iam list-role-policies --role-name <role-name>
  • To remove an inline policy from an IAM entity:
aws iam delete-group-policy --group-name <group-name> --policy-name <policy-name>
aws iam delete-user-policy --user-name <user-name> --policy-name <policy-name>
aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>
  • To create and manage managed policies:
aws iam create-policy --policy-name <policy-name> --policy-document file://policy.json
aws iam attach-group-policy --group-name <group-name> --policy-arn <policy-arn>
aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
aws iam attach-role-policy --role-name <role-name> --policy-arn <policy-arn>

Note: Replace <group-name>, <user-name>, <role-name>, <policy-name>, and <policy-arn> with the actual names and ARNs specific to your environment.

Step-by-Step Guide for Remediation

Follow these steps to remediate the policy violations reported under CISA-cyber-essentials:

  1. Identify the IAM entities: Use the AWS Management Console or AWS CLI to identify the IAM group(s), user(s), or role(s) that have inline policies attached.

  2. Review the policy details: Analyze the content of each inline policy to understand the permissions it grants, and decide whether those permissions are still required.

  3. Replace inline policies with managed policies: Based on your analysis, either remove the inline policy outright or re-create it as a managed policy. When the permissions are still needed, create and attach the managed policy first and delete the inline copy last, so the entity never loses access mid-change.

    • To remove an inline policy, follow these steps:

      • Open the IAM console.
      • Navigate to the respective IAM entity (group, user, or role).
      • Select the entity and go to the "Permissions" tab.
      • Click on the inline policy you want to remove.
      • Click on the "Delete" button and confirm the action.
    • To create and attach a managed policy, follow these steps:

      • Create the managed policy using the AWS Management Console or AWS CLI, using the same policy document as the inline policy it replaces (or a tightened version of it).
      • Open the IAM console.
      • Navigate to the respective IAM entity (group, user, or role).
      • Select the entity and go to the "Permissions" tab.
      • Click on the "Attach policies" button.
      • Search for and select the managed policy you created.
      • Click on the "Attach policy" button to attach the managed policy.

  4. Verify compliance: Confirm that no inline policies remain on the affected entities (aws iam list-user-policies, list-group-policies, and list-role-policies should each return an empty PolicyNames list) and that the entity's effective permissions now come only from managed policies. Re-run the scan to confirm the finding is closed.

By following these steps, you will successfully remediate the violation of having inline policies for IAM entities related to CISA-cyber-essentials.
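The troubleshooting and remediation procedures above are manual; the script below is an added example (not Cloud Defense's or AWS's code) that does the same work in one pass. It reads the JSON produced by aws iam get-account-authorization-details, reports every inline policy on every user, group, and role, flags the ones that grant "*" on "*", and generates the AWS CLI command sequence that migrates each inline policy to a managed policy in the safe order (export, create, attach, then delete). The account ID, entity names, and policy documents below are constructed sample data in the shape of the real CLI output; the managed-policy naming scheme (<kind>-<entity>-<policy>) is an assumption chosen to avoid name collisions, since managed policy names must be unique per account.

```python
"""Audit `aws iam get-account-authorization-details` output for inline policies
and emit a managed-policy migration plan.

Added example, not part of the original page. Runs offline on the constructed
sample below; in practice feed it the real dump:
    aws iam get-account-authorization-details --filter User Group Role \
        --output json > auth-details.json
"""
import json
import sys

# Constructed sample mimicking the CLI's JSON shape (account ID is fictitious).
SAMPLE_AUTH_DETAILS = json.dumps({
    "UserDetailList": [
        {"UserName": "alice", "UserPolicyList": [
            {"PolicyName": "alice-s3-inline", "PolicyDocument": {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]},
        {"UserName": "bob", "UserPolicyList": [],   # compliant: managed policy only
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    ],
    "GroupDetailList": [
        {"GroupName": "developers", "GroupPolicyList": [
            {"PolicyName": "dev-ec2-inline", "PolicyDocument": {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}}}]},
    ],
    "RoleDetailList": [
        {"RoleName": "ci-deploy", "RolePolicyList": [
            {"PolicyName": "deploy-inline", "PolicyDocument": {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
    ],
})

# (entity kind, list key in the dump, name key, key holding that entity's inline policies)
ENTITY_KINDS = (
    ("user", "UserDetailList", "UserName", "UserPolicyList"),
    ("group", "GroupDetailList", "GroupName", "GroupPolicyList"),
    ("role", "RoleDetailList", "RoleName", "RolePolicyList"),
)


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single item or a list."""
    return value if isinstance(value, list) else [value]


def is_admin_like(statement):
    """True for an Allow statement granting every action on every resource."""
    return (statement.get("Effect") == "Allow"
            and "*" in _as_list(statement.get("Action", []))
            and "*" in _as_list(statement.get("Resource", [])))


def find_inline_policies(auth_details_json):
    """One finding per inline policy found on any user, group, or role."""
    details = json.loads(auth_details_json)
    findings = []
    for kind, list_key, name_key, policy_key in ENTITY_KINDS:
        for entity in details.get(list_key, []):
            for inline in entity.get(policy_key, []):
                statements = _as_list(inline["PolicyDocument"].get("Statement", []))
                findings.append({
                    "kind": kind, "entity": entity[name_key], "policy": inline["PolicyName"],
                    "document": inline["PolicyDocument"],
                    "admin_like": any(is_admin_like(s) for s in statements),
                })
    return findings


def migration_commands(finding, account_id):
    """CLI steps that replace one inline policy with a managed policy of identical content.
    Create and attach before deleting so the entity never loses permissions mid-change."""
    kind, entity, policy = finding["kind"], finding["entity"], finding["policy"]
    managed_name = f"{kind}-{entity}-{policy}"           # assumed naming scheme, unique per account
    managed_arn = f"arn:aws:iam::{account_id}:policy/{managed_name}"
    doc_file = f"{managed_name}.json"
    return [
        f"aws iam get-{kind}-policy --{kind}-name {entity} --policy-name {policy} "
        f"--query PolicyDocument --output json > {doc_file}",
        f"aws iam create-policy --policy-name {managed_name} --policy-document file://{doc_file}",
        f"aws iam attach-{kind}-policy --{kind}-name {entity} --policy-arn {managed_arn}",
        f"aws iam delete-{kind}-policy --{kind}-name {entity} --policy-name {policy}",
    ]


def main(argv):
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_AUTH_DETAILS
    account_id = argv[2] if len(argv) > 2 else "123456789012"  # sample account ID
    for f in find_inline_policies(raw):
        flag = "  [REVIEW: grants * on *]" if f["admin_like"] else ""
        print(f"{f['kind']} {f['entity']}: inline policy {f['policy']}{flag}")
        for cmd in migration_commands(f, account_id):
            print("    " + cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python audit_inline.py auth-details.json <account-id> against a real dump; the printed commands are a plan to review, not to pipe blindly into a shell: an inline policy flagged as granting "*" on "*" should be tightened, not copied verbatim into a managed policy.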
