
Rule: IAM User Should Not Have Inline or Attached Policies

This rule checks that no IAM user has an inline policy or a directly attached managed policy, so that every user's permissions are granted through IAM groups (or assumed roles) and can be reviewed and revoked in one place.

Rule: IAM user should not have any inline or attached policies
Framework: CISA-cyber-essentials
Severity: Low

IAM User Policy Restriction for CISA Cyber Essentials

Rule Description

IAM (Identity and Access Management) is the AWS (Amazon Web Services) service for controlling which principals can access which AWS resources. AWS recommends granting permissions to IAM groups (or through roles) rather than attaching managed policies or inline policies directly to individual users: permissions attached to a user are easy to overlook in access reviews, drift away from the standard set granted to the user's peers, and tend to persist unnoticed when the user changes role or leaves. This rule, mapped to the CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials framework, therefore flags any IAM user that carries an inline policy or a directly attached managed policy.

Troubleshooting Steps

If the rule reports an IAM user with inline or attached policies, work through the following steps:

  1. Identify the affected IAM user(s): determine which users have policies attached directly. This can be done by reviewing each user's Permissions tab in the AWS Management Console or with the AWS CLI commands shown below.

  2. Verify the policy attachments: list both the directly attached managed policies and the inline policies of each identified user, and note what permissions they grant. These are the permissions that must be preserved (if still needed) through a group before they are removed from the user.

  3. Remove the inline or attached policies: once the user's legitimate permissions are provided through an IAM group, detach the managed policies and delete the inline policies from the user, either in the AWS Management Console or with the AWS CLI.

  4. Test the policy restriction: after removal, confirm that both listings for the user are empty, and that the user can still perform their legitimate tasks through the group's permissions.

Code Examples

If an IAM user is found to have inline or directly attached policies, the following AWS CLI commands list and remove them. Detach or delete only after the permissions the user still needs have been granted through a group, otherwise the user loses access the moment the policy is removed.

AWS CLI Command to List Attached Policies

aws iam list-attached-user-policies --user-name <IAM_USER_NAME>

AWS CLI Command to Detach a Policy

aws iam detach-user-policy --user-name <IAM_USER_NAME> --policy-arn <POLICY_ARN>

AWS CLI Command to List Inline Policies

aws iam list-user-policies --user-name <IAM_USER_NAME>

AWS CLI Command to Delete an Inline Policy

aws iam delete-user-policy --user-name <IAM_USER_NAME> --policy-name <POLICY_NAME>

Replace <IAM_USER_NAME>, <POLICY_ARN>, and <POLICY_NAME> with the values specific to your setup.

Remediation Guide

To bring IAM users into line with this rule, follow the step-by-step guide below:

  1. Identify the IAM user(s) that have inline or directly attached policies.

  2. List the attached managed policies with the AWS CLI command:

    aws iam list-attached-user-policies --user-name <IAM_USER_NAME>
    
  3. For each attached policy the user still needs, grant it through an IAM group the user belongs to (or a role the user assumes) first; then detach it from the user:

    aws iam detach-user-policy --user-name <IAM_USER_NAME> --policy-arn <POLICY_ARN>
    
  4. List the inline policies with the AWS CLI command:

    aws iam list-user-policies --user-name <IAM_USER_NAME>
    
  5. Inline policies have no ARN and cannot be shared, so if their permissions are still needed, re-create the policy document on the group before deleting the user's copy:

    aws iam delete-user-policy --user-name <IAM_USER_NAME> --policy-name <POLICY_NAME>
    
  6. Repeat steps 2-5 for each IAM user that has inline or attached policies.

  7. Re-run the list commands from steps 2 and 4 for each user; both AttachedPolicies and PolicyNames should now be empty lists, and the rule should no longer report the user.

By following this guide, every IAM user's permissions come from groups or roles rather than from policies attached to the user, which is what this rule enforces.
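The guide above is per user and per policy. The following script is an added example, not Cloud Defense's own code, that does the same audit and migration across an account in one pass: it finds every user with direct policies, plans the move to a group (grants are added to the group before they are removed from the user, so access is never interrupted), and only touches the account when dry_run is switched off. The audit and planning functions work on plain dicts shaped like the IAM API responses, so the constructed sample data below runs offline; the live paths assume boto3 and configured AWS credentials, and the group name "migrated-<user>" is a hypothetical convention.

```python
"""Audit IAM users for inline or directly attached policies and move them to groups.

Added example, not Cloud Defense's own code. find_violations / plan_remediation
operate on dicts shaped like the IAM API responses; apply_plan and audit_live
assume a boto3 IAM client and credentials with iam:* permissions on the users.
"""
from __future__ import annotations

import json

# Constructed sample data (not real account data) in the shape returned by
# list-attached-user-policies, list-user-policies and list-users.
SAMPLE_USERS = ["alice", "bob", "ci-deployer"]
SAMPLE_ATTACHED = {
    "alice": [{"PolicyName": "ReadOnlyAccess",
               "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
    "bob": [],
    "ci-deployer": [{"PolicyName": "DeployPolicy",
                     "PolicyArn": "arn:aws:iam::123456789012:policy/DeployPolicy"}],
}
SAMPLE_INLINE = {"alice": [], "bob": ["s3-bucket-access"], "ci-deployer": []}


def find_violations(users, attached_by_user, inline_by_user):
    """Return {user: {"attached": [policy ARNs], "inline": [policy names]}}
    for every user carrying a policy directly instead of through a group."""
    violations = {}
    for user in users:
        attached = [p["PolicyArn"] for p in attached_by_user.get(user, [])]
        inline = list(inline_by_user.get(user, []))
        if attached or inline:
            violations[user] = {"attached": attached, "inline": inline}
    return violations


def plan_remediation(violations):
    """Turn violations into an ordered list of IAM operations.

    Each user gets its own group (hypothetical name "migrated-<user>") so one
    user's permissions are never granted to another; consolidate groups by hand
    afterwards. Group grants are emitted before the matching user removal so the
    user keeps access throughout the migration."""
    steps = []
    for user, v in violations.items():
        group = f"migrated-{user}"
        steps.append(("create_group", group))
        steps.append(("add_user_to_group", user, group))
        for arn in v["attached"]:
            steps.append(("attach_group_policy", group, arn))
            steps.append(("detach_user_policy", user, arn))
        for name in v["inline"]:
            # Inline policies have no ARN: copy the document to the group first.
            steps.append(("copy_inline_to_group", user, group, name))
            steps.append(("delete_user_policy", user, name))
    return steps


def apply_plan(iam, steps, dry_run=True):
    """Execute the plan with a boto3 IAM client; with dry_run=True only print it."""
    for step in steps:
        print("DRY-RUN" if dry_run else "APPLY", *step)
        if dry_run:
            continue
        op = step[0]
        if op == "create_group":
            try:
                iam.create_group(GroupName=step[1])
            except iam.exceptions.EntityAlreadyExistsException:
                pass  # idempotent re-run
        elif op == "add_user_to_group":
            iam.add_user_to_group(UserName=step[1], GroupName=step[2])
        elif op == "attach_group_policy":
            iam.attach_group_policy(GroupName=step[1], PolicyArn=step[2])
        elif op == "detach_user_policy":
            iam.detach_user_policy(UserName=step[1], PolicyArn=step[2])
        elif op == "copy_inline_to_group":
            doc = iam.get_user_policy(UserName=step[1], PolicyName=step[3])["PolicyDocument"]
            iam.put_group_policy(GroupName=step[2], PolicyName=step[3],
                                 PolicyDocument=json.dumps(doc))
        elif op == "delete_user_policy":
            iam.delete_user_policy(UserName=step[1], PolicyName=step[2])


def audit_live(iam):
    """Collect users and their direct policies from a real account via boto3."""
    users = [u["UserName"] for page in iam.get_paginator("list_users").paginate()
             for u in page["Users"]]
    attached = {u: iam.list_attached_user_policies(UserName=u)["AttachedPolicies"]
                for u in users}
    inline = {u: iam.list_user_policies(UserName=u)["PolicyNames"] for u in users}
    return users, attached, inline


if __name__ == "__main__":
    # Offline run on the constructed sample. For a real account use
    # audit_live(boto3.client("iam")) and dry_run=False after reviewing the plan.
    found = find_violations(SAMPLE_USERS, SAMPLE_ATTACHED, SAMPLE_INLINE)
    apply_plan(None, plan_remediation(found), dry_run=True)
```

Run it once as-is to see the plan for the sample data, then swap in audit_live with a real client and keep dry_run=True until the printed plan has been reviewed; only then set dry_run=False. The per-user group is deliberate: merging every violator's policies into a single group would grant each user the union of everyone's permissions.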
