IAM Groups, Users, and Roles Should Not Have Any Inline Policies

This rule ensures that IAM groups, users, and roles do not have any inline policies.

Rule: IAM groups, users, and roles should not have any inline policies
Framework: FedRAMP Low Revision 4
Severity: Low

Rule Description: According to the FedRAMP Low Revision 4 security standards, IAM (Identity and Access Management) groups, users, and roles should not have inline policies. Inline policies are policies directly attached to individual IAM resources, such as groups, users, or roles, rather than being managed as separate policy documents. This rule aims to ensure compliance with the access control requirements and maintain a centralized and scalable approach to policy management.

Troubleshooting Steps: If inline policies are found for IAM groups, users, or roles, you can follow these troubleshooting steps to remediate the issue:

  1. Identify the IAM resource(s) with inline policies: Start by identifying the specific groups, users, or roles that have inline policies attached.

  2. Review the inline policies: Examine each inline policy to understand its scope, permissions, and potential conflicts with any existing managed policies.

  3. Convert inline policies to managed policies: Create a new managed policy with the same permissions as the inline policy. Ensure the policy follows the principle of least privilege and is appropriately scoped. Remove the inline policy once the managed policy is created.

  4. Attach the managed policy: Once the managed policy is created, attach it to the relevant IAM group, user, or role.

  5. Test and validate: Verify that the access and permissions for the IAM resource(s) are still functioning as expected after applying the managed policy.

Necessary Code (if applicable): In certain cases, converting an inline policy to a managed policy may require you to use the AWS CLI or API calls. Here's an example command to create a managed policy using the AWS CLI:

    aws iam create-policy --policy-name MyManagedPolicy --policy-document file://policy.json

Replace MyManagedPolicy with an appropriate name for your policy, and policy.json with the path to a JSON file containing the policy document.

Remediation Steps: To comply with the rule and remediate the presence of inline policies, follow these step-by-step instructions:

  1. Review existing inline policies: Identify all IAM groups, users, and roles that currently have inline policies attached.

  2. Convert inline policies to managed policies:

    • Create a new managed policy using the AWS Management Console, AWS CLI, or API calls.
    • Ensure the policy document for the managed policy includes the necessary permissions required for the IAM resource.
    • Take into account the principle of least privilege when defining the policy.

  3. Detach inline policies and attach managed policies:

    • For each IAM group, user, or role with inline policies, detach the inline policy.
    • Attach the corresponding managed policy to the resource.
    • Repeat this step for all identified IAM resources.

  4. Validate the changes: Test the access and permissions of the IAM resources to ensure they function correctly with the newly attached managed policies.

By following these steps, you will have remediated the presence of inline policies and brought your IAM configuration into compliance with the FedRAMP Low Revision 4 requirements.
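The following added example (not part of this rule page or of any vendor tooling) automates the review and conversion steps above: it walks the output of `aws iam get-account-authorization-details`, flags every inline policy on users, groups, and roles, and emits the AWS CLI sequence that creates an equivalent managed policy, attaches it, and only then deletes the inline policy. The sample data, the `<name>-<policy>-managed` naming scheme, and the `ACCOUNT_ID` placeholder are assumptions made for the example.

```python
import json

# Constructed sample (not real account data) in the shape of
# `aws iam get-account-authorization-details --output json`, where the CLI has
# already decoded each inline PolicyDocument to JSON.
SAMPLE = {
    "UserDetailList": [
        {"UserName": "alice", "UserPolicyList": [{"PolicyName": "s3-read", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                                   "Resource": "arn:aws:s3:::example-bucket/*"}]}}]},
        {"UserName": "bob", "UserPolicyList": []},  # compliant: no inline policy
    ],
    "GroupDetailList": [
        {"GroupName": "ops", "GroupPolicyList": [{"PolicyName": "ec2-describe", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}}]},
    ],
    "RoleDetailList": [{"RoleName": "app-role", "RolePolicyList": [],  # compliant: managed policy only
                        "AttachedManagedPolicies": [{"PolicyName": "AmazonS3ReadOnlyAccess"}]}],
}

# (kind as spelled in the CLI verbs, list key, name key, inline-policy list key)
PRINCIPAL_KINDS = (
    ("user", "UserDetailList", "UserName", "UserPolicyList"),
    ("group", "GroupDetailList", "GroupName", "GroupPolicyList"),
    ("role", "RoleDetailList", "RoleName", "RolePolicyList"),
)

def find_inline_policies(details):
    """Return (kind, principal name, policy name, document) for every inline policy."""
    findings = []
    for kind, list_key, name_key, inline_key in PRINCIPAL_KINDS:
        for principal in details.get(list_key, []):
            for pol in principal.get(inline_key, []):
                findings.append((kind, principal[name_key], pol["PolicyName"], pol["PolicyDocument"]))
    return findings

def remediation_plan(findings, account_id="ACCOUNT_ID"):
    """Per finding: a managed-policy name, its document, and the CLI sequence
    create -> attach -> delete-inline, so the principal never loses access."""
    plan = []
    for kind, name, pol_name, doc in findings:
        managed = f"{name}-{pol_name}-managed"  # hypothetical naming scheme
        arn = f"arn:aws:iam::{account_id}:policy/{managed}"  # ACCOUNT_ID is a placeholder
        plan.append({"managed_policy_name": managed, "policy_document": json.dumps(doc), "commands": [
            f"aws iam create-policy --policy-name {managed} --policy-document file://{managed}.json",
            f"aws iam attach-{kind}-policy --{kind}-name {name} --policy-arn {arn}",
            f"aws iam delete-{kind}-policy --{kind}-name {name} --policy-name {pol_name}",
        ]})
    return plan
```

Write each entry's policy_document to the file named in its create-policy command before running the sequence, and review the document for least privilege first rather than copying an over-broad inline policy verbatim.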
