This rule ensures that IAM groups, users, and roles do not have any inline policies.
| Rule | IAM groups, users, and roles should not have any inline policies |
| Framework | FedRAMP Low Revision 4 |
| Severity | Low |
Rule Description: According to the FedRAMP Low Revision 4 security standards, IAM (Identity and Access Management) groups, users, and roles should not have inline policies. Inline policies are embedded directly in a single IAM principal (a group, user, or role) rather than being managed as separate, reusable policy documents that can be attached to many principals. This rule aims to ensure compliance with the access control requirements and to maintain a centralized and scalable approach to policy management.
Troubleshooting Steps: If inline policies are found for IAM groups, users, or roles, you can follow these troubleshooting steps to remediate the issue:
Identify the IAM resource(s) with inline policies: Start by identifying the specific groups, users, or roles that have inline policies attached.
Review the inline policies: Examine each inline policy to understand its scope, permissions, and potential conflicts with any existing managed policies.
Convert inline policies to managed policies: Create a new managed policy with the same permissions as the inline policy. Ensure the policy follows the principle of least privilege and is appropriately scoped. Remove the inline policy once the managed policy is created.
Attach the managed policy: Once the managed policy is created, attach it to the relevant IAM group, user, or role.
Test and validate: Verify that the access and permissions for the IAM resource(s) are still functioning as expected after applying the managed policy.
Necessary Code (if applicable): In certain cases, converting an inline policy to a managed policy may require you to use the AWS CLI or API calls. Here's an example command to create a managed policy using the AWS CLI:
aws iam create-policy --policy-name MyManagedPolicy --policy-document file://policy.json
Replace MyManagedPolicy with an appropriate name for your policy, and policy.json with the path to a JSON file containing the policy document.
Remediation Steps: To comply with the rule and remediate the presence of inline policies, follow these step-by-step instructions:
Review existing inline policies: Identify all IAM groups, users, and roles that currently have inline policies attached.
Convert inline policies to managed policies:
Detach inline policies and attach managed policies:
Validate the changes: Test the access and permissions of the IAM resources to ensure they function correctly with the newly attached managed policies.
By following these steps, you will have successfully remediated the presence of inline policies and brought your IAM configuration into compliance with the FedRAMP Low Revision 4 requirements.
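The audit and conversion described in the Necessary Code and Remediation Steps sections above, as an added boto3 example that is not part of this page: it enumerates every user, group and role for inline policies, then copies one inline policy into a customer managed policy, attaches it, and only then deletes the inline original. The IAM client is passed in as a parameter; `FakeIAM`, the user `alice`, the policy `s3-read` and the account id `123456789012` are constructed fixtures, and with a real account you would pass `boto3.client("iam")` instead.

```python
import json
NAME_KEY = {"user": "UserName", "group": "GroupName", "role": "RoleName"}

def _pages(method, key, **kw):
    """Walk a paginated IAM list_* call (IsTruncated/Marker) and yield every item."""
    resp = method(**kw)
    yield from resp[key]
    while resp.get("IsTruncated"):
        resp = method(Marker=resp["Marker"], **kw)
        yield from resp[key]

def find_inline_policies(iam):
    """Return [(kind, principal, inline_policy_name)] across all users, groups and roles."""
    findings = []
    for kind, key in (("user", "Users"), ("group", "Groups"), ("role", "Roles")):
        for principal in _pages(getattr(iam, f"list_{kind}s"), key):
            name = principal[NAME_KEY[kind]]
            for pol in _pages(getattr(iam, f"list_{kind}_policies"), "PolicyNames", **{NAME_KEY[kind]: name}):
                findings.append((kind, name, pol))
    return findings

def convert_inline_to_managed(iam, kind, principal, policy_name):
    """Copy one inline policy into a customer managed policy, attach it, then delete the inline one."""
    ident = {NAME_KEY[kind]: principal}
    doc = getattr(iam, f"get_{kind}_policy")(PolicyName=policy_name, **ident)["PolicyDocument"]
    # boto3 returns PolicyDocument already decoded to a dict; create_policy wants the JSON text.
    created = iam.create_policy(PolicyName=f"{principal}-{policy_name}", PolicyDocument=json.dumps(doc))
    arn = created["Policy"]["Arn"]
    getattr(iam, f"attach_{kind}_policy")(PolicyArn=arn, **ident)
    # Delete the inline copy only after the managed policy is attached, so access never lapses.
    getattr(iam, f"delete_{kind}_policy")(PolicyName=policy_name, **ident)
    return arn

class FakeIAM:
    """Constructed stand-in for boto3.client("iam"): one user 'alice' with one inline policy."""
    def __init__(self):
        self.inline = {"alice": {"s3-read": {"Version": "2012-10-17", "Statement": []}}}
        self.managed, self.attached = {}, []
    def list_users(self, **kw): return {"Users": [{"UserName": "alice"}]}
    def list_user_policies(self, UserName, **kw): return {"PolicyNames": list(self.inline.get(UserName, {}))}
    def get_user_policy(self, UserName, PolicyName): return {"PolicyDocument": self.inline[UserName][PolicyName]}
    def create_policy(self, PolicyName, PolicyDocument):
        arn = f"arn:aws:iam::123456789012:policy/{PolicyName}"  # constructed placeholder account id
        self.managed[arn] = json.loads(PolicyDocument)
        return {"Policy": {"Arn": arn}}
    def attach_user_policy(self, UserName, PolicyArn): self.attached.append((UserName, PolicyArn))
    def delete_user_policy(self, UserName, PolicyName): del self.inline[UserName][PolicyName]
    def __getattr__(self, name):  # groups, roles and their inline policies are empty in this fixture
        return lambda **kw: {"Groups": [], "Roles": [], "PolicyNames": []}
```

A mechanical copy preserves whatever permissions the inline policy granted, so review the document for least privilege before calling create_policy; note also that a managed policy is capped at 6,144 non-whitespace characters, smaller than the 10,240 allowed for a role's inline policies, so a very large role policy may have to be split into several managed policies.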