
IAM Groups, Users, and Roles No Inline Policies Rule

Ensure IAM groups, users, and roles do not have any inline policies.

Rule: IAM groups, users, and roles should not have any inline policies
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Low

Rule Description

This rule flags IAM groups, users, and roles that carry inline policies, as part of the Federal Financial Institutions Examination Council (FFIEC) framework. An inline policy is embedded directly in a single IAM entity (a group, user, or role) and exists only there, whereas a managed policy is a standalone object that can be attached to many entities. The rule aims to ensure that FFIEC-related permissions are granted only through managed policies, which offer centralized control and consistent policy enforcement.

Reason for the Rule

By disallowing inline policies for FFIEC, the organization keeps its IAM configuration more robust and easier to manage. Centralized managed policies improve security and compliance by ensuring that the permissions related to FFIEC are governed through controlled and auditable mechanisms.

Troubleshooting Steps

No specific troubleshooting steps are required for this rule, as it is a preventive measure. However, if inline policies for FFIEC are found, follow the remediation steps below to return the entity to a compliant state.

Remediation

If any IAM groups, users, or roles are found with inline policies related to FFIEC, follow the steps below to remediate the issue:

  1. Identify the IAM entity (group/user/role) with the inline policy for FFIEC.
  2. Review the policy and determine the corresponding managed policy that aligns with the FFIEC requirements.
  3. Create a new managed policy or modify an existing one to include the necessary FFIEC permissions.
  4. Attach the newly created or modified managed policy to the IAM entity instead of the inline policy.
  5. Test the updated configuration to ensure the proper application of the FFIEC-related permissions.

CLI Commands

The following AWS CLI commands can be used for remediation if inline policies for FFIEC are found:

  1. List all IAM groups:
     aws iam list-groups
  2. List all IAM users:
     aws iam list-users
  3. List all IAM roles:
     aws iam list-roles
  4. List the inline policies embedded in an IAM group, user, or role (note that list-attached-*-policies only shows attached managed policies and will not reveal inline policies):
     aws iam list-group-policies --group-name <group_name>
     aws iam list-user-policies --user-name <user_name>
     aws iam list-role-policies --role-name <role_name>
  5. Retrieve the inline policy document so its permissions can be carried over into a managed policy:
     aws iam get-group-policy --group-name <group_name> --policy-name <inline_policy_name>
     aws iam get-user-policy --user-name <user_name> --policy-name <inline_policy_name>
     aws iam get-role-policy --role-name <role_name> --policy-name <inline_policy_name>
  6. Create a managed policy, or add a new default version to an existing one:
     aws iam create-policy --policy-name <policy_name> --policy-document <policy_document>
     aws iam create-policy-version --policy-arn <policy_arn> --policy-document <policy_document> --set-as-default
  7. Attach the managed policy to the IAM entity:
     aws iam attach-group-policy --group-name <group_name> --policy-arn <policy_arn>
     aws iam attach-user-policy --user-name <user_name> --policy-arn <policy_arn>
     aws iam attach-role-policy --role-name <role_name> --policy-arn <policy_arn>
  8. Delete the inline policy from the IAM entity once the managed policy is attached (inline policies are deleted by name, not detached by ARN; deleting first would leave the entity without its permissions):
     aws iam delete-group-policy --group-name <group_name> --policy-name <inline_policy_name>
     aws iam delete-user-policy --user-name <user_name> --policy-name <inline_policy_name>
     aws iam delete-role-policy --role-name <role_name> --policy-name <inline_policy_name>

Ensure that you replace <group_name>, <user_name>, <role_name>, <policy_arn>, <policy_name>, <policy_document>, and any other angle-bracketed placeholder with the actual names and values specific to your environment.
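As an added example (not code from this Cloud Defense page), the check below scans a single `aws iam get-account-authorization-details` dump for inline policies on users, groups, and roles, and builds the delete-*-policy command for each finding. The JSON is a constructed sample in that command's output shape, not real account data.

```python
import json

# Constructed sample in the shape of `aws iam get-account-authorization-details`
# output, trimmed to the fields this check reads. Not real account data.
SAMPLE_DETAILS = json.dumps({
    "UserDetailList": [
        {"UserName": "alice", "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "alice-s3-inline", "PolicyDocument": {}}]},
        {"UserName": "bob", "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    ],
    "GroupDetailList": [
        {"GroupName": "auditors",
         "GroupPolicyList": [{"PolicyName": "auditors-inline", "PolicyDocument": {}}]},
    ],
    "RoleDetailList": [{"RoleName": "app-role", "RolePolicyList": []}],
})

# Per entity kind: list key, name key, inline-policy list key, and the CLI verb
# that removes an inline policy (inline policies are deleted, not detached).
ENTITY_KINDS = {
    "User":  ("UserDetailList",  "UserName",  "UserPolicyList",  "delete-user-policy --user-name"),
    "Group": ("GroupDetailList", "GroupName", "GroupPolicyList", "delete-group-policy --group-name"),
    "Role":  ("RoleDetailList",  "RoleName",  "RolePolicyList",  "delete-role-policy --role-name"),
}

def find_inline_policies(details_json):
    """Return (kind, entity name, inline policy name) for every inline policy found.
    Attached managed policies are ignored: they are the compliant form."""
    details = json.loads(details_json)
    findings = []
    for kind, (list_key, name_key, inline_key, _) in ENTITY_KINDS.items():
        for entity in details.get(list_key, []):
            for policy in entity.get(inline_key, []):
                findings.append((kind, entity[name_key], policy["PolicyName"]))
    return findings

def remediation_commands(details_json):
    """Build the delete command for each finding. Run these only after an
    equivalent managed policy has been attached, to avoid a permission gap."""
    return [f"aws iam {ENTITY_KINDS[kind][3]} {name} --policy-name {policy}"
            for kind, name, policy in find_inline_policies(details_json)]

if __name__ == "__main__":
    for kind, name, policy in find_inline_policies(SAMPLE_DETAILS):
        print(f"NON-COMPLIANT {kind} {name}: inline policy {policy!r}")
    print("\n".join(remediation_commands(SAMPLE_DETAILS)))
```

On a real account, feed the functions the output of `aws iam get-account-authorization-details --output json` instead of the sample; one call covers every user, group, and role, so no per-entity list-*-policies loop is needed.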

Compliance

Regularly review IAM entities for any inline policies related to FFIEC and ensure adherence to the rule. Using managed policies for FFIEC permissions provides better control and simplifies the auditing process for regulatory compliance purposes.
