Ensure IAM groups, users, and roles do not have any inline policies.
Rule | IAM groups, users, and roles should not have any inline policies |
Framework | Federal Financial Institutions Examination Council (FFIEC) |
Severity | Low |
Rule Description
The rule checks that no IAM group, user, or role has an inline policy. An inline policy is embedded in a single principal and exists only as part of that group, user, or role; a managed policy (AWS managed or customer managed) is a standalone IAM object with its own ARN that can be attached to many principals, versioned, and reviewed in one place. The rule is part of the FFIEC framework mapping; it does not concern what a policy allows, only the mechanism by which permissions are granted. Permissions should be granted through managed policies so that they can be controlled centrally and enforced consistently.
Reason for the Rule
Disallowing inline policies keeps the IAM configuration easier to manage and to audit. Permissions scattered across inline policies must be inspected principal by principal, and the same inline document copied onto several principals drifts as each copy is edited separately. A customer managed policy is defined once, keeps a version history (with rollback to an earlier version), and can be attached to or detached from every principal that needs it, which supports the controlled, auditable permission governance that an FFIEC-aligned program expects.
Troubleshooting Steps
This is a detective control, so there are no troubleshooting steps as such. A finding means at least one group, user, or role still carries an inline policy: list them with aws iam list-user-policies, list-group-policies, and list-role-policies (the list-attached-* commands show only managed policies and say nothing about inline ones) and apply the remediation below.
Remediation
If any IAM group, user, or role is found with an inline policy, migrate it to a managed policy as follows:
Identify the IAM entity (group, user, or role) and the name of its inline policy.
Retrieve the inline policy document and check whether an existing managed policy already grants the same permissions; reusing one avoids duplicate policies.
If none does, create a customer managed policy from the inline document, or add a new version to an existing managed policy. Mind the size limits: a managed policy document is limited to 6,144 characters, whereas a role may carry up to 10,240 characters of inline policy in total, so a large inline policy may have to be split across more than one managed policy.
Attach the managed policy to the entity before removing the inline policy, so the principal never loses its permissions. Each user, group, or role can have at most 10 managed policies attached by default (adjustable to 20), so consolidate where necessary.
Delete the inline policy, then verify (for example with the IAM policy simulator, or by exercising the workload) that the entity still has exactly the permissions it needs and nothing more.
CLI Commands
The following AWS CLI commands support detection and remediation. Note that list-attached-*-policies and detach-*-policy operate on managed policies; inline policies are listed, read, and removed with the list-*-policies, get-*-policy, and delete-*-policy commands.
Enumerate principals:
aws iam list-groups
aws iam list-users
aws iam list-roles
List inline policies on a principal (an empty PolicyNames list means the principal is compliant):
aws iam list-group-policies --group-name <group_name>
aws iam list-user-policies --user-name <user_name>
aws iam list-role-policies --role-name <role_name>
Read an inline policy document:
aws iam get-group-policy --group-name <group_name> --policy-name <policy_name>
aws iam get-user-policy --user-name <user_name> --policy-name <policy_name>
aws iam get-role-policy --role-name <role_name> --policy-name <policy_name>
Check which managed policies are already attached, to reuse one where possible:
aws iam list-attached-group-policies --group-name <group_name>
aws iam list-attached-user-policies --user-name <user_name>
aws iam list-attached-role-policies --role-name <role_name>
Create a customer managed policy, or add a version to an existing one:
aws iam create-policy --policy-name <policy_name> --policy-document <policy_document>
aws iam create-policy-version --policy-arn <policy_arn> --policy-document <policy_document> --set-as-default
Attach the managed policy:
aws iam attach-group-policy --group-name <group_name> --policy-arn <policy_arn>
aws iam attach-user-policy --user-name <user_name> --policy-arn <policy_arn>
aws iam attach-role-policy --role-name <role_name> --policy-arn <policy_arn>
Only then delete the inline policy:
aws iam delete-group-policy --group-name <group_name> --policy-name <policy_name>
aws iam delete-user-policy --user-name <user_name> --policy-name <policy_name>
aws iam delete-role-policy --role-name <role_name> --policy-name <policy_name>
Replace <group_name>, <user_name>, <role_name>, <policy_arn>, <policy_name>, and <policy_document> with the names and values specific to your environment; <policy_document> may be given as a JSON string or as file://path/to/policy.json.
Compliance
Regularly review IAM groups, users, and roles for inline policies and migrate any that appear. Granting permissions only through managed policies keeps the set of effective policies small and centrally visible, which simplifies collecting evidence for regulatory audits.
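The remediation procedure and CLI commands above, together with the periodic review this section asks for, as one added example (editorial example code, not part of the original page and not an AWS-provided tool): a POSIX shell script that lists every inline policy in the account and migrates a named inline policy to a customer managed policy, attaching the new policy before deleting the inline one. It assumes the AWS CLI is installed with credentials that allow the iam:List*, iam:Get*, iam:CreatePolicy, iam:Attach*Policy, and iam:Delete*Policy actions. The aws invocations are real CLI commands; the function names, the DRY_RUN variable, and the placeholder ARN printed under dry run are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit an account for inline
# policies and migrate one of them to a customer managed policy.
# Assumes the AWS CLI is on PATH with credentials permitted to call
# iam:List*, iam:Get*, iam:CreatePolicy, iam:Attach*Policy and iam:Delete*Policy.
set -eu

# CLI flag that names an entity of the given type.
entity_flag() {
  case "$1" in
    user)  echo "--user-name" ;;
    group) echo "--group-name" ;;
    role)  echo "--role-name" ;;
    *)     echo "unknown entity type: $1" >&2; return 1 ;;
  esac
}

# Names of every entity of one type; the CLI follows pagination for us.
entity_names() {
  case "$1" in
    user)  aws iam list-users  --query 'Users[].UserName'   --output text ;;
    group) aws iam list-groups --query 'Groups[].GroupName' --output text ;;
    role)  aws iam list-roles  --query 'Roles[].RoleName'   --output text ;;
  esac
}

# Inline policy names on one entity. list-<type>-policies returns inline
# policies only; list-attached-<type>-policies would show managed policies.
inline_policies_for() {
  aws iam "list-$1-policies" "$(entity_flag "$1")" "$2" \
    --query 'PolicyNames' --output text
}

# Print "type name policy" for every inline policy in the account.
# Empty output means the account is compliant with the rule.
audit_inline_policies() {
  local kind name policy
  for kind in user group role; do
    for name in $(entity_names "$kind"); do
      for policy in $(inline_policies_for "$kind" "$name"); do
        echo "$kind $name $policy"
      done
    done
  done
}

# Run a mutating command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "DRY_RUN: $*" >&2
  else
    "$@"
  fi
}

# Move one inline policy into a customer managed policy with the same
# document. Order matters: create and attach the managed policy first and
# delete the inline policy last, so the principal never loses permissions.
# Prints the ARN of the managed policy.
migrate_inline_policy() {
  local kind="$1" name="$2" policy="$3" managed_name flag doc arn
  managed_name="${4:-${name}-${policy}}"
  flag="$(entity_flag "$kind")"
  doc="$(mktemp)"
  # get-<type>-policy returns PolicyDocument already URL-decoded as JSON.
  aws iam "get-$kind-policy" "$flag" "$name" --policy-name "$policy" \
    --query 'PolicyDocument' --output json > "$doc"
  arn="$(run aws iam create-policy --policy-name "$managed_name" \
    --policy-document "file://$doc" --query 'Policy.Arn' --output text)"
  # Under DRY_RUN nothing was created, so print a placeholder ARN (example's own).
  [ -n "$arn" ] || arn="arn:aws:iam::ACCOUNT:policy/$managed_name"
  run aws iam "attach-$kind-policy" "$flag" "$name" --policy-arn "$arn"
  run aws iam "delete-$kind-policy" "$flag" "$name" --policy-name "$policy"
  rm -f "$doc"
  echo "$arn"
}

case "${1:-}" in
  audit)   audit_inline_policies ;;
  migrate) shift; migrate_inline_policy "$@" ;;
  *) echo "usage: $0 audit | migrate user|group|role <name> <inline-policy> [managed-name]" >&2 ;;
esac
```

Run `sh inline-policies.sh audit` to get one line per inline policy (no output means the account is compliant). `DRY_RUN=1 sh inline-policies.sh migrate role deploy ec2-admin` prints the create, attach, and delete calls without executing them; the same command without DRY_RUN performs the migration. The script does not check the managed-policy size limit or the per-entity attachment quota, and IAM is eventually consistent, so re-run the audit a little after the last deletion before recording the account as compliant.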