
Rule: IAM Groups, Users, and Roles Should Not Have Any Inline Policies

This rule states that IAM groups, users, and roles should not have any inline policies to ensure security and compliance.

Rule: IAM groups, users, and roles should not have any inline policies
Framework: GxP 21 CFR Part 11
Severity: Low

The rule/policy states that IAM (Identity and Access Management) groups, users, and roles should not have any inline policies for GxP 21 CFR Part 11. This rule is in place to ensure that access to sensitive data and systems relating to GxP (Good Practice) 21 CFR Part 11 compliance is properly controlled and managed.

Rule Description:

Inline policies are policies embedded directly in a single IAM entity (a group, user, or role); they exist only as part of that entity and define which actions it may perform. Managed policies, by contrast, are standalone policy objects that can be attached to many entities, versioned, and reviewed in one place. For GxP 21 CFR Part 11 compliance, it is recommended to use managed policies instead of inline policies, because managed policies provide centralized control and easier management of permissions for GxP-related activities.

By following this rule, organizations can ensure that access to GxP compliance-related resources is properly governed and in accordance with specific regulatory requirements.

Troubleshooting Steps:

If an IAM entity has an inline policy for GxP 21 CFR Part 11, the following troubleshooting steps can be taken:

  1. Identify the IAM entity(s) with the inline policy: Determine which groups, users, or roles have the inline policy attached.

  2. Review the inline policy: Verify the contents of the inline policy to identify any permissions or actions related to GxP 21 CFR Part 11.

  3. Assess the necessity of the inline policy: Evaluate whether the inline policy is required for GxP compliance. If not, it should be removed or replaced with a managed policy.

  4. Replace the inline policy with a managed policy: Create a managed policy that includes the necessary permissions for GxP compliance and attach it to the respective IAM entity(s).

  5. Test and validate: Verify that the IAM entity(s) can still perform their intended tasks without any disruption after the replacement of the inline policy.

Necessary Codes:

If necessary, the following AWS CLI command can be used to create a managed policy:

$ aws iam create-policy --policy-name GxP21CFRPart11Policy --policy-document file://gxppolicy.json

In this command, "GxP21CFRPart11Policy" is the name of the managed policy, and "gxppolicy.json" is a JSON file containing the policy document with the required permissions for GxP compliance.

Step-by-Step Guide for Remediation:

To remediate the rule violation of having inline policies for GxP 21 CFR Part 11, follow these steps:

  1. Identify the IAM group(s), user(s), or role(s) that have inline policies for GxP 21 CFR Part 11.

  2. Review the contents of the inline policies to understand the specific permissions granted.

  3. Determine if the inline policies are necessary for GxP compliance. If not, proceed to step 5.

  4. Replace the inline policies with managed policies:

    a. Create a new managed policy using the necessary permissions for GxP compliance.

    b. Attach the newly created managed policy to the corresponding IAM group(s), user(s), or role(s).

    c. Verify that the IAM entity(s) can perform their required tasks with the newly attached managed policy.

  5. If the inline policies are required for GxP compliance, consider removing any unnecessary or excessive permissions from the inline policies.

    a. Modify the existing inline policies to remove unnecessary permissions.

    b. Test and validate that the IAM entity(s) can still perform their intended tasks after the modification.

  6. Regularly review and audit the permissions assigned to IAM group(s), user(s), and role(s) to ensure ongoing compliance with GxP 21 CFR Part 11 requirements.
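The following Python script is an added example, not part of the original rule page or Cloud Defense's own tooling. It carries out the troubleshooting steps above (find every inline policy on a user, group, or role, and flag Allow statements with wildcard actions or resources for closer review) and drafts the remediation steps (create a managed policy from the same document, attach it, then delete the inline original) working offline from the JSON that `aws iam get-account-authorization-details` prints. The sample account details, the entity and policy names, and the account ID 123456789012 are all constructed for illustration.

```python
"""Added example (not from the original rule page): audit IAM inline policies
and draft their migration to managed policies, offline, from the JSON that
`aws iam get-account-authorization-details` prints."""
import json
import shlex

# Constructed sample in the shape of get-account-authorization-details output,
# trimmed to the fields this audit reads. Names and documents are illustrative.
SAMPLE_AUTH_DETAILS = {
    "UserDetailList": [
        {"UserName": "gxp-analyst",
         "UserPolicyList": [{"PolicyName": "gxp-inline-s3",
                             "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                                 {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]},
        {"UserName": "clean-user", "UserPolicyList": []},
    ],
    "GroupDetailList": [
        {"GroupName": "gxp-reviewers",
         "GroupPolicyList": [{"PolicyName": "gxp-inline-read",
                              "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                                  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                   "Resource": "arn:aws:s3:::gxp-records"}]}}]},
    ],
    "RoleDetailList": [{"RoleName": "gxp-batch-role", "RolePolicyList": []}],
}

# (CLI noun, list key, name key, inline-policy list key) for each IAM entity type
ENTITY_KINDS = [
    ("user", "UserDetailList", "UserName", "UserPolicyList"),
    ("group", "GroupDetailList", "GroupName", "GroupPolicyList"),
    ("role", "RoleDetailList", "RoleName", "RolePolicyList"),
]


def find_inline_policies(details):
    """Troubleshooting step 1: every inline policy on any user, group or role.
    Returns a list of (kind, entity_name, policy_name, policy_document)."""
    found = []
    for kind, list_key, name_key, policy_key in ENTITY_KINDS:
        for entity in details.get(list_key, []):
            for pol in entity.get(policy_key, []):
                found.append((kind, entity[name_key], pol["PolicyName"], pol["PolicyDocument"]))
    return found


def _as_list(value):
    # IAM allows a single string or a list for Action / Resource
    return [value] if isinstance(value, str) else list(value or [])


def broad_grants(policy_document):
    """Troubleshooting step 2: Allow statements that grant a wildcard action
    ("*" or "service:*") or apply to every resource; these deserve a closer
    look before the document is copied into a managed policy."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]
    flagged = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(st)
    return flagged


def migration_commands(kind, entity, policy_name, policy_document, account_id):
    """Remediation step 4: AWS CLI commands that move one inline policy to a
    managed policy carrying the same document. Run them in order, and check
    the entity's access after the attach and before deleting the inline copy."""
    managed_name = f"{entity}-{policy_name}"
    doc = shlex.quote(json.dumps(policy_document, separators=(",", ":")))
    arn = f"arn:aws:iam::{account_id}:policy/{managed_name}"
    return [
        f"aws iam create-policy --policy-name {managed_name} --policy-document {doc}",
        f"aws iam attach-{kind}-policy --{kind}-name {entity} --policy-arn {arn}",
        f"aws iam delete-{kind}-policy --{kind}-name {entity} --policy-name {policy_name}",
    ]


def audit(details, account_id):
    """One report entry per inline policy: where it is, how many of its
    statements are broad, and the commands that migrate it."""
    report = []
    for kind, entity, name, doc in find_inline_policies(details):
        report.append({
            "entity": f"{kind}/{entity}",
            "policy": name,
            "broad_statements": len(broad_grants(doc)),
            "commands": migration_commands(kind, entity, name, doc, account_id),
        })
    return report


if __name__ == "__main__":
    # Against a real account: details = json.load(open("auth-details.json"))
    # after `aws iam get-account-authorization-details > auth-details.json`.
    for entry in audit(SAMPLE_AUTH_DETAILS, "123456789012"):  # constructed account ID
        print(f"{entry['entity']} has inline policy {entry['policy']} "
              f"({entry['broad_statements']} broad statement(s))")
        for cmd in entry["commands"]:
            print("   ", cmd)
```

The command order matters for continuity of access: the managed policy is created and attached first, so the entity never loses the permissions it had, and the inline copy is deleted only after the attach has been verified. The generated managed policy name is the entity name joined to the inline policy name; on a real account it still has to satisfy IAM's policy-name length and character limits, and a broad statement count above zero is the cue to tighten the document before `create-policy` rather than carry a wildcard grant into a managed policy.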

By following these steps, organizations can ensure compliance with the rule/policy of not having any inline policies for GxP 21 CFR Part 11, thus maintaining the security and integrity of their GxP-related systems and data.
