
Ensure Inline Policies for IAM Users, Roles, and Groups Rule

This rule ensures that inline policies do not allow blocked actions on KMS keys.

Rule: Ensure inline policies attached to IAM users, roles, and groups do not allow blocked actions on KMS keys
Framework: GxP 21 CFR Part 11
Severity: Medium

Rule Description

This rule ensures that the inline policies attached to IAM users, roles, and groups do not allow blocked actions on KMS (Key Management Service) keys in compliance with GxP (Good Practice) and 21 CFR (Code of Federal Regulations) Part 11 regulations for data integrity and security.

Policy Verification Steps

  1. Identify the IAM users, roles, and groups that have inline policies attached.
  2. Check each inline policy attached to IAM users, roles, and groups for any blocked actions on KMS keys.
  3. Ensure that no actions are explicitly denied or blocked for KMS keys in the inline policies.
  4. Validate that all the permissions defined in the inline policies are necessary and aligned with the organization's security and compliance requirements.
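The verification steps above can be automated. The following is an added example, not Cloud Defense's own rule logic: it evaluates inline policy documents and reports every Allow statement whose Action (or NotAction) element covers a blocked KMS action, handling string-or-list elements, case-insensitive action names and IAM wildcards. The BLOCKED_KMS_ACTIONS tuple is a placeholder assumption, since the page does not list which KMS actions count as blocked; the sample policies are constructed, and the fetch_inline_policies helper shows how the same check would be fed from a boto3 IAM client.

```python
"""Scan IAM inline policy documents for Allow statements that grant blocked KMS actions.

Added example, not Cloud Defense's own rule logic. The BLOCKED_KMS_ACTIONS tuple is a
placeholder assumption: the page does not list which KMS actions count as blocked.
"""
import fnmatch

# Placeholder set of blocked KMS actions (assumption; substitute your organisation's list).
BLOCKED_KMS_ACTIONS = (
    "kms:ScheduleKeyDeletion",
    "kms:DisableKey",
    "kms:PutKeyPolicy",
    "kms:Encrypt",  # the action the page's example inline policy denies
)


def _as_list(value):
    """IAM accepts either a string or a list for Action/NotAction/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names match case-insensitively and support the * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_grants(stmt, action):
    """True if an Allow statement's Action (or NotAction) element covers `action`."""
    if "NotAction" in stmt:
        # NotAction grants everything except the listed patterns.
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def find_blocked_allows(policy_doc, blocked=BLOCKED_KMS_ACTIONS):
    """Return (statement_index, blocked_action, resources) for every Allow statement
    that covers a blocked KMS action.

    Deny statements are skipped rather than evaluated: an explicit Deny in this or any
    other attached policy overrides the Allow, so each finding is a candidate for the
    manual review the page describes, not a proven effective permission."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in blocked:
            if _statement_grants(stmt, action):
                findings.append((idx, action, _as_list(stmt.get("Resource", "*"))))
    return findings


def scan(policies, blocked=BLOCKED_KMS_ACTIONS):
    """Run find_blocked_allows over (principal_type, name, policy_name, document) tuples."""
    report = []
    for kind, name, policy_name, doc in policies:
        for idx, action, resources in find_blocked_allows(doc, blocked):
            report.append({"principal": f"{kind}/{name}", "policy": policy_name,
                           "statement": idx, "action": action, "resources": resources})
    return report


def fetch_inline_policies(iam):
    """Yield (principal_type, name, policy_name, document) for every inline policy in
    the account, given a boto3 IAM client. Uses list_users/list_user_policies/
    get_user_policy and the role and group equivalents; boto3 returns PolicyDocument
    already parsed into a dict."""
    kinds = (
        ("User", "list_users", "Users", "UserName", "list_user_policies", "get_user_policy"),
        ("Role", "list_roles", "Roles", "RoleName", "list_role_policies", "get_role_policy"),
        ("Group", "list_groups", "Groups", "GroupName", "list_group_policies", "get_group_policy"),
    )
    for kind, lister, key, name_key, list_pol, get_pol in kinds:
        for page in iam.get_paginator(lister).paginate():
            for principal in page[key]:
                name = principal[name_key]
                for pol_page in iam.get_paginator(list_pol).paginate(**{name_key: name}):
                    for policy_name in pol_page["PolicyNames"]:
                        doc = getattr(iam, get_pol)(**{name_key: name, "PolicyName": policy_name})
                        yield kind, name, policy_name, doc["PolicyDocument"]


# Constructed sample inline policies (not data from any real account).
SAMPLE_POLICIES = [
    ("User", "alice", "kms-ops", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]}),
    ("Role", "deploy", "broad-kms", {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}}),
    ("Group", "readers", "everything-but-kms", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": "kms:*", "Resource": "*"}]}),
]

if __name__ == "__main__":
    # For a live account: import boto3; scan(fetch_inline_policies(boto3.client("iam")))
    for finding in scan(SAMPLE_POLICIES):
        print(finding)
```

Run against the constructed samples, the scanner flags alice's Allow of kms:Encrypt on one key and every blocked action for the role whose inline policy grants kms:* on all resources, while the group whose NotAction excludes kms:* produces no finding. Each finding still needs the stakeholder review in the steps above before the policy is changed, because a Deny elsewhere may already override it.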

Troubleshooting Steps

In case any inline policies are found that allow blocked actions on KMS keys, follow these troubleshooting steps:

  1. Review the inline policy attached to the IAM user, role, or group.
  2. Identify the specific blocked actions that need to be removed or modified.
  3. Determine if the blocked actions listed in the policy are necessary for any legitimate business requirements and consider modifying the policy accordingly.
  4. Consult with the relevant stakeholders to understand the appropriate actions needed for specific KMS keys.
  5. Create a modified or new inline policy that removes the blocked actions or provides the necessary access while complying with GxP and 21 CFR Part 11 regulations.

Necessary Codes

In case you need to update or modify an inline policy, here is an example of how to deny the "kms:Encrypt" action for a specific KMS key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "kms:Encrypt",
            "Resource": "arn:aws:kms:region:account-id:key/key-id"
        }
    ]
}

Replace "region" with the appropriate AWS region, "account-id" with your AWS account ID, and "key-id" with the ID of the KMS key you want to deny the "kms:Encrypt" action for.

Remediation Steps

To remediate the policy and align it with the rule, follow this step-by-step guide:

  1. Identify the IAM user, role, or group whose policy needs to be remediated.
  2. Determine whether modifying the existing inline policy or creating a new one is more appropriate for your use case.
  3. Understand the specific actions that should be allowed or denied for the KMS keys involved.
  4. Access the AWS Management Console or use the AWS Command Line Interface (CLI) for further actions.
  5. If modifying an existing policy:
    • Open the IAM service in the AWS Management Console.
    • Navigate to the "Users," "Roles," or "Groups" page depending on your case and select the appropriate user, role, or group.
    • Choose the "Permissions" tab.
    • Click on the inline policy that needs to be modified.
    • Update the policy by removing any blocked actions related to KMS keys or modifying permissions as per requirements.
    • Save the changes to the policy.
  6. If creating a new policy:
    • Open the IAM service in the AWS Management Console.
    • Navigate to the "Users," "Roles," or "Groups" page depending on your case and select the appropriate user, role, or group.
    • Choose the "Permissions" tab.
    • Click on the "Add inline policy" button.
    • Enter a policy name and description.
    • Use the necessary code provided earlier to define the policy with appropriate permissions for KMS keys.
    • Save the new inline policy.

By following these remediation steps, you can ensure that the inline policies attached to IAM users, roles, and groups do not allow blocked actions on KMS keys, thereby complying with GxP 21 CFR Part 11 regulations.
