
IAM Groups, Users, and Roles Should Not Have Any Inline Policies Rule

This rule states that IAM groups, users, and roles must not have any inline policies, so that every permission grant is made through a managed policy that can be reviewed and controlled centrally.

Rule: IAM groups, users, and roles should not have any inline policies
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description

According to the NIST 800-53 Revision 5 security framework, inline policies should not be attached to IAM groups, users, and roles. An inline policy is embedded directly in a single IAM user, group, or role, whereas a managed policy is a standalone IAM object that can be attached to many entities, versioned, and reviewed in one place. Because an inline policy exists only inside the entity that carries it, it is easy to overlook during access reviews and is lost when the entity is deleted. This rule aims to enforce centralized and controlled policy management for better security and compliance.

Troubleshooting Steps

If any inline policies are found on IAM groups, users, or roles, the following troubleshooting steps can be followed:

  1. Identify IAM entities with inline policies: Use the IAM console, AWS CLI, or other IAM management tools to identify IAM groups, users, and roles that have inline policies attached to them.

  2. Review the inline policies: Examine the content of the inline policies to understand their purpose and the risks they may introduce.

  3. Determine if inline policies are necessary: Assess whether the permissions in the inline policies are still required and whether they can be expressed as managed policies instead. Evaluate the impact that removing the inline policies would have on the associated IAM entities.

  4. Migrate inline policies to managed policies: If the permissions are necessary, migrate them to managed policies. Managed policies enable central management, version control, and greater granularity in access control. Copy the contents of the inline policy and create a corresponding managed policy.

  5. Attach managed policies to entities: Once the inline policies are migrated, attach the managed policies to the respective IAM entities (groups, users, or roles) using the AWS Management Console, AWS CLI, or SDKs.

  6. Test functionality: Verify that the desired functionality and access privileges are preserved after the migration from inline policies to managed policies.

Necessary Codes

When an inline policy needs to be migrated to a managed policy, the following snippet shows an example of a managed policy document in JSON format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

Replace the "Action" and "Resource" values with the appropriate ones based on your requirements.

Step-by-Step Remediation Guide

To remediate the presence of inline policies on IAM groups, users, and roles, follow these step-by-step instructions:

  1. Navigate to the AWS IAM Management Console.
  2. Identify the IAM group, user, or role that has an inline policy attached to it.
  3. Select the respective IAM entity from the list.
  4. Click on the "Permissions" tab.
  5. Locate the inline policy associated with the entity.
  6. Copy the content of the inline policy for reference.
  7. Click on the "Detach Policy" button to remove the inline policy.
  8. Once the inline policy is detached, click on the "Policies" tab.
  9. Click on the "Create Policy" button to create a new IAM policy.
  10. Enter a name and description for the policy.
  11. Choose the necessary permissions by either selecting predefined policies or writing a custom policy.
  12. Paste the previously copied inline policy content into the JSON editor if applicable.
  13. Review the policy and ensure it meets your desired access control requirements.
  14. Click on the "Create Policy" button to save the IAM policy.
  15. Return to the "Permissions" tab of the IAM entity.
  16. Click on the "Attach Policy" button.
  17. Locate the new IAM policy in the list and select it.
  18. Click on the "Attach Policy" button to link the IAM policy to the entity.
  19. Verify that the desired functionality and access privileges are maintained for the IAM entity.
  20. Repeat the above steps for any remaining IAM groups, users, or roles that have inline policies.

By following these steps, you can remediate the NIST 800-53 Revision 5 rule violation and ensure that IAM groups, users, and roles do not have any inline policies, thus maintaining better security and compliance.
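As an added example (not part of this page and not CloudDefense code), the following Python script carries out the troubleshooting steps and the remediation guide programmatically rather than through the console. It walks a snapshot shaped like the output of boto3's iam.get_account_authorization_details(), lists every inline policy on users, groups, and roles, checks whether each document fits the managed-policy size limit (a role's inline policy may be larger than a managed policy allows, so a verbatim copy can fail), flags statements that grant a full wildcard so they are reviewed rather than copied as-is, and, given a boto3 IAM client, creates the managed policy, attaches it, and only then deletes the inline policy so access never lapses between the two. The sample snapshot, the entity names, and the "migrated-" naming prefix are constructed for this example.

```python
"""Audit an IAM snapshot for inline policies and plan their migration to
managed policies (added example, not CloudDefense code)."""
import json
from dataclasses import dataclass
from urllib.parse import unquote

# AWS limit on non-whitespace characters in a managed policy document.
# Inline policies on roles may reach 10,240 characters, so a migration can
# fail at create_policy unless the size is checked first.
MANAGED_POLICY_MAX_CHARS = 6144

# Per entity type: the keys used by get_account_authorization_details().
SECTIONS = (
    ("user", "UserDetailList", "UserName", "UserPolicyList"),
    ("group", "GroupDetailList", "GroupName", "GroupPolicyList"),
    ("role", "RoleDetailList", "RoleName", "RolePolicyList"),
)


@dataclass
class InlinePolicyFinding:
    entity_type: str   # "user", "group" or "role"
    entity_name: str
    policy_name: str
    document: dict


def load_snapshot_from_aws() -> dict:
    """Fetch the live snapshot with boto3 (needs credentials; not run here)."""
    import boto3
    merged = {list_key: [] for _, list_key, _, _ in SECTIONS}
    paginator = boto3.client("iam").get_paginator("get_account_authorization_details")
    for page in paginator.paginate(Filter=["User", "Group", "Role"]):
        for list_key in merged:
            merged[list_key].extend(page.get(list_key, []))
    return merged


def find_inline_policies(snapshot: dict) -> list:
    """Return every inline policy found on users, groups and roles."""
    findings = []
    for entity_type, list_key, name_key, policy_key in SECTIONS:
        for entity in snapshot.get(list_key, []):
            for inline in entity.get(policy_key, []):
                doc = inline["PolicyDocument"]
                if isinstance(doc, str):  # raw API form is URL-encoded JSON
                    doc = json.loads(unquote(doc))
                findings.append(InlinePolicyFinding(
                    entity_type, entity[name_key], inline["PolicyName"], doc))
    return findings


def _statements(doc: dict) -> list:
    stmts = doc.get("Statement", [])   # a single statement may be a bare dict
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _has_full_wildcard(stmt: dict) -> bool:
    """True for an Allow statement whose Action or Resource is "*"."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = stmt.get("Action", [])
    resources = stmt.get("Resource", [])
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return "*" in actions or "*" in resources


def plan_migration(finding: InlinePolicyFinding) -> dict:
    """Describe the managed policy that would replace one inline policy."""
    # Policy names are limited to 128 characters; the prefix is this example's
    # own convention so the origin stays visible in the policy list.
    name = f"migrated-{finding.entity_type}-{finding.entity_name}-{finding.policy_name}"[:128]
    # Minified JSON has no whitespace outside strings, so len() approximates
    # the non-whitespace count AWS applies.
    document = json.dumps(finding.document, separators=(",", ":"))
    return {
        "managed_policy_name": name,
        "document": document,
        "fits_managed_limit": len(document) <= MANAGED_POLICY_MAX_CHARS,
        "needs_review": any(_has_full_wildcard(s) for s in _statements(finding.document)),
    }


def apply_migration(iam, finding: InlinePolicyFinding, plan: dict) -> str:
    """Create the managed policy, attach it, then delete the inline policy.
    `iam` is a boto3 IAM client; attaching first avoids a gap in access."""
    arn = iam.create_policy(PolicyName=plan["managed_policy_name"],
                            PolicyDocument=plan["document"])["Policy"]["Arn"]
    entity_kw = {f"{finding.entity_type.capitalize()}Name": finding.entity_name}
    getattr(iam, f"attach_{finding.entity_type}_policy")(PolicyArn=arn, **entity_kw)
    getattr(iam, f"delete_{finding.entity_type}_policy")(
        PolicyName=finding.policy_name, **entity_kw)
    return arn


# Constructed snapshot in the shape of get_account_authorization_details().
SAMPLE_SNAPSHOT = {
    "UserDetailList": [{"UserName": "ci-deploy", "UserPolicyList": [
        {"PolicyName": "s3-read", "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": ["arn:aws:s3:::example-bucket",
                                        "arn:aws:s3:::example-bucket/*"]}]}}]}],
    "GroupDetailList": [{"GroupName": "readers", "GroupPolicyList": []}],
    "RoleDetailList": [{"RoleName": "lambda-exec", "RolePolicyList": [
        {"PolicyName": "allow-all",   # URL-encoded, as the raw API returns it
         "PolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A"
                           "%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22%2A%22"
                           "%2C%22Resource%22%3A%22%2A%22%7D%7D"}]}],
}

if __name__ == "__main__":
    for f in find_inline_policies(SAMPLE_SNAPSHOT):
        p = plan_migration(f)
        print(f"{f.entity_type}/{f.entity_name}: inline '{f.policy_name}' -> "
              f"{p['managed_policy_name']} fits={p['fits_managed_limit']} "
              f"review={p['needs_review']}")
```

Running the script against the sample reports the user's S3 policy as a straightforward migration and the role's allow-all policy as one needing review; pass the output of load_snapshot_from_aws() to find_inline_policies() to audit a real account, and call apply_migration() only for plans that fit the limit and have been reviewed.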
