This rule ensures IAM groups, users, and roles do not have inline policies.
| Rule | IAM groups, users, and roles should not have any inline policies |
|---|---|
| Framework | CISA-cyber-essentials |
| Severity | Low |
Rule Description
Under the CISA-cyber-essentials framework, IAM groups, users, and roles should not carry inline policies. An inline policy is embedded directly in a single IAM entity (group, user, or role), whereas a managed policy is a standalone object that is created once and attached to any number of entities. Avoiding inline policies gives the organization a centralized, controlled way to manage permissions in AWS Identity and Access Management (IAM).
Inline policies weaken both security and policy management: they do not appear in the account's policy list, cannot be reused across entities, keep no version history, and are deleted together with the entity, so a permission granted inline is easy to overlook during a review. The recommended practice is to express permissions as managed policies and attach them to the entities that need them, which provides better visibility, control, and governance over the permissions in force.
Troubleshooting Steps
If inline policies exist on IAM groups, users, or roles in scope for this rule, work through the following troubleshooting steps:
1. Identify the entities with inline policies: use the AWS Management Console, the AWS CLI, or the API to list the IAM groups, users, and roles that have inline policies attached.
2. Review the inline policies: read each identified policy to understand its purpose and where it conflicts with the desired managed-policy approach. Make sure every permission that is still needed is carried over into a managed policy rather than left attached inline.
3. Back up the inline policies: save a copy of each inline policy document before removing it, so that access can be restored if the removal has unintended consequences.
Remediation Steps
To comply with the rule and remove inline policies from IAM groups, users, and roles, follow the steps below:
1. Identify the IAM entities: determine the specific IAM groups, users, and roles that have inline policies.
2. Create new managed policies: create managed policies that contain the permissions those entities actually need. This can be done via the AWS Management Console, CLI, or API.
3. Attach the new managed policies: attach the newly created managed policies to the appropriate IAM groups, users, or roles, again through the Console, CLI, or API.
4. Verify policy attachments: confirm that the policies are attached and that the managed policies contain every permission the inline policies granted.
5. Remove inline policies: once the managed policies are attached and verified, delete the inline policies identified in the troubleshooting steps via the Console, CLI, or API.
6. Monitor and validate: regularly review IAM entities and policies to confirm that no inline policies have been reintroduced and that the managed-policy approach remains in place.
By following these remediation steps, organizations can ensure proper policy management and adhere to the rule of not having inline policies for CISA-cyber-essentials.
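The steps above can be driven from a single inventory snapshot. The script below is an added example, not part of the original rule page or of any AWS or CISA tooling: it assumes the JSON shape returned by `aws iam get-account-authorization-details` (UserDetailList, GroupDetailList and RoleDetailList, each carrying a `*PolicyList` of inline policies and `AttachedManagedPolicies`, plus a `Policies` list with versioned managed-policy documents) and runs against a constructed snapshot embedded in the file. It finds every inline policy (step 1), emits a JSON backup of them (troubleshooting step 3), and, before recommending removal, checks that each inline statement is already granted by the default version of an attached managed policy (remediation steps 4 and 5).

```python
"""Audit an IAM authorization-details snapshot for inline policies.

Added example; the snapshot below is constructed sample data whose shape
mirrors `aws iam get-account-authorization-details`, not real account output.
"""
import json
from typing import Any

# entity type -> (list key, name key, inline-policy list key) in the snapshot
ENTITY_KEYS = {
    "User": ("UserDetailList", "UserName", "UserPolicyList"),
    "Group": ("GroupDetailList", "GroupName", "GroupPolicyList"),
    "Role": ("RoleDetailList", "RoleName", "RolePolicyList"),
}

S3_READ = {"Effect": "Allow", "Action": "s3:GetObject",
           "Resource": "arn:aws:s3:::example-bucket/*"}
EC2_DESCRIBE = {"Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
                "Resource": "*"}


def _doc(*statements: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": list(statements)}


ACCT = "111122223333"  # constructed account id
DEV_POLICY_ARN = f"arn:aws:iam::{ACCT}:policy/DevelopersEC2"

# Constructed snapshot: alice has an inline policy with no managed equivalent,
# the developers group has an inline policy already covered by an attached
# managed policy, and app-role has an inline policy the attached policy lacks.
SAMPLE_SNAPSHOT: dict[str, Any] = {
    "UserDetailList": [
        {"UserName": "alice", "Arn": f"arn:aws:iam::{ACCT}:user/alice",
         "UserPolicyList": [{"PolicyName": "s3-read", "PolicyDocument": _doc(S3_READ)}],
         "AttachedManagedPolicies": []},
        {"UserName": "bob", "Arn": f"arn:aws:iam::{ACCT}:user/bob",
         "UserPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    ],
    "GroupDetailList": [
        {"GroupName": "developers", "Arn": f"arn:aws:iam::{ACCT}:group/developers",
         "GroupPolicyList": [{"PolicyName": "ec2-describe", "PolicyDocument": _doc(EC2_DESCRIBE)}],
         "AttachedManagedPolicies": [{"PolicyName": "DevelopersEC2", "PolicyArn": DEV_POLICY_ARN}]},
    ],
    "RoleDetailList": [
        {"RoleName": "app-role", "Arn": f"arn:aws:iam::{ACCT}:role/app-role",
         "RolePolicyList": [{"PolicyName": "s3-read", "PolicyDocument": _doc(S3_READ)}],
         "AttachedManagedPolicies": [{"PolicyName": "DevelopersEC2", "PolicyArn": DEV_POLICY_ARN}]},
    ],
    "Policies": [
        {"PolicyName": "DevelopersEC2", "Arn": DEV_POLICY_ARN,
         "PolicyVersionList": [
             {"VersionId": "v1", "IsDefaultVersion": False, "Document": _doc()},
             {"VersionId": "v2", "IsDefaultVersion": True, "Document": _doc(EC2_DESCRIBE)},
         ]},
    ],
}


def _canon(stmt: dict) -> str:
    """Canonical form of a statement so list-vs-string and ordering differences compare equal."""
    s = dict(stmt)
    for key in ("Action", "NotAction", "Resource", "NotResource"):
        if key in s:
            value = s[key]
            s[key] = sorted([value] if isinstance(value, str) else value)
    return json.dumps(s, sort_keys=True)


def _statements(doc: dict) -> list[dict]:
    st = doc.get("Statement", [])
    return [st] if isinstance(st, dict) else list(st)


def find_inline_policies(snapshot: dict) -> list[dict]:
    """Step 1: every inline policy on every user, group and role."""
    findings = []
    for etype, (list_key, name_key, pol_key) in ENTITY_KEYS.items():
        for entity in snapshot.get(list_key, []):
            for pol in entity.get(pol_key, []):
                findings.append({"EntityType": etype, "EntityName": entity[name_key],
                                 "Arn": entity["Arn"], "PolicyName": pol["PolicyName"],
                                 "PolicyDocument": pol["PolicyDocument"]})
    return findings


def backup_inline_policies(findings: list[dict]) -> str:
    """Troubleshooting step 3: JSON backup to keep before any deletion."""
    return json.dumps(findings, indent=2, sort_keys=True)


def _default_documents(snapshot: dict) -> dict[str, dict]:
    """Default-version document of each managed policy in the snapshot, keyed by ARN."""
    return {p["Arn"]: v["Document"] for p in snapshot.get("Policies", [])
            for v in p.get("PolicyVersionList", []) if v.get("IsDefaultVersion")}


def removal_plan(snapshot: dict) -> list[dict]:
    """Steps 4-5: an inline policy is safe to remove only when every one of its
    statements is already granted by an attached managed policy's default version.
    Attached policies whose document is not in the snapshot grant nothing here."""
    default_docs = _default_documents(snapshot)
    plan = []
    for etype, (list_key, name_key, pol_key) in ENTITY_KEYS.items():
        for entity in snapshot.get(list_key, []):
            granted = set()
            for att in entity.get("AttachedManagedPolicies", []):
                doc = default_docs.get(att["PolicyArn"])
                if doc:
                    granted.update(_canon(s) for s in _statements(doc))
            for pol in entity.get(pol_key, []):
                missing = {_canon(s) for s in _statements(pol["PolicyDocument"])} - granted
                plan.append({"Entity": f"{etype}/{entity[name_key]}", "PolicyName": pol["PolicyName"],
                             "SafeToRemove": not missing, "MissingStatements": sorted(missing)})
    return plan


if __name__ == "__main__":
    print(backup_inline_policies(find_inline_policies(SAMPLE_SNAPSHOT)))
    for item in removal_plan(SAMPLE_SNAPSHOT):
        print(item["Entity"], item["PolicyName"], "safe" if item["SafeToRemove"] else "NOT safe")
```

Against the constructed snapshot the plan marks only the developers group's `ec2-describe` policy as safe to remove; alice's and app-role's `s3-read` are reported with the statements that no attached managed policy grants, which is exactly the gap step 2 (create managed policies) has to close first. In a real account, pipe the output of `aws iam get-account-authorization-details` into `SAMPLE_SNAPSHOT`'s place; the comparison is on normalized statements, so a managed policy that grants the same actions in a different order or as a list instead of a string still counts as coverage.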