
IAM Groups, Users, and Roles Should Not Have Any Inline Policies Rule

This rule ensures that IAM groups, users, and roles do not have any inline policies configured.

Rule: IAM groups, users, and roles should not have any inline policies
Framework: FedRAMP Moderate Revision 4
Severity: Low

Rule Description:

Inline policies should not be embedded in IAM groups, users, or roles. An inline policy exists only inside the single entity it was written into: it cannot be reused, has no versioning or rollback, does not appear in the account's list of managed policies, and is deleted together with the entity, so permissions granted this way are easy to miss during review and tend to drift from the rest of the account's policy set. Customer managed policies, by contrast, can be shared across entities, changed in one place, versioned, and audited centrally. Note that IAM evaluates inline and attached managed policies together (an explicit Deny in any policy wins, otherwise any Allow grants access), so an inline policy does not override other policies; the risk is unmanaged, hard-to-audit permission sprawl rather than precedence. To satisfy this rule under FedRAMP Moderate Revision 4, reproduce any still-needed inline permissions in managed policies and then delete the inline policies from all IAM groups, users, and roles.

Troubleshooting Steps:

If an inline policy is found on an IAM group, user, or role, work through the following steps:

  1. Identify IAM entities with inline policies: enumerate the IAM users, groups, and roles and list the inline policies embedded in each.

  2. Review the inline policies: read each policy document to understand the permissions it grants and how it overlaps with the policies already attached to the entity.

  3. Determine whether the permissions are still needed: if they are, plan to reproduce them in a customer managed policy; if they are not, plan to remove them outright.

  4. Update policies: create and attach the replacement managed policy first, then delete the inline policy, so the principal never loses a permission it still needs in between.

  5. Test permissions: validate the affected entities' access after the change (for example with the IAM policy simulator or by exercising the workload) to confirm nothing is unintentionally denied.

Necessary Code:

The AWS CLI can be used to find and remove inline policies. Two points before running anything: an inline policy is deleted, not detached (the detach-*-policy commands apply only to managed policies), and deletion is irreversible, so export the policy document first. Examples:

  1. To list all IAM users that have inline policies, with the policy names (the CLI paginates this call automatically):
aws iam get-account-authorization-details --filter User \
  --query 'UserDetailList[?length(UserPolicyList) > `0`].{UserName:UserName,InlinePolicies:UserPolicyList[].PolicyName}'
  2. To list the inline policies of one user and save a policy document before removing it:
aws iam list-user-policies --user-name <UserName>
aws iam get-user-policy --user-name <UserName> --policy-name <PolicyName> --query PolicyDocument > <PolicyName>.json
  3. To delete an inline policy from a specific IAM user:
aws iam delete-user-policy --user-name <UserName> --policy-name <PolicyName>

Replace <UserName> and <PolicyName> with the actual values.

  4. To list all IAM groups with inline policies:
aws iam get-account-authorization-details --filter Group \
  --query 'GroupDetailList[?length(GroupPolicyList) > `0`].{GroupName:GroupName,InlinePolicies:GroupPolicyList[].PolicyName}'
  5. To save and then delete an inline policy from a specific IAM group:
aws iam get-group-policy --group-name <GroupName> --policy-name <PolicyName> --query PolicyDocument > <PolicyName>.json
aws iam delete-group-policy --group-name <GroupName> --policy-name <PolicyName>

Replace <GroupName> and <PolicyName> with the actual values.

  6. To list all IAM roles with inline policies:
aws iam get-account-authorization-details --filter Role \
  --query 'RoleDetailList[?length(RolePolicyList) > `0`].{RoleName:RoleName,InlinePolicies:RolePolicyList[].PolicyName}'
  7. To save and then delete an inline policy from a specific IAM role:
aws iam get-role-policy --role-name <RoleName> --policy-name <PolicyName> --query PolicyDocument > <PolicyName>.json
aws iam delete-role-policy --role-name <RoleName> --policy-name <PolicyName>

Replace <RoleName> and <PolicyName> with the actual values.

Note: The caller needs iam:GetAccountAuthorizationDetails for the listing commands, and the matching Get and Delete actions (for example iam:GetUserPolicy and iam:DeleteUserPolicy, iam:GetRolePolicy and iam:DeleteRolePolicy) on the affected entities for the export and delete commands. The Role listing also returns AWS service-linked roles (path beginning /aws-service-role/); their policies are managed by AWS and cannot be changed from the account, so exclude them from remediation.

Step-by-Step Guide for Remediation:

  1. Identify the IAM users, groups, and roles that have inline policies using the AWS CLI commands above.

  2. Review each inline policy document to determine whether the permissions it grants are still required.

  3. For permissions that are still required, create a customer managed policy with the same document (aws iam create-policy) and attach it to the entity (aws iam attach-user-policy, attach-group-policy, or attach-role-policy). Where the same inline policy is repeated on several entities, one managed policy can replace all of them.

  4. Export each inline policy document (aws iam get-user-policy, get-group-policy, or get-role-policy), then delete it with the matching delete-user-policy, delete-group-policy, or delete-role-policy command. Repeat for every identified entity.

  5. Validate the removal by confirming that list-user-policies, list-group-policies, and list-role-policies return no policy names for the affected entities.

  6. Test the access of the affected IAM entities to ensure that there are no unintended restrictions.

  7. Document the changes made, including the removed inline policies, their exported documents, and the IAM entities they were attached to, for future reference and audit purposes.
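The inventory and migration procedure above, worked through end to end as an added example (this is not Cloud Defense's code). It parses JSON in the shape returned by aws iam get-account-authorization-details --filter User Group Role and drafts, for each inline policy, the create-policy, attach and delete commands in the order that avoids a permission gap. The account details embedded below are constructed; the service-linked role with an inline policy is included only to exercise the exclusion; the managed-policy naming convention and the account ID are assumptions; and the script prints the CLI commands instead of calling AWS, so it runs offline.

```python
"""Inventory inline policies from `aws iam get-account-authorization-details`
output and draft the CLI commands that migrate each one to a customer managed
policy. Added example, not Cloud Defense's code; the JSON below is constructed."""
import json
import shlex

# Constructed sample in the shape of:
#   aws iam get-account-authorization-details --filter User Group Role
# Only the keys this script reads are included. The service-linked role is a
# made-up one, present only to show the exclusion logic below.
SAMPLE_DETAILS = json.loads(r"""
{
  "UserDetailList": [
    {"UserName": "alice", "Path": "/",
     "UserPolicyList": [{"PolicyName": "alice-s3-read",
       "PolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::example-bucket/*"}]}}],
     "AttachedManagedPolicies": []},
    {"UserName": "bob", "Path": "/", "UserPolicyList": [],
     "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
       "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}
  ],
  "GroupDetailList": [
    {"GroupName": "developers", "Path": "/",
     "GroupPolicyList": [{"PolicyName": "dev-logs",
       "PolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"}]}}],
     "AttachedManagedPolicies": []}
  ],
  "RoleDetailList": [
    {"RoleName": "app-role", "Path": "/",
     "RolePolicyList": [{"PolicyName": "app-dynamo",
       "PolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "dynamodb:GetItem",
          "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/app"}]}}],
     "AttachedManagedPolicies": []},
    {"RoleName": "AWSServiceRoleForExample",
     "Path": "/aws-service-role/example.amazonaws.com/",
     "RolePolicyList": [{"PolicyName": "aws-owned",
       "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}],
     "AttachedManagedPolicies": []}
  ]
}
""")

# (list key, name key, inline-policy key) per principal type, as named in the API output.
ENTITY_KEYS = {
    "User": ("UserDetailList", "UserName", "UserPolicyList"),
    "Group": ("GroupDetailList", "GroupName", "GroupPolicyList"),
    "Role": ("RoleDetailList", "RoleName", "RolePolicyList"),
}


def find_inline_policies(details, skip_service_linked=True):
    """Return one finding per inline policy: principal type, name, policy name, document.

    Service-linked roles (path /aws-service-role/...) are owned by AWS and their
    policies cannot be edited or deleted from the account, so by default they are
    skipped rather than queued for remediation.
    """
    findings = []
    for entity_type, (list_key, name_key, policy_key) in ENTITY_KEYS.items():
        for entity in details.get(list_key, []):
            if (skip_service_linked and entity_type == "Role"
                    and entity.get("Path", "/").startswith("/aws-service-role/")):
                continue
            for policy in entity.get(policy_key, []):
                findings.append({
                    "entity_type": entity_type,
                    "name": entity[name_key],
                    "policy_name": policy["PolicyName"],
                    "document": policy["PolicyDocument"],
                })
    return findings


def migration_commands(finding, account_id):
    """Draft the three CLI calls that replace one inline policy with a managed one.

    Order matters: create and attach the managed copy before deleting the inline
    original so the principal never loses the permission in between. The managed
    policy name "<principal>-<policy>" is a hypothetical convention, and the ARN is
    composed from account_id for display; in practice read Policy.Arn from the
    create-policy output instead.
    """
    kind = finding["entity_type"].lower()            # user | group | role
    managed_name = f"{finding['name']}-{finding['policy_name']}"
    document = shlex.quote(json.dumps(finding["document"], separators=(",", ":")))
    return [
        f"aws iam create-policy --policy-name {managed_name} --policy-document {document}",
        f"aws iam attach-{kind}-policy --{kind}-name {finding['name']} "
        f"--policy-arn arn:aws:iam::{account_id}:policy/{managed_name}",
        f"aws iam delete-{kind}-policy --{kind}-name {finding['name']} "
        f"--policy-name {finding['policy_name']}",
    ]


if __name__ == "__main__":
    for f in find_inline_policies(SAMPLE_DETAILS):
        print(f"# {f['entity_type']} {f['name']}: inline policy {f['policy_name']}")
        print("\n".join(migration_commands(f, account_id="123456789012")))
```

To run this against a real account, replace SAMPLE_DETAILS with the parsed output of aws iam get-account-authorization-details --filter User Group Role, review the printed commands, and execute them only after the managed policy has been attached and verified. Keep the exported documents from the findings as the audit record required in step 7.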

Note:

Regular monitoring and periodic checks should be performed to ensure that no new inline policies are added to IAM groups, users, or roles in violation of the FedRAMP Moderate Revision 4 policy. The AWS Config managed rule iam-no-inline-policy-check evaluates this continuously, and the CloudTrail events PutUserPolicy, PutGroupPolicy, and PutRolePolicy identify the moment an inline policy is created, so alerting on them catches new violations as they happen.
