IAM User Should Not Have Any Inline or Attached Policies Rule
This rule specifies that IAM users should not be assigned any inline or attached policies.
| Rule | IAM user should not have any inline or attached policies |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ Low |
Rule Description:
This rule is enforced to ensure that IAM (Identity and Access Management) users do not have any inline or attached policies that are not compliant with the requirements outlined in NIST 800-171 Revision 2. NIST 800-171 is a set of security standards developed by the National Institute of Standards and Technology (NIST) to protect sensitive government information.
Remediation Steps:
To remediate this rule and ensure compliance, the following steps should be undertaken:
- 1.
Identify IAM Users with Inline or Attached Policies:
- Explore the IAM console or use AWS CLI commands to identify IAM users who have inline or attached policies.
- This can be done by listing all IAM users and checking their policies.
- 2.
Review Policies of Identified Users:
- Analyze the policies attached or associated with the identified IAM users.
- Ensure that none of the policies violate the requirements specified in NIST 800-171 Revision 2.
- 3.
Remove Non-compliant Policies:
- If any non-compliant inline or attached policies are found, they should be removed from the IAM user accounts.
- There are two options for removing policies: a. Detach Policies: For policies that are attached, use the "DetachUserPolicy" or "DetachGroupPolicy" AWS CLI commands, depending on the entity to which the policy is attached. b. Delete Inline Policies: For policies that are inline, use the "DeleteUserPolicy" or "DeleteGroupPolicy" AWS CLI commands accordingly.
- 4.
Verify Compliance:
- After removing the non-compliant policies, perform a validation to ensure that IAM users no longer have any inline or attached policies that violate NIST 800-171 Revision 2.
Troubleshooting Steps:
In case you encounter any issues during the remediation process, the following troubleshooting steps may help you resolve common problems:
- 1.
Insufficient IAM User Permissions:
- Ensure that the user executing the commands has sufficient permissions to modify IAM user policies. The user should have the 'IAMFullAccess' policy or equivalent permissions.
- 2.
Invalid Policy Names:
- Double-check the policy names provided in the commands for detachment or deletion. Typos or incorrect policy names can cause commands to fail.
- 3.
Dependency Issues:
- If a policy is associated with other resources like roles, groups, or other users, you may encounter dependency errors when attempting to detach or delete the policy. Make sure to first remove the association from all dependent resources.
- 4.
Incorrect CLI Command Syntax:
- Validate that the AWS CLI commands are written correctly, including proper spacing, capitalization, and correct use of flags and arguments. Refer to the AWS CLI documentation for the precise syntax.
CLI Commands:
Here are the CLI commands that can be used for removing non-compliant policies:
To detach an attached user policy:
aws iam detach-user-policy --user-name <IAM user name> --policy-arn <policy ARN>To detach an attached group policy:
aws iam detach-group-policy --group-name <IAM group name> --policy-arn <policy ARN>To delete an inline user policy:
aws iam delete-user-policy --user-name <IAM user name> --policy-name <policy name>To delete an inline group policy:
aws iam delete-group-policy --group-name <IAM group name> --policy-name <policy name>
Please note that you need to replace
<IAM user/group name><policy ARN/name>By following these steps and performing the necessary actions, you can ensure that IAM users do not have any inline or attached policies that violate NIST 800-171 Revision 2, thereby enhancing the security posture of your AWS resources.