This rule states that IAM groups, users, and roles should not have any inline policies.
Rule | IAM groups, users, and roles should not have any inline policies
Framework | SOC 2
Severity | Low
IAM Groups, Users, and Roles Should Not Have Any Inline Policies for SOC 2
Overview of the Rule
Inline policies in AWS IAM (Identity and Access Management) are directly embedded within the user, group, or role they apply to. While inline policies can be a way to ensure a strict one-to-one relationship between a policy and an entity, they make it difficult to manage and audit permissions. For SOC 2 compliance, which emphasizes the importance of security and access controls within an organization, it is recommended to use managed policies instead.
Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. They provide a cleaner, more scalable method of managing permissions.
Troubleshooting Steps
If a Security or Compliance Officer identifies inline policies attached to IAM entities within the AWS account, the following steps should be implemented:
Step 1: Identify Inline Policies
To identify IAM entities with inline policies, use the AWS Management Console or AWS CLI.
Using the AWS CLI, run the following commands to list entities with inline policies:
For users:
aws iam list-users --query 'Users[*].UserName' --output text | xargs -n1 aws iam list-user-policies --user-name
For groups:
aws iam list-groups --query 'Groups[*].GroupName' --output text | xargs -n1 aws iam list-group-policies --group-name
For roles:
aws iam list-roles --query 'Roles[*].RoleName' --output text | xargs -n1 aws iam list-role-policies --role-name
Step 2: Document Inline Policies
Before making changes, document the permissions specified in each inline policy. The get-user-policy, get-group-policy, or get-role-policy CLI command retrieves an inline policy document (get-policy applies only to managed policies); the document is returned inside the PolicyDocument field of the output. For example, for a user:
aws iam get-user-policy --user-name <username> --policy-name <inline-policy-name>
Step 3: Convert Inline Policies to Managed Policies
For each inline policy, follow these steps to convert it into a managed policy:
Create a new managed policy with the same permissions as the inline policy, using the create-policy CLI command (the output includes the ARN of the new policy, which is needed in the next step):
aws iam create-policy --policy-name <new-managed-policy-name> --policy-document file://<path-to-json-policy-file>
Attach the managed policy to the IAM entity (user, group, or role) using the attach-user-policy, attach-group-policy, or attach-role-policy command:
For users:
aws iam attach-user-policy --user-name <username> --policy-arn <managed-policy-arn>
For groups:
aws iam attach-group-policy --group-name <groupname> --policy-arn <managed-policy-arn>
For roles:
aws iam attach-role-policy --role-name <rolename> --policy-arn <managed-policy-arn>
Step 4: Remove Inline Policies
Once the managed policy is in place, remove the inline policy using the delete-user-policy, delete-group-policy, or delete-role-policy command:
For users:
aws iam delete-user-policy --user-name <username> --policy-name <inline-policy-name>
For groups:
aws iam delete-group-policy --group-name <groupname> --policy-name <inline-policy-name>
For roles:
aws iam delete-role-policy --role-name <rolename> --policy-name <inline-policy-name>
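The four steps above, as an added offline example that is not part of the original page: it reads the output of aws iam get-account-authorization-details --filter User Group Role (one call covering users, groups, and roles instead of the per-entity loops of Step 1), skips service-linked roles, and emits the Step 2-4 files and commands as a dry-run plan for review before anything is executed. The sample input, the entity and policy names, and the <account-id> placeholder are constructed.

```python
import json

# Constructed sample in the shape of `aws iam get-account-authorization-details --filter User Group Role`,
# reduced to the fields the audit reads. Two inline policies deliberately share the name "s3-read".
def _allow(action, resource="*"):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}

SAMPLE = {
    "UserDetailList": [
        {"UserName": "alice", "Path": "/", "UserPolicyList": [{"PolicyName": "s3-read", "PolicyDocument": _allow("s3:GetObject")}]},
        {"UserName": "bob", "Path": "/", "UserPolicyList": []}],
    "GroupDetailList": [
        {"GroupName": "devs", "Path": "/", "GroupPolicyList": [{"PolicyName": "ec2-ro", "PolicyDocument": _allow("ec2:Describe*")}]}],
    "RoleDetailList": [
        {"RoleName": "app-role", "Path": "/", "RolePolicyList": [{"PolicyName": "s3-read", "PolicyDocument": _allow("s3:GetObject")}]},
        {"RoleName": "AWSServiceRoleForExample", "Path": "/aws-service-role/example.amazonaws.com/",
         "RolePolicyList": [{"PolicyName": "ExampleServicePolicy", "PolicyDocument": _allow("logs:PutLogEvents")}]}]}

# (list key, name key, inline-policy list key, noun used by the attach-/delete- CLI commands)
ENTITY_KINDS = (("UserDetailList", "UserName", "UserPolicyList", "user"),
                ("GroupDetailList", "GroupName", "GroupPolicyList", "group"),
                ("RoleDetailList", "RoleName", "RolePolicyList", "role"))

def find_inline_policies(details, skip_service_linked=True):
    """Step 1: return (kind, entity name, policy name, policy document) for every inline policy."""
    findings = []
    for list_key, name_key, inline_key, kind in ENTITY_KINDS:
        for entity in details.get(list_key, []):
            # Service-linked roles (path /aws-service-role/) are owned by AWS; the account cannot change their policies.
            if skip_service_linked and entity.get("Path", "/").startswith("/aws-service-role/"):
                continue
            for pol in entity.get(inline_key, []):
                findings.append((kind, entity[name_key], pol["PolicyName"], pol["PolicyDocument"]))
    return findings

def remediation_plan(findings):
    """Steps 2-4 as a dry run: (files, commands), where files maps a JSON file name to the policy document
    to save and commands is the create -> attach -> delete sequence. Identical documents are merged into one
    managed policy; names are prefixed with the entity because managed policy names are unique per account."""
    files, commands, by_doc = {}, [], {}
    for kind, name, pol_name, doc in findings:
        key = json.dumps(doc, sort_keys=True)  # canonical text, doubles as the file content
        if key not in by_doc:
            by_doc[key] = managed = f"{kind}-{name}-{pol_name}"
            files[f"{managed}.json"] = key
            commands.append(f"aws iam create-policy --policy-name {managed} --policy-document file://{managed}.json")
        managed = by_doc[key]
        commands.append(f"aws iam attach-{kind}-policy --{kind}-name {name} "
                        f"--policy-arn arn:aws:iam::<account-id>:policy/{managed}")  # <account-id>: placeholder
        commands.append(f"aws iam delete-{kind}-policy --{kind}-name {name} --policy-name {pol_name}")
    return files, commands
```

Review the plan (in particular any merged policies and the <account-id> placeholder) before running the commands, and keep the saved JSON files as the Step 2 record of the permissions that were migrated.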
Remediation Guide
To remediate findings for this rule and bring your AWS environment into line with SOC 2, ensure that all IAM permissions are granted through managed policies. Migrate any inline policies following the steps above, and audit regularly to confirm that no new inline policies are being created. Train your team on why managed policies are preferred for governance and compliance.
By thoroughly documenting permission changes, executing the necessary CLI commands to migrate to managed policies, and removing inline policies, you can create an IAM environment conducive to SOC 2 compliance. Regularly review IAM permissions to keep access controls aligned with the principle of least privilege, a core SOC 2 requirement.