Ensure that IamGroup does not have Inline policies

Ensure that none of your IAM groups use inline policies; use managed policies instead. Managed policies are reusable across identities, support central change management, versioning and rollback, and allow permissions management to be delegated.

Risk Level: Low
Cloud Entity: IAM Group
CloudGuard Rule ID: D9.AWS.CRY.41
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamGroup should not have inlinePolicies

REMEDIATION

From Portal
Use the following steps to delete an inline policy.

  1. Sign in to the AWS Management Console and navigate to the IAM dashboard - https://console.aws.amazon.com/iam/.
  2. From the left navigation panel choose Groups.
  3. Click on a group name from the list of groups.
  4. Once in the IAM group summary page, click on the permissions tab.
  5. To delete an inline policy in User groups, choose Delete.
  6. If you are deleting a single inline policy in User groups, type the name of the policy and choose Delete. If you are deleting multiple inline policies in User groups, type the number of policies you are deleting followed by the words "inline policies", then choose Delete. For example, if you are deleting three inline policies, type 3 inline policies.

From Command Line
Use the following command to delete an inline policy:

aws iam delete-group-policy --group-name user_group_name --policy-name policy_document_name
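The script below is an added example (not CloudGuard's checker or AWS code) that evaluates the GSL logic above over a group inventory and, for each violating group, emits the CLI steps to recreate the inline policy as a managed policy and attach it before running the delete-group-policy command shown above. The sample inventory, the `<ACCOUNT_ID>` placeholder and the `{group}-{policy}` naming for the new managed policy are assumptions; the `aws iam` subcommands are the real ones.

```python
"""Audit IAM groups against the rule above (IamGroup should not have inlinePolicies)
and emit the commands that migrate each inline policy to a managed policy."""
import json
import subprocess
from typing import Dict, List

# Constructed sample inventory: group name -> names of its inline policies,
# the same shape as the PolicyNames list returned by `aws iam list-group-policies`.
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "developers": ["s3-scratch-access", "logs-read"],
    "auditors": [],
    "ops": ["ec2-restart"],
}

def aws_json(*args: str) -> dict:
    """Run a read-only AWS CLI call and parse its JSON (live mode only).
    AWS CLI v2 paginates list-* calls automatically."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))

def collect_inventory() -> Dict[str, List[str]]:
    """Build the group -> inline-policy map from the live account."""
    inventory: Dict[str, List[str]] = {}
    for group in aws_json("iam", "list-groups")["Groups"]:
        name = group["GroupName"]
        inventory[name] = aws_json("iam", "list-group-policies",
                                   "--group-name", name)["PolicyNames"]
    return inventory

def find_violations(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Groups that fail the GSL rule: any group with one or more inline policies."""
    return {g: sorted(p) for g, p in inventory.items() if p}

def migration_commands(group: str, policy: str, account_id: str) -> List[str]:
    """Export the inline document, recreate it as a managed policy, attach it,
    then delete the inline copy (the page's delete-group-policy step comes last)."""
    doc = f"{group}-{policy}.json"  # assumed local file name for the exported document
    return [
        f"aws iam get-group-policy --group-name {group} --policy-name {policy} "
        f"--query PolicyDocument --output json > {doc}",
        f"aws iam create-policy --policy-name {group}-{policy} --policy-document file://{doc}",
        f"aws iam attach-group-policy --group-name {group} "
        f"--policy-arn arn:aws:iam::{account_id}:policy/{group}-{policy}",
        f"aws iam delete-group-policy --group-name {group} --policy-name {policy}",
    ]

if __name__ == "__main__":
    # Offline run over the constructed inventory; use collect_inventory() for a live account.
    for group, policies in find_violations(SAMPLE_INVENTORY).items():
        for policy in policies:
            print("\n".join(migration_commands(group, policy, "<ACCOUNT_ID>")))
```

Review the exported documents before creating managed policies, since the migration reproduces whatever permissions the inline policies granted.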

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-delete.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group-policy.html

IAM Group

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset