Use managed policies instead of inline IAM Policies

Inline policies are policies that are embedded directly into a single user, group, or role. It is recommend to use managed policies instead of inline policies. Managed policies provide reusability, central change management, versioning and more capabilities.

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.44
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

IamUser should not have inlinePolicies

REMEDIATION

From Portal
Using the GUI, perform the following to detach the policy that has full administrative privileges:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Users.
  3. Select the User and click on Permissions.
  4. Remove any policies attached directly to the user (these are inline policies), and replace them with equivalent managed policies (in the Policies page) that are assigned to users, groups or roles.

From TF

resource "aws_iam_policy" "my-policy" {
	name = "test-policy"
	
	policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
		{
			"Effect": "Allow",
			+     "Action": ["some:action"],
			"Resource": "*"
		}
		]
	}
	EOF
}

From Command Line
To delete inline policy for any specific user, run :

aws iam delete-user-policy --user-name USERNAME --policy-name POLICY_NAME

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-policies.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Dashboards