Ensure there are no inline policies attached to the ECS service

Ensure there are no inline policies attached to the service. Inline policies are policies that are embedded directly into a single user, group, or role. It is recommend to use managed policies instead of inline policies. Managed policies provide reusability, central change management, versioning and more capabilities.

Risk Level: Low
Cloud Entity: Amazon Elastic Container Service
CloudGuard Rule ID: D9.AWS.IAM.47
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

EcsService should not have role.inlinePolicies

REMEDIATION

From Portal
For Each ECS Service with inline policies perform the following steps:

  1. In the IAM console, select Users from the navigation pane
  2. Select Permissions
  3. Remove any policies attached directly to the user (these are inline policies), and replace them with equivalent managed policies (in the Policies page) that are assigned to users, groups or roles.

From Command Line

  1. Fetch the IAM group inline policies, run following get-group-policy command:
aws iam get-group- --group-name PUT_GROUP_NAME --policy-name PUT_POLICY_NAME
  1. Above command will give inline policy document requested. Create a JSON file and paste the data to the Policy Document object into the JSON file then save it.

  2. Detach the existing policies for the selected IAM group. Use following command to delete any inline policies
    Note: inline policies deleted automatically when we detach it, so make sure to save these policies before detaching.

aws iam delete-group-policy --group-name PUT_GROUP_NAME --policy-name PUT_POLICY_NAME

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html

Amazon Elastic Container Service

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset