Logo of Trend Micro

IAM Group With Inline Policies

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (generally tolerable level of risk)
Rule ID: IAM-022

Ensure that all your IAM groups are using managed policies (AWS and customer managed policies) instead of inline policies (embedded policies) to better control and manage the access permissions to your AWS account.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Defining access permissions for your IAM groups using managed policies can offer multiple benefits such as reusability, versioning and rollback, automatic updates, larger policy size and fine-grained control over your policies assignment.

Audit

To determine if your IAM groups have any inline policies attached, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Groups.

04 Click on the IAM group name that you want to examine.

05 On the IAM group configuration page, select Permissions tab.

06 Inside Inline Policies section, search for any existing inline policies. If one or more policies are listed, e.g.

Inside Inline Policies section, search for any existing inline policies. If one or more policies are listed

the selected group is using inline (embedded) policies for its access permissions configuration and is not following AWS IAM best practices.

07 Repeat steps no. 4 – 6 for each IAM group that you want to examine within your AWS account.

Using AWS CLI

01 Run list-groups command (OSX/Linux/UNIX) to list all IAM groups within your account: 

aws iam list-groups
	--query 'Groups[*].GroupName'

02 The command output should return an array that contains the names of your IAM groups: 

[
    "aws-s3-managers",
    "aws-ec2-managers",
    ...
    "aws-rds-sql-admins"
]

03 Run list-group-policies command (OSX/Linux/UNIX) using the group name that you want to examine as command parameter to list all the inline policies that are currently attached to the selected IAM group: 

aws iam list-group-policies
	--group-name aws-s3-managers

04 The command output should return an array that contains specific metadata (name and ARN) for each inline policy attached (if any): 

{
    "PolicyNames": [
        "policygen-aws-s3-managers-201509201045",
        "policygen-aws-s3-managers-201512100732"
    ]
}

If the PolicyNames array returned for you is empty, i.e. [ ], the IAM group does not have any inline policies attached. If the PolicyNames array is not empty (as shown in the output example above), the selected group has policies attached, hence its access permissions configuration is not following AWS IAM best practices.

05 Repeat steps no. 3 and 4 for each AWS IAM group that you want to examine.

Remediation / Resolution

To update the IAM group access configuration and replace any inline policies with managed policies, you need perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Groups.

04 Select the IAM group that has inline policies attached (see Audit section) and click on the group name to access its configuration page.

05 On the IAM group configuration page, select the Permissions tab.

06 Inside Inline Policies section, click on each Show Policy link and copy each policy document displayed in a text file. Once all the available policies are copied, click the Remove Policy link for each inline policy to remove them from the group configuration.

07 In the left navigation panel, choose Policies and click Create Policy button from the IAM dashboard top menu.

08 On the Create Policy page, select Create Your Own Policy to create your own managed policies using the data taken from your inline policies. You can also select an AWS predefined policy or create a brand new one using the AWS Policy Generator.

09 On the Review Policy page, perform the following:

  1. In the Policy Name box, enter a name for your new managed policy. Choose a unique name that will reflect the policy usage.
  2. In the Description textbox, enter a short description for the policy (optional).
  3. In the Policy Document textbox, paste the inline policy content copied at step no. 6.
  4. Click Validate Policy button to validate the policy then click Create Policy to save it.

10 In the left navigation panel, choose Groups and click on the selected IAM group name to access its configuration page.

11 On the configuration page, select the Permissions tab and click Attach Policy button to attach the new managed policy created earlier.

12 Select Customer Managed Policies from the Filter dropdown menu and select your newly created policy.

13 Click Attach Policy to attach the selected policy to your IAM group.

14 Repeat steps no. 4 – 13 for each IAM group with inline policies attached, available in your AWS account.

Using AWS CLI

01 Get the policies for the selected IAM group using their identifiers (see Audit section, step 3 and 4, on how to retrieve each policy name). To fetch the IAM group inline policies content run get-group-policy command (OSX/Linux/UNIX) using the policy name as parameter: 

aws iam get-group-
	--group-name aws-s3-managers
	--policy-name policygen-aws-s3-managers-201509201045

02 The command output should return the inline policy document requested. Create a JSON file, name it to reflect the policy usage (e.g. s3-bucket-management-policy.json) and paste the data inside the PolicyDocument object into the JSON file then save it. The command output containing the inline policy should look like this: 

{
    "GroupName": "aws-s3-managers",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:CreateBucket",
                    "s3:DeleteBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::web-application-media"
                ],
                "Effect": "Allow",
                "Sid": "Stmt1463741294000"
            }
        ]
    },
    "PolicyName": "policygen-aws-s3-managers-201509201045"
}

03 Detach the existing policies for the selected IAM group using their names. To delete any inline policies run delete-group-policy command (OSX/Linux/UNIX) using the inline policy name as identifier. (!) IMPORTANT: inline policies are not just detached but deleted automatically so make sure you save these policies (see step no. 1 and 2) before running the following command (no output returned): 

aws iam delete-group-policy
	--group-name aws-s3-managers
	--policy-name policygen-aws-s3-managers-201509201045

04 Run create-policy command (OSX/Linux/UNIX) using the JSON file that contains the policy data saved at step no. 2 (e.g. s3-bucket-management-policy.json) to create a new managed policy: 

aws iam create-policy
	--policy-name s3-bucket-management-policy
	--policy-document file://s3-bucket-management-policy.json

05 The command output should return the managed policy metadata, including the policy ARN (highlighted): 

{
    "Policy": {
        "PolicyName": "s3-bucket-management-policy",
        "CreateDate": "2016-05-20T13:52:28.166Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPAIRG3DHMBSWUD4TZEE",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:
                policy/s3-bucket-management-policy",
        "UpdateDate": "2016-05-20T13:52:28.166Z"
    }
}

06 Finally, run attach-group-policy command (OSX/Linux/UNIX) using the policy document Amazon Resource Name (ARN) returned at the previous step to attach your newly created managed policy to the selected IAM group (no output returned): 

aws iam attach-group-policy
	--policy-arn arn:aws:iam::123456789012:policy/s3-bucket-management-policy
	--group-name aws-s3-managers

07 Repeat steps no. 1 – 6 for each IAM group with inline policies attached within your AWS account.

References

Publication date May 21, 2016

Related IAM rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

IAM Group With Inline Policies

Risk level: Medium