IAM Group With Inline Policies
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that all your IAM groups are using managed policies (AWS and customer managed policies) instead of inline policies (embedded policies) to better control and manage the access permissions to your AWS account.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Defining access permissions for your IAM groups using managed policies can offer multiple benefits such as reusability, versioning and rollback, automatic updates, larger policy size and fine-grained control over your policies assignment.
To determine if your IAM groups have any inline policies attached, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel, choose Groups.
04 Click on the IAM group name that you want to examine.
05 On the IAM group configuration page, select Permissions tab.
06 Inside Inline Policies section, search for any existing inline policies. If one or more policies are listed, e.g.
the selected group is using inline (embedded) policies for its access permissions configuration and is not following AWS IAM best practices.
07 Repeat steps no. 4 – 6 for each IAM group that you want to examine within your AWS account.
01 Run list-groups command (OSX/Linux/UNIX) to list all IAM groups within your account:
aws iam list-groups --query 'Groups[*].GroupName'
02 The command output should return an array that contains the names of your IAM groups:
[
"aws-s3-managers",
"aws-ec2-managers",
...
"aws-rds-sql-admins"
]
03 Run list-group-policies command (OSX/Linux/UNIX) using the group name that you want to examine as command parameter to list all the inline policies that are currently attached to the selected IAM group:
aws iam list-group-policies --group-name aws-s3-managers
04 The command output should return an array that contains specific metadata (name and ARN) for each inline policy attached (if any):
{
"PolicyNames": [
"policygen-aws-s3-managers-201509201045",
"policygen-aws-s3-managers-201512100732"
]
}
05 Repeat steps no. 3 and 4 for each AWS IAM group that you want to examine.
To update the IAM group access configuration and replace any inline policies with managed policies, you need perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel, choose Groups.
04 Select the IAM group that has inline policies attached (see Audit section) and click on the group name to access its configuration page.
05 On the IAM group configuration page, select the Permissions tab.
06 Inside Inline Policies section, click on each Show Policy link and copy each policy document displayed in a text file. Once all the available policies are copied, click the Remove Policy link for each inline policy to remove them from the group configuration.
07 In the left navigation panel, choose Policies and click Create Policy button from the IAM dashboard top menu.
08 On the Create Policy page, select Create Your Own Policy to create your own managed policies using the data taken from your inline policies. You can also select an AWS predefined policy or create a brand new one using the AWS Policy Generator.
09 On the Review Policy page, perform the following:
10 In the left navigation panel, choose Groups and click on the selected IAM group name to access its configuration page.
11 On the configuration page, select the Permissions tab and click Attach Policy button to attach the new managed policy created earlier.
12 Select Customer Managed Policies from the Filter dropdown menu and select your newly created policy.
13 Click Attach Policy to attach the selected policy to your IAM group.
14 Repeat steps no. 4 – 13 for each IAM group with inline policies attached, available in your AWS account.
01 Get the policies for the selected IAM group using their identifiers (see Audit section, step 3 and 4, on how to retrieve each policy name). To fetch the IAM group inline policies content run get-group-policy command (OSX/Linux/UNIX) using the policy name as parameter:
aws iam get-group- --group-name aws-s3-managers --policy-name policygen-aws-s3-managers-201509201045
02 The command output should return the inline policy document requested. Create a JSON file, name it to reflect the policy usage (e.g. s3-bucket-management-policy.json) and paste the data inside the PolicyDocument object into the JSON file then save it. The command output containing the inline policy should look like this:
{
"GroupName": "aws-s3-managers",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": [
"arn:aws:s3:::web-application-media"
],
"Effect": "Allow",
"Sid": "Stmt1463741294000"
}
]
},
"PolicyName": "policygen-aws-s3-managers-201509201045"
}
03 Detach the existing policies for the selected IAM group using their names. To delete any inline policies run delete-group-policy command (OSX/Linux/UNIX) using the inline policy name as identifier. (!) IMPORTANT: inline policies are not just detached but deleted automatically so make sure you save these policies (see step no. 1 and 2) before running the following command (no output returned):
aws iam delete-group-policy --group-name aws-s3-managers --policy-name policygen-aws-s3-managers-201509201045
04 Run create-policy command (OSX/Linux/UNIX) using the JSON file that contains the policy data saved at step no. 2 (e.g. s3-bucket-management-policy.json) to create a new managed policy:
aws iam create-policy --policy-name s3-bucket-management-policy --policy-document file://s3-bucket-management-policy.json
05 The command output should return the managed policy metadata, including the policy ARN (highlighted):
{
"Policy": {
"PolicyName": "s3-bucket-management-policy",
"CreateDate": "2016-05-20T13:52:28.166Z",
"AttachmentCount": 0,
"IsAttachable": true,
"PolicyId": "ANPAIRG3DHMBSWUD4TZEE",
"DefaultVersionId": "v1",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:
policy/s3-bucket-management-policy",
"UpdateDate": "2016-05-20T13:52:28.166Z"
}
}
06 Finally, run attach-group-policy command (OSX/Linux/UNIX) using the policy document Amazon Resource Name (ARN) returned at the previous step to attach your newly created managed policy to the selected IAM group (no output returned):
aws iam attach-group-policy --policy-arn arn:aws:iam::123456789012:policy/s3-bucket-management-policy --group-name aws-s3-managers
07 Repeat steps no. 1 – 6 for each IAM group with inline policies attached within your AWS account.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat