
IAM Group With Inline Policies

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-022

Ensure that all your Amazon IAM groups are using managed policies (AWS-managed and customer-managed policies) instead of inline policies (embedded policies) to have better control over the access permissions within your AWS cloud account.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Defining access permissions for your Amazon IAM groups using managed policies can offer multiple benefits such as reusability, versioning and rollback, automatic updates, larger policy size, and fine-grained control over your policies assignments.


Audit

To determine if your Amazon IAM groups have any inline policies attached, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose User groups.

04 Click on the name of the Amazon IAM group that you want to examine.

05 Select the Permissions tab to access the inline policies associated with the selected IAM group.

06 In the Permissions policies section, search for any inline policies configured for the selected group. An IAM group inline policy has the Type set to Customer inline. If one or more inline policies are listed in the Permissions policies section, the selected Amazon IAM group is using inline (embedded) policies for access permissions.

07 Repeat steps no. 4 – 6 for each Amazon IAM group available in the selected AWS cloud account.

Using AWS CLI

01 Run list-groups command (OSX/Linux/UNIX) using custom query filters to list the names of all the IAM groups available within your AWS account:

aws iam list-groups \
  --output table \
  --query 'Groups[*].GroupName'

02 The command output should return a table with the requested IAM group identifiers:

----------------------------
|        ListGroups        |
+--------------------------+
|  cc-project5-user-group  |
|  cc-log-data-user-group  |
+--------------------------+

03 Run list-group-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM group that you want to examine as the identifier parameter and custom query filters to describe the name of each inline policy configured for the selected IAM group:

aws iam list-group-policies \
  --group-name cc-project5-user-group \
  --query 'PolicyNames'

04 The command output should return the names of the inline policies configured for the selected IAM group:

[
    "policygen-cc-project5-user-group-202004141440",
    "policygen-cc-project5-user-group-202007111357"
]

If the list-group-policies command output returns an array with one or more policy names, as shown in the example above, the selected Amazon IAM group is using inline (embedded) policies for access permissions.

05 Repeat steps no. 3 and 4 for each Amazon IAM group available within the selected AWS cloud account.
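The CLI audit above, steps 1 through 5, as a script. This is an added example and not part of the Conformity page or product; it assumes boto3 and read-only credentials (iam:ListGroups, iam:ListGroupPolicies) only when run with the hypothetical `--live` flag, and otherwise runs against constructed sample data that mirrors the CLI output shown in the audit steps:

```python
"""Audit the account for IAM groups that still use inline policies.

Added example; the AWS calls are injected as callables so the same logic
runs against boto3 (real account) or against constructed sample data.
"""
import sys
from typing import Callable, Dict, List


def find_groups_with_inline_policies(
    list_groups: Callable[[], List[str]],
    list_group_policies: Callable[[str], List[str]],
) -> Dict[str, List[str]]:
    """Map each non-compliant group name to its inline policy names.
    Groups without inline policies (managed policies only) are omitted."""
    findings: Dict[str, List[str]] = {}
    for group in list_groups():
        inline = list_group_policies(group)
        if inline:
            findings[group] = list(inline)
    return findings


def audit_report(findings: Dict[str, List[str]]) -> List[str]:
    """One line per non-compliant group, sorted for stable output."""
    return [
        f"NON-COMPLIANT {group}: {len(names)} inline policy(ies): {', '.join(names)}"
        for group, names in sorted(findings.items())
    ]


def boto3_callables():
    """Live mode: paginate ListGroups and ListGroupPolicies via boto3.
    Assumes boto3 is installed and credentials with iam:ListGroups and
    iam:ListGroupPolicies are configured (read-only)."""
    import boto3  # imported lazily so the offline demo has no dependency

    iam = boto3.client("iam")

    def list_groups() -> List[str]:
        names = []
        for page in iam.get_paginator("list_groups").paginate():
            names.extend(g["GroupName"] for g in page["Groups"])
        return names

    def list_group_policies(group_name: str) -> List[str]:
        names = []
        paginator = iam.get_paginator("list_group_policies")
        for page in paginator.paginate(GroupName=group_name):
            names.extend(page["PolicyNames"])
        return names

    return list_groups, list_group_policies


# Constructed sample data mirroring the CLI output shown in the audit steps:
# the first group carries two inline policies, the second has none.
SAMPLE_GROUPS = ["cc-project5-user-group", "cc-log-data-user-group"]
SAMPLE_INLINE_POLICIES = {
    "cc-project5-user-group": [
        "policygen-cc-project5-user-group-202004141440",
        "policygen-cc-project5-user-group-202007111357",
    ],
    "cc-log-data-user-group": [],
}


def sample_callables():
    """Offline mode: serve the constructed sample data above."""
    return (
        lambda: list(SAMPLE_GROUPS),
        lambda group: list(SAMPLE_INLINE_POLICIES.get(group, [])),
    )


if __name__ == "__main__":
    calls = boto3_callables() if "--live" in sys.argv else sample_callables()
    findings = find_groups_with_inline_policies(*calls)
    for line in audit_report(findings) or ["COMPLIANT: no IAM group uses inline policies"]:
        print(line)
    sys.exit(1 if findings else 0)
```

The non-zero exit status when any group is non-compliant lets the script gate a CI pipeline or a scheduled compliance job; pagination matters because ListGroups and ListGroupPolicies truncate at 100 items by default, so an unpaginated call can silently miss groups in larger accounts.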

Remediation / Resolution

To reconfigure your IAM group permissions and replace any inline policies with managed policies, perform the following operations:

Using Terraform

01 Step 1: Attach the corresponding IAM managed policy to the specified IAM group. Terraform configuration file (.tf).

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_group" "iam-group" {
	name = "cc-project5-user-group"
}

resource "aws_iam_policy" "project5-managed-policy" {
	name        = "cc-project5-managed-policy"
	description = "Manage S3 Data"
	# Indented heredoc (<<-) so the closing marker may be indented and the
	# common leading whitespace is stripped from the JSON document.
	policy = <<-EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": [
					"s3:CreateBucket",
					"s3:DeleteBucket"
				],
				"Resource": [
					"arn:aws:s3:::cc-project5-media"
				],
				"Effect": "Allow",
				"Sid": "Stmt1618401427000"
			}
		]
	}
	EOF
}

# aws_iam_group_policy_attachment attaches the managed policy to this group
# only. The older aws_iam_policy_attachment resource is exclusive: it detaches
# the policy from every other user, group or role it is attached to.
resource "aws_iam_group_policy_attachment" "group-attach" {
	group      = aws_iam_group.iam-group.name
	policy_arn = aws_iam_policy.project5-managed-policy.arn
}

02 Step 2: Remove the corresponding inline policy attached to the IAM group. In Terraform an inline group policy is an aws_iam_group_policy resource (aws_iam_policy is a managed policy), so target that resource. Terraform commands:

terraform destroy -target aws_iam_group_policy.project5-inline-policy

Alternatively, delete the aws_iam_group_policy resource block from the configuration and run terraform apply, which removes the inline policy without a targeted destroy.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose User groups.

04 Click on the name of the Amazon IAM group that you want to reconfigure.

05 Select the Permissions tab to access the inline policies associated with the selected IAM group.

06 In the Permissions policies section, click on the name of each inline policy, select the JSON tab, and copy each inline policy document to a text file.

07 In the navigation panel, under Access management, choose Policies.

08 Click on the Create policy button from the console top menu to initiate the setup process.

09 On the Create policy page, select the JSON tab, and create your own managed policy using the information taken from the inline policies at step no. 6. You can also select a predefined AWS-managed policy or create a brand new one using the AWS Policy Generator.

10 Choose Next: Tags and use the Add tag button to configure tags for the new managed policy.

11 Select Next: Review and provide a unique name and a description for your new IAM policy in the Name and Description text fields.

12 Choose Create policy to create your new managed IAM policy.

13 In the navigation panel, under Access management, choose User groups.

14 Click on the name of the IAM group that you want to reconfigure.

15 Select the Permissions tab, choose Add permissions, select Attach Policies, and choose the managed IAM policy created at the previous steps. Select Add permissions to attach the policy to your Amazon IAM group.

16 To remove the embedded (inline) policies associated with your IAM group, perform the following actions. Repeat the following steps for each associated inline policy:

  1. Select the inline policy associated with the selected group from the Permissions policies section.
  2. Choose Remove to remove the selected policy from your IAM group.
  3. In the Remove <policy-name>? confirmation box, enter the name of the selected inline policy in the text input field, then choose Delete.

17 Repeat steps no. 4 – 16 for each IAM group configured with inline policies, available in your AWS cloud account.

Using AWS CLI

01 Get the inline policies created for the selected Amazon IAM group. To fetch the contents of the associated inline policies, run get-group-policy command (OSX/Linux/UNIX) using the policy name as the identifier parameter. Repeat this step for each inline policy configured for the selected IAM group. Save the associated inline policies to a JSON file named cc-inline-policies.json:

aws iam get-group-policy \
  --group-name cc-project5-user-group \
  --policy-name policygen-cc-project5-user-group-202004141440 \
  --query 'PolicyDocument'

02 The command output should return the inline policy document requested:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:CreateBucket",
				"s3:DeleteBucket"
			],
			"Resource": [
				"arn:aws:s3:::cc-project5-media"
			],
			"Effect": "Allow",
			"Sid": "Stmt1618401427000"
		}
	]
}

03 Run create-policy command (OSX/Linux/UNIX) to create your own managed IAM policy using the information taken from the associated inline policies at the previous steps:

aws iam create-policy \
  --policy-name cc-project5-managed-policy \
  --policy-document file://cc-inline-policies.json

04 The command output should return the metadata for the newly created managed policy, including the policy ARN:

{
	"Policy": {
		"PolicyName": "cc-project5-managed-policy",
		"CreateDate": "2021-04-20T13:52:28.166Z",
		"AttachmentCount": 0,
		"IsAttachable": true,
		"PolicyId": "ABCDABCDABCDABCDABCD",
		"DefaultVersionId": "v1",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:policy/cc-project5-managed-policy",
		"UpdateDate": "2021-04-20T13:52:28.166Z"
	}
}

05 Run attach-group-policy command (OSX/Linux/UNIX) using the ARN of the new managed policy, returned at the previous step, as the identifier parameter, to attach your newly created IAM policy to the selected IAM group (the command does not produce an output):

aws iam attach-group-policy \
  --group-name cc-project5-user-group \
  --policy-arn arn:aws:iam::123456789012:policy/cc-project5-managed-policy

06 Remove the inline policies from the selected IAM group using their names as the identifier parameters. To delete an inline policy associated with an IAM group, run delete-group-policy command (OSX/Linux/UNIX). If successful, the delete-group-policy command request does not produce an output:

aws iam delete-group-policy \
  --group-name cc-project5-user-group \
  --policy-name policygen-cc-project5-user-group-202004141440

07 Repeat steps no. 1 – 6 for each IAM group configured with inline policies, available within your AWS cloud account.
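Steps 1 and 3 of the CLI remediation ask you to save several inline policy documents into one file, cc-inline-policies.json, and feed it to create-policy. A managed policy is a single document, so the statements have to be merged, which raises two practical checks: Sid values must be unique within one policy (separately generated inline policies frequently reuse the same Sid), and a managed policy document may not exceed 6,144 characters excluding whitespace. The helper below is an added example, not code from the Conformity page; the first sample document is the one shown in step 2, the second is a constructed sibling that reuses the same Sid:

```python
"""Remediation helper (added example): merge the inline policy documents
fetched with get-group-policy into the single managed-policy document that
create-policy expects (the cc-inline-policies.json of step 3)."""
import json
import re

# AWS quota for a managed policy document: 6,144 characters, whitespace excluded.
MANAGED_POLICY_MAX_CHARS = 6144


def _statements(doc):
    # "Statement" may be a single object or a list; normalise to a list.
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def merge_inline_policies(inline_docs):
    """inline_docs: {inline_policy_name: policy_document} as returned by
    get-group-policy --query PolicyDocument. Returns one merged document."""
    merged = {"Version": "2012-10-17", "Statement": []}
    seen_sids = set()
    for name, doc in sorted(inline_docs.items()):
        if doc.get("Version", "2012-10-17") != "2012-10-17":
            raise ValueError(f"{name}: unexpected policy language version")
        for index, stmt in enumerate(_statements(doc)):
            stmt = dict(stmt)
            sid = stmt.get("Sid")
            # Sids must be unique within one policy and alphanumeric; re-label
            # missing or clashing Sids from the source policy name and index.
            if sid is None or sid in seen_sids:
                sid = re.sub(r"[^A-Za-z0-9]", "", name) + str(index)
            seen_sids.add(sid)
            stmt["Sid"] = sid
            merged["Statement"].append(stmt)
    return merged


def policy_size(doc):
    """Character count the way the IAM quota counts it (whitespace excluded)."""
    return len(re.sub(r"\s", "", json.dumps(doc)))


def write_managed_policy_document(inline_docs, path="cc-inline-policies.json"):
    """Merge, enforce the size quota, and write the file create-policy reads."""
    merged = merge_inline_policies(inline_docs)
    size = policy_size(merged)
    if size > MANAGED_POLICY_MAX_CHARS:
        raise ValueError(
            f"merged document is {size} chars (limit {MANAGED_POLICY_MAX_CHARS}); "
            "split the statements across more than one managed policy"
        )
    with open(path, "w") as fh:
        json.dump(merged, fh, indent=2)
    return merged


# Constructed sample: the first document is the one shown in step 2; the
# second is a made-up sibling that reuses the same Sid.
SAMPLE_INLINE_DOCS = {
    "policygen-cc-project5-user-group-202004141440": {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": ["s3:CreateBucket", "s3:DeleteBucket"],
            "Resource": ["arn:aws:s3:::cc-project5-media"],
            "Effect": "Allow",
            "Sid": "Stmt1618401427000",
        }],
    },
    "policygen-cc-project5-user-group-202007111357": {
        "Version": "2012-10-17",
        "Statement": {
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::cc-project5-media"],
            "Effect": "Allow",
            "Sid": "Stmt1618401427000",
        },
    },
}


if __name__ == "__main__":
    doc = write_managed_policy_document(SAMPLE_INLINE_DOCS)
    print(json.dumps(doc, indent=2))
    print(f"{policy_size(doc)} chars of {MANAGED_POLICY_MAX_CHARS} allowed")
```

Review the merged document before running create-policy: merging preserves every Allow from the old inline policies, so this is the moment to drop statements the group no longer needs rather than carrying over-broad permissions into the new managed policy.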


Publication date May 21, 2016