To protect your AWS cloud resources against unauthorized access and meet strict compliance requirements within your organization, ensure that unapproved Amazon IAM managed policies are not attached to IAM roles, users, or groups. Before the Conformity engine runs this rule, the list of unapproved IAM policies must be defined in the rule settings on the Trend Cloud One™ – Conformity account console.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Setting boundaries for the use of identity-based policies within your organization can help you meet internal security compliance requirements, protect sensitive and confidential data, and even prevent unexpected charges on your AWS bill. You can explicitly specify the IAM managed policies that are not allowed to be attached to IAM roles, users, or groups within your AWS cloud account. To adhere to Amazon Identity and Access Management (IAM) security best practices, either detach the unapproved IAM policies or approve them after a complete compliance review.
Audit
To determine if there are any unapproved Amazon IAM managed policies used within your AWS account, perform the following operations:
Remediation / Resolution
To ensure that all unapproved Amazon IAM managed policies are decommissioned within your AWS cloud account, perform the following operations:
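The audit and remediation steps above are the same check from two sides: find every group, user and role that has a policy from the unapproved list attached, then detach it. The script below is an added example, not Conformity's own code; it assumes a constructed ListEntitiesForPolicy response, a constructed unapproved-policy ARN, and boto3 credentials only for the live `audit_account()` call.

```python
# Added example (not Conformity's own code): audit which IAM groups, users and
# roles have an unapproved managed policy attached, and optionally detach it.
# Helpers work on the ListEntitiesForPolicy response shape, so they run offline.

# Constructed sample page in the shape IAM ListEntitiesForPolicy returns.
SAMPLE_RESPONSE = {
    "PolicyGroups": [{"GroupName": "developers", "GroupId": "AGPAEXAMPLEID"}],
    "PolicyUsers": [{"UserName": "ci-deployer", "UserId": "AIDAEXAMPLEID"}],
    "PolicyRoles": [{"RoleName": "LegacyAdminRole", "RoleId": "AROAEXAMPLEID"}],
}
SAMPLE_UNAPPROVED_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # constructed list entry

# Response key -> (entity type, name field, boto3 IAM detach method).
ENTITY_KINDS = {
    "PolicyGroups": ("group", "GroupName", "detach_group_policy"),
    "PolicyUsers": ("user", "UserName", "detach_user_policy"),
    "PolicyRoles": ("role", "RoleName", "detach_role_policy"),
}


def findings_from_response(policy_arn, response):
    """Flatten one ListEntitiesForPolicy page into findings, one per attached
    group, user or role, each naming the detach call that would resolve it."""
    findings = []
    for key, (kind, name_field, detach_method) in ENTITY_KINDS.items():
        for entity in response.get(key, []):
            findings.append({"entity_type": kind, "entity_name": entity[name_field],
                             "policy_arn": policy_arn, "detach_method": detach_method})
    return findings


def detach_kwargs(finding):
    """Keyword arguments (GroupName/UserName/RoleName + PolicyArn) for the detach call."""
    return {finding["entity_type"].capitalize() + "Name": finding["entity_name"],
            "PolicyArn": finding["policy_arn"]}


def audit_account(unapproved_arns, detach=False):
    """Query IAM for every unapproved ARN (paginated); detach only when asked.
    Needs boto3, iam:ListEntitiesForPolicy and, for detach=True, iam:Detach*Policy."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    iam = boto3.client("iam")
    paginator = iam.get_paginator("list_entities_for_policy")
    findings = []
    for arn in unapproved_arns:
        for page in paginator.paginate(PolicyArn=arn):
            findings.extend(findings_from_response(arn, page))
    for finding in findings if detach else []:
        getattr(iam, finding["detach_method"])(**detach_kwargs(finding))
    return findings
```

Run `audit_account([...], detach=False)` first and review the findings before a second pass with `detach=True`, since detaching a policy from a role that a workload depends on is an immediate outage.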
References
- AWS Documentation
  - Security best practices in IAM
  - IAM Identities (users, groups, and roles)
  - Managing IAM groups
  - Managing IAM users
  - Managing IAM roles
- AWS Command Line Interface (CLI) Documentation
  - iam
  - list-entities-for-policy
  - detach-group-policy
  - detach-user-policy
  - detach-role-policy