Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Unapproved IAM Policy in Use

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-068

To protect your AWS cloud resources against unauthorized access and meet strict compliance requirements within your organization, ensure that unapproved Amazon IAM managed policies are not attached to IAM roles, users, or groups. Before this rule runs, the list with the unapproved IAM policies must be defined in the rule settings, on the TrendAI Vision One™ Cloud Risk Management Dashboard.

This rule can help you work with the AWS Well-Architected Framework.

Security

Setting boundaries for the use of identity-based policies within your organization can help you address internal security compliance, protect sensitive and confidential data, and even prevent unexpected charges on your AWS bill. You can explicitly specify the IAM managed policies that are not allowed to be attached to IAM roles, users, or groups within your AWS cloud account. To adhere to Amazon Identity and Access Management (IAM) security best practices, you can either detach the unapproved IAM policies or approve them after a complete compliance review.

Audit

To determine if there are any unapproved Amazon IAM managed policies used within your AWS account, perform the following operations:

Using AWS Console

  1. Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Unapproved IAM Policy in Use rule settings and copy the name of the unapproved IAM managed policy that you want to examine.

  2. Sign in to AWS Management Console.

  3. Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

  4. In the left navigation panel, select Policies to access the list of the IAM managed policies available in your AWS account.

  5. Paste the name of the unapproved policy, copied at step no. 1, in the Search box and press Enter.

  6. Click on the name (link) of the IAM managed policy returned as search result.

  7. Select the Policy usage tab and check the Permissions section for the list of IAM identities (roles, users, and groups) associated with the selected policy. If the selected Amazon IAM managed policy is attached to one or more IAM identities, the unapproved policy is used within your AWS cloud account, therefore you must take action and decommission (detach) the selected IAM policy.

  8. Repeat steps no. 1 – 7 to determine the usage status for other unapproved Amazon IAM managed policies.

Using AWS CLI

  1. Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access Unapproved IAM Policy in Use rule settings and copy the Amazon Resource Name (ARN) of the unapproved IAM managed policy that you want to examine.

  2. Run get-policy command (OSX/Linux/UNIX) using the ARN of the unapproved IAM policy that you want to examine as identifier parameter and custom query filters to describe the number of IAM entities (users, groups, and roles) that the selected policy is attached to:

    aws iam get-policy
	--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
	--query 'Policy.{"AttachmentCount": AttachmentCount}'

  3. The command output should return the attachment count for the specified identity-based policy:

    {
    "AttachmentCount": 3
}

    If the "AttachmentCount" configuration attribute value is different than 0 (zero), as shown in the example above, the selected Amazon IAM managed policy is attached to one or more IAM identities, therefore the unapproved IAM policy is used within your AWS cloud account.

  4. Repeat steps no. 1 – 3 to determine the usage status for other unapproved Amazon IAM managed policies.

Remediation / Resolution

To ensure that all unapproved Amazon IAM managed policies are decommissioned within your AWS cloud account, perform the following operations:

Using AWS Console

  1. Sign in to AWS Management Console.

  2. Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

  3. In the left navigation panel, select Policies to access the list of the IAM managed policies available in your AWS account.

  4. Paste the name of the unapproved policy that you want to decommission in the Search box and press Enter.

  5. Click on the name (link) of the unapproved IAM policy returned as search result.

  6. Choose the Policy usage tab and perform the following actions:

    1. Select all IAM identities (roles, users, and groups) associated with the IAM managed policy and choose Detach.
    2. Inside the Detach Policy confirmation box, choose Detach.

  7. Repeat steps no. 4 – 6 to deactivate (detach) other unapproved Amazon IAM managed policies used within your AWS account.

Using AWS CLI

  1. Run list-entities-for-policy command (OSX/Linux/UNIX) using the ARN of the unapproved IAM policy that you want to decommission as identifier parameter and custom query filters to list the names of the IAM identities (roles, users, and groups) that the specified managed policy is attached to:

    aws iam list-entities-for-policy
	--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
	--query '{"PolicyGroups": PolicyGroups[*].GroupName, "PolicyUsers": PolicyUsers[*].UserName, "PolicyRoles": PolicyRoles[*].RoleName}'

  2. The command output should return the names of the IAM identities associated with the selected policy:

    {
    "PolicyGroups": [
        "cc-project5-iam-group"
    ],
    "PolicyUsers": [
        "cc-project5-db-user"
    ],
    "PolicyRoles": [
        "cc-rds-developer-role"
    ]
}

  3. Depending on the type of the IAM identity (role, user, or group) associated with your unapproved managed policy, execute one of the following commands:

    1. If the policy is attached to an IAM group, run detach-group-policy command (OSX/Linux/UNIX) to detach the selected managed policy from the specified IAM group. The following command example removes a managed, unapproved policy, identified by the ARN "arn:aws:iam::aws:policy/AmazonRDSFullAccess", from an IAM group named "cc-project5-iam-group" (the command does not produce an output): 
      	aws iam detach-group-policy
		--group-name cc-project5-iam-group
		--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
    2. If the policy is attached to an IAM user, run detach-user-policy command (OSX/Linux/UNIX) to detach the selected managed policy from the specified IAM user (the command does not return an output): 
      	aws iam detach-user-policy
		--user-name cc-project5-db-user
		--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess
    3. If the policy is attached to an IAM role, run detach-role-policy command (OSX/Linux/UNIX) to detach the selected managed policy from the specified IAM role (the command does not produce an output): 
      	aws aws iam detach-role-policy
		--role-name cc-rds-developer-role
		--policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess

  4. Repeat steps no. 1 – 3 to deactivate (detach) other unapproved Amazon IAM managed policies used within your AWS cloud account.

References

Publication date Dec 30, 2020

Related IAM rules