Users Should Not Have Inline Policies

More Info:

IAM users should not have Inline policies. It is recommended that IAM policies be applied directly to groups and roles but not users.

Risk Level

Low

Address

Security

Compliance Standards

HIPAA, GDPR, CISAWS, CBP, NIST, SOC2, PCIDSS, HITRUST, NISTCSF

Triage and Remediation

Prevention
Cause
Remediation

How to Prevent

Using Console

To prevent users from having inline policies in AWS IAM using the AWS Management Console, follow these steps:

Navigate to IAM Dashboard:
- Sign in to the AWS Management Console.
- In the navigation bar, select “Services” and then choose “IAM” to open the IAM dashboard.
Review User Policies:
- In the IAM dashboard, select “Users” from the navigation pane.
- Click on each user to review their permissions.
- Under the “Permissions” tab, check for any inline policies attached directly to the user.
Remove Inline Policies:
- For each user with an inline policy, click on the “Inline Policies” section.
- Select the inline policy and choose “Delete Policy” to remove it.
Use Managed Policies:
- Instead of using inline policies, attach AWS managed policies or create and attach customer-managed policies.
- Go to the “Permissions” tab for each user, click “Add permissions,” and then choose “Attach policies directly.”
- Select the appropriate managed policies and click “Next: Review” and then “Add permissions.”

By following these steps, you can ensure that users do not have inline policies, promoting better policy management and security practices.

Using CLI

To prevent users from having inline policies in IAM using AWS CLI, you can follow these steps:

Create a Managed Policy:
- Instead of using inline policies, create a managed policy that can be attached to multiple users, groups, or roles.
- Use the following command to create a managed policy:
  aws iam create-policy --policy-name MyManagedPolicy --policy-document file://policy.json
Attach Managed Policy to Users:
- Attach the newly created managed policy to the users who need it.
- Use the following command to attach the policy to a user:
  aws iam attach-user-policy --user-name UserName --policy-arn arn:aws:iam::aws:policy/MyManagedPolicy
List Inline Policies for Users:
- Regularly check for any inline policies attached to users to ensure compliance.
- Use the following command to list inline policies for a specific user:
  aws iam list-user-policies --user-name UserName

Set Up IAM Policy to Restrict Inline Policies:

Create an IAM policy that denies the creation of inline policies for users.

Use the following command to create a policy that restricts inline policies:

aws iam create-policy --policy-name RestrictInlinePolicies --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "iam:PutUserPolicy",
        "iam:DeleteUserPolicy"
      ],
      "Resource": "arn:aws:iam::*:user/*"
    }
  ]
}'

By following these steps, you can prevent users from having inline policies in IAM using AWS CLI.

Using Python

To prevent users from having inline policies in IAM using Python scripts, you can follow these steps:

1. AWS (Boto3 Library)

Step 1: Install Boto3 Ensure you have the Boto3 library installed. You can install it using pip if you haven’t already:

pip install boto3

Step 2: List Users and Check for Inline Policies Use the following script to list all IAM users and check if they have any inline policies. If they do, you can log or take appropriate action.

import boto3

# Initialize a session using Amazon IAM
iam = boto3.client('iam')

# List all IAM users
users = iam.list_users()

for user in users['Users']:
    user_name = user['UserName']
    # List inline policies for each user
    inline_policies = iam.list_user_policies(UserName=user_name)
    
    if inline_policies['PolicyNames']:
        print(f"User {user_name} has inline policies: {inline_policies['PolicyNames']}")
        # Take appropriate action, e.g., notify, log, or remove the inline policies

2. Azure (Azure SDK for Python)

Step 1: Install Azure Identity and Management Libraries Ensure you have the Azure Identity and Management libraries installed:

pip install azure-identity azure-mgmt-authorization

Step 2: List Users and Check for Inline Policies Use the following script to list all users and check if they have any inline policies.

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Initialize credentials and client
credential = DefaultAzureCredential()
subscription_id = 'your-subscription-id'
client = AuthorizationManagementClient(credential, subscription_id)

# List all users (service principals)
users = client.service_principals.list()

for user in users:
    user_id = user.object_id
    # List role assignments for each user
    role_assignments = client.role_assignments.list_for_scope(f'/subscriptions/{subscription_id}/providers/Microsoft.Authorization/servicePrincipals/{user_id}')
    
    for role_assignment in role_assignments:
        if role_assignment.properties.role_definition_id:
            print(f"User {user.display_name} has role assignments: {role_assignment.properties.role_definition_id}")
            # Take appropriate action, e.g., notify, log, or remove the inline policies

3. GCP (Google Cloud Client Library for Python)

Step 1: Install Google Cloud IAM Library Ensure you have the Google Cloud IAM library installed:

pip install google-cloud-iam

Step 2: List Users and Check for Inline Policies Use the following script to list all users and check if they have any inline policies.

from google.cloud import iam_v1

# Initialize the IAM client
client = iam_v1.IAMClient()

# List all service accounts (users)
project_id = 'your-project-id'
service_accounts = client.list_service_accounts(name=f'projects/{project_id}')

for account in service_accounts.accounts:
    account_name = account.name
    # Get IAM policy for each service account
    policy = client.get_iam_policy(resource=account_name)
    
    for binding in policy.bindings:
        if 'serviceAccount' in binding.members:
            print(f"Service Account {account.email} has roles: {binding.role}")
            # Take appropriate action, e.g., notify, log, or remove the inline policies

Summary

AWS: Use Boto3 to list users and check for inline policies.
Azure: Use Azure SDK to list users and check for role assignments.
GCP: Use Google Cloud IAM library to list service accounts and check for IAM policies.

These scripts will help you identify users with inline policies, allowing you to take further action to prevent such configurations.

Check Cause

Using Console

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose “Users”. This will display a list of all IAM users associated with the current AWS account.
Click on the name of the user you want to check for inline policies. This will open the summary page for that user.
In the “Permissions” tab, look for the “Inline Policies” section. If there are any inline policies attached to the user, they will be listed here. If this section is empty, it means the user does not have any inline policies.

Using CLI

Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands: Installation:
```
pip install awscli
```
Configuration:
```
aws configure
```
You will be prompted to provide your AWS Access Key ID, Secret Access Key, default region name, and default output format.
List all IAM users: Use the following AWS CLI command to list all IAM users in your AWS account:
```
aws iam list-users
```
This command will return a JSON object with details of all IAM users.
For each user, list all inline policies: For each IAM user, you can list all inline policies attached to that user by using the following AWS CLI command:
```
aws iam list-user-policies --user-name <username>
```
Replace <username> with the name of the IAM user. This command will return a JSON object with details of all inline policies attached to the specified IAM user.
Check for inline policies: If the list-user-policies command returns any policies, it means that the user has inline policies attached. This is a misconfiguration as users should not have inline policies. Instead, they should have managed policies which are easier to manage and provide better control over permissions.

Using Python

Install and configure AWS SDK for Python (Boto3): You need to install Boto3 in your Python environment. You can do this using pip:
```
pip install boto3
```
After installing Boto3, you need to configure it with your AWS credentials. You can do this by setting the following environment variables:
```
AWS_ACCESS_KEY_ID = 'your_access_key'
AWS_SECRET_ACCESS_KEY = 'your_secret_key'
```
Import necessary libraries and create an IAM client: You need to import Boto3 and create an IAM client to interact with AWS IAM. Here is how you can do it:
```
import boto3

# Create IAM client
iam = boto3.client('iam')
```

List all IAM users and their inline policies: You can use the list_users method to get all IAM users and the list_user_policies method to get all inline policies for each user. Here is how you can do it:

# List all users
users = iam.list_users()
for user in users['Users']:
    # List all inline policies for each user
    inline_policies = iam.list_user_policies(UserName=user['UserName'])
    if inline_policies['PolicyNames']:
        print(f"User {user['UserName']} has inline policies: {inline_policies['PolicyNames']}")

Analyze the output: The script will print the usernames of all users who have inline policies and the names of these policies. If there are no such users, the script will not print anything. This way, you can easily detect if there are any users with inline policies in your AWS account.

Remediation

Using Console

To remediate the misconfiguration “Users Should Not Have Inline Policies” in AWS using the AWS console, follow these steps:

Log in to your AWS console.
Navigate to the IAM (Identity and Access Management) service.
Click on the “Users” tab on the left-hand side of the screen.
Select the IAM user(s) with inline policies that you want to remediate.
Click on the “Permissions” tab for the selected user(s).
Scroll down to the “Inline Policies” section and click on the inline policy that you want to remove.
Click on the “Delete” button to remove the inline policy.
Repeat steps 6 and 7 for all inline policies associated with the user(s).
Once all inline policies have been removed, click on the “Groups” tab for the selected user(s).
Add the user(s) to a group that has the appropriate permissions.
Click on the “Attach Policy” button to attach the necessary policies to the group.
Review the user(s) permissions and ensure that they have the appropriate access to resources.
Save the changes.

By following these steps, you can remediate the “Users Should Not Have Inline Policies” misconfiguration in AWS using the AWS console.

Using CLI

To remediate the misconfiguration “Users Should Not Have Inline Policies” in AWS using AWS CLI, follow the below steps:

Identify the users who have inline policies attached to them. You can use the following AWS CLI command to list all the users with inline policies:
```
aws iam list-users | jq -r '.Users[].UserName' | while read user; do aws iam list-user-policies --user-name $user | jq -r ".PolicyNames[] | \"\($user) \(.),\""; done
```
This command will list all the users with their inline policies attached to them.
Once you have identified the users with inline policies, create a new IAM policy that defines the required permissions for the user.
```
aws iam create-policy --policy-name <policy-name> --policy-document file://<path-to-policy-file>
```
Replace <policy-name> with a name for your new policy and <path-to-policy-file> with the path to the policy file that defines the required permissions.
Attach the newly created policy to the user. You can use the following AWS CLI command to attach the policy to the user:
```
aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
```
Replace <user-name> with the name of the user you want to attach the policy to and <policy-arn> with the ARN of the newly created policy.
Once the policy is attached, you can remove the inline policy from the user. You can use the following AWS CLI command to delete the inline policy:
```
aws iam delete-user-policy --user-name <user-name> --policy-name <policy-name>
```
Replace <user-name> with the name of the user you want to remove the inline policy from and <policy-name> with the name of the inline policy.
Repeat steps 2 to 4 for all the users with inline policies attached to them.

By following the above steps, you can remediate the misconfiguration “Users Should Not Have Inline Policies” in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Users Should Not Have Inline Policies” in AWS using Python, you can follow the below steps:

First, you need to identify the users who have inline policies attached to them. You can use the boto3 library to get the list of all users and their attached policies.

import boto3

# Create IAM client
iam = boto3.client('iam')

# Get all IAM users
users = iam.list_users()

# Loop through each user and get their attached policies
for user in users['Users']:
    policies = iam.list_user_policies(UserName=user['UserName'])
    if policies['PolicyNames']:
        print(f"User {user['UserName']} has inline policies attached to them.")

Once you have identified the users with inline policies, you can remove the policies using the delete_user_policy method.

import boto3

# Create IAM client
iam = boto3.client('iam')

# Get all IAM users
users = iam.list_users()

# Loop through each user and get their attached policies
for user in users['Users']:
    policies = iam.list_user_policies(UserName=user['UserName'])
    if policies['PolicyNames']:
        print(f"User {user['UserName']} has inline policies attached to them.")
        for policy in policies['PolicyNames']:
            iam.delete_user_policy(UserName=user['UserName'], PolicyName=policy)
        print(f"All inline policies removed for user {user['UserName']}.")

After executing the above script, all the inline policies attached to the users will be removed. You can re-run the first script to confirm that no users have inline policies attached to them anymore.

Note: It is always recommended to use managed policies instead of inline policies for better security and easier management of permissions.

Additional Reading:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Users Should Not Have Inline Policies

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

1. AWS (Boto3 Library)

2. Azure (Azure SDK for Python)

3. GCP (Google Cloud Client Library for Python)

Summary

Check Cause

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Documentation Index

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​1. AWS (Boto3 Library)

​2. Azure (Azure SDK for Python)

​3. GCP (Google Cloud Client Library for Python)

​Summary

​Check Cause

​Remediation

​

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

1. AWS (Boto3 Library)

2. Azure (Azure SDK for Python)

3. GCP (Google Cloud Client Library for Python)

Summary

Check Cause

Remediation

Additional Reading: