Users Should Not Have Inline Policies
More Info:
IAM users should not have Inline policies. It is recommended that IAM policies be applied directly to groups and roles but not users.Risk Level
LowAddress
SecurityCompliance Standards
HIPAA, GDPR, CISAWS, CBP, NIST, SOC2, PCIDSS, HITRUST, NISTCSFTriage and Remediation
How to Prevent
Using Console
Using Console
To prevent users from having inline policies in AWS IAM using the AWS Management Console, follow these steps:
-
Navigate to IAM Dashboard:
- Sign in to the AWS Management Console.
- In the navigation bar, select “Services” and then choose “IAM” to open the IAM dashboard.
-
Review User Policies:
- In the IAM dashboard, select “Users” from the navigation pane.
- Click on each user to review their permissions.
- Under the “Permissions” tab, check for any inline policies attached directly to the user.
-
Remove Inline Policies:
- For each user with an inline policy, click on the “Inline Policies” section.
- Select the inline policy and choose “Delete Policy” to remove it.
-
Use Managed Policies:
- Instead of using inline policies, attach AWS managed policies or create and attach customer-managed policies.
- Go to the “Permissions” tab for each user, click “Add permissions,” and then choose “Attach policies directly.”
- Select the appropriate managed policies and click “Next: Review” and then “Add permissions.”
Using CLI
Using CLI
To prevent users from having inline policies in IAM using AWS CLI, you can follow these steps:
-
Create a Managed Policy:
- Instead of using inline policies, create a managed policy that can be attached to multiple users, groups, or roles.
- Use the following command to create a managed policy:
-
Attach Managed Policy to Users:
- Attach the newly created managed policy to the users who need it.
- Use the following command to attach the policy to a user:
-
List Inline Policies for Users:
- Regularly check for any inline policies attached to users to ensure compliance.
- Use the following command to list inline policies for a specific user:
-
Set Up IAM Policy to Restrict Inline Policies:
- Create an IAM policy that denies the creation of inline policies for users.
- Use the following command to create a policy that restricts inline policies:
Using Python
Using Python
To prevent users from having inline policies in IAM using Python scripts, you can follow these steps:Step 2: List Users and Check for Inline Policies
Use the following script to list all IAM users and check if they have any inline policies. If they do, you can log or take appropriate action.Step 2: List Users and Check for Inline Policies
Use the following script to list all users and check if they have any inline policies.Step 2: List Users and Check for Inline Policies
Use the following script to list all users and check if they have any inline policies.
1. AWS (Boto3 Library)
Step 1: Install Boto3 Ensure you have the Boto3 library installed. You can install it using pip if you haven’t already:2. Azure (Azure SDK for Python)
Step 1: Install Azure Identity and Management Libraries Ensure you have the Azure Identity and Management libraries installed:3. GCP (Google Cloud Client Library for Python)
Step 1: Install Google Cloud IAM Library Ensure you have the Google Cloud IAM library installed:Summary
- AWS: Use Boto3 to list users and check for inline policies.
- Azure: Use Azure SDK to list users and check for role assignments.
- GCP: Use Google Cloud IAM library to list service accounts and check for IAM policies.