Users Should Not Have Inline Policies
More Info:
IAM users should not have Inline policies. It is recommended that IAM policies be applied directly to groups and roles but not users.
Risk Level
Low
Address
Security
Compliance Standards
HIPAA, GDPR, CISAWS, CBP, NIST, SOC2, PCIDSS, HITRUST, NISTCSF
Triage and Remediation
Remediation
To remediate the misconfiguration “Users Should Not Have Inline Policies” in AWS using the AWS console, follow these steps:

1. Log in to your AWS console.
2. Navigate to the IAM (Identity and Access Management) service.
3. Click on the “Users” tab on the left-hand side of the screen.
4. Select the IAM user(s) with inline policies that you want to remediate.
5. Click on the “Permissions” tab for the selected user(s).
6. Scroll down to the “Inline Policies” section and click on the inline policy that you want to remove.
7. Click on the “Delete” button to remove the inline policy.
8. Repeat steps 6 and 7 for all inline policies associated with the user(s).
9. Once all inline policies have been removed, click on the “Groups” tab for the selected user(s).
10. Add the user(s) to a group that has the appropriate permissions.
11. Click on the “Attach Policy” button to attach the necessary policies to the group.
12. Review the user(s) permissions and ensure that they have the appropriate access to resources.
13. Save the changes.

By following these steps, you can remediate the “Users Should Not Have Inline Policies” misconfiguration in AWS using the AWS console.
To remediate the misconfiguration “Users Should Not Have Inline Policies” in AWS using the AWS CLI, follow the steps below:

1. Identify the users who have inline policies attached to them. You can use the following AWS CLI command to list all the users with inline policies:

```bash
aws iam list-users | jq -r '.Users[].UserName' | while read user; do aws iam list-user-policies --user-name $user | jq -r ".PolicyNames[] | \"\($user) \(.),\""; done
```

This command will list all the users with their inline policies attached to them.

2. Once you have identified the users with inline policies, create a new IAM policy that defines the required permissions for the user.

```bash
aws iam create-policy --policy-name <policy-name> --policy-document file://<path-to-policy-file>
```

Replace `<policy-name>` with a name for your new policy and `<path-to-policy-file>` with the path to the policy file that defines the required permissions.

3. Attach the newly created policy to the user. You can use the following AWS CLI command to attach the policy to the user:

```bash
aws iam attach-user-policy --user-name <user-name> --policy-arn <policy-arn>
```

Replace `<user-name>` with the name of the user you want to attach the policy to and `<policy-arn>` with the ARN of the newly created policy.

4. Once the policy is attached, you can remove the inline policy from the user. You can use the following AWS CLI command to delete the inline policy:

```bash
aws iam delete-user-policy --user-name <user-name> --policy-name <policy-name>
```

Replace `<user-name>` with the name of the user you want to remove the inline policy from and `<policy-name>` with the name of the inline policy.

5. Repeat steps 2 to 4 for all the users with inline policies attached to them.

By following the above steps, you can remediate the misconfiguration “Users Should Not Have Inline Policies” in AWS using the AWS CLI.
To remediate the misconfiguration “Users Should Not Have Inline Policies” in AWS using Python, you can follow the steps below:

- First, you need to identify the users who have inline policies attached to them. You can use the `boto3` library to get the list of all users and their inline policies.

```python
import boto3

# Create IAM client
iam = boto3.client('iam')

# Get all IAM users; a paginator is used so that accounts with more than
# one page of users are fully covered
paginator = iam.get_paginator('list_users')

# Loop through each user and check for inline policies
for page in paginator.paginate():
    for user in page['Users']:
        policies = iam.list_user_policies(UserName=user['UserName'])
        if policies['PolicyNames']:
            print(f"User {user['UserName']} has inline policies attached to them.")
```
- Once you have identified the users with inline policies, you can remove the policies using the `delete_user_policy` method.

```python
import boto3

# Create IAM client
iam = boto3.client('iam')

# Get all IAM users (paginated, as above)
paginator = iam.get_paginator('list_users')

# Loop through each user, list their inline policies and delete each one
for page in paginator.paginate():
    for user in page['Users']:
        policies = iam.list_user_policies(UserName=user['UserName'])
        if policies['PolicyNames']:
            print(f"User {user['UserName']} has inline policies attached to them.")
            for policy in policies['PolicyNames']:
                iam.delete_user_policy(UserName=user['UserName'], PolicyName=policy)
            print(f"All inline policies removed for user {user['UserName']}.")
```
- After executing the above script, all the inline policies attached to the users will be removed. You can re-run the first script to confirm that no users have inline policies attached to them anymore.
Note: It is always recommended to use managed policies instead of inline policies for better security and easier management of permissions.
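The CLI and Python procedures above detect inline policies and delete them, with the replacement managed policy created as a separate step. The following is an added example, not code from the page or from the tool it documents, that ties the two together in one auditable function: it copies each inline policy document into a customer-managed policy, attaches that policy to a group, adds the user to the group (the console guidance above), and only then deletes the inline copy, so the user never loses access mid-migration. It also supports a dry run for review before anything is changed. `FakeIAM`, the user names `alice` and `bob`, the group `data-readers` and the account id `123456789012` are constructed stand-ins so the example runs offline; passing `boto3.client('iam')` in place of the fake runs it against a real account using the same boto3 method names.

```python
import copy
import json

# Constructed in-memory stand-in for boto3's IAM client. It implements only the calls
# used below, with the same names and keyword arguments as the real boto3 client.
class FakeIAM:
    def __init__(self, users, inline, groups):
        self.users = users      # list of user names
        self.inline = inline    # {user: {policy_name: policy_document_dict}}
        self.groups = groups    # {group: {'policies': set(arns), 'members': set(users)}}
        self.managed = {}       # {arn: policy_document_dict}

    def get_paginator(self, op):
        fake = self
        class Paginator:
            def paginate(self, **kw):
                if op == 'list_users':
                    yield {'Users': [{'UserName': u} for u in fake.users]}
                elif op == 'list_user_policies':
                    yield {'PolicyNames': sorted(fake.inline.get(kw['UserName'], {}))}
        return Paginator()

    def get_user_policy(self, UserName, PolicyName):
        # boto3 returns PolicyDocument already decoded into a dict
        return {'PolicyDocument': self.inline[UserName][PolicyName]}

    def create_policy(self, PolicyName, PolicyDocument, **kw):
        arn = f'arn:aws:iam::123456789012:policy/{PolicyName}'  # constructed account id
        self.managed[arn] = json.loads(PolicyDocument)
        return {'Policy': {'Arn': arn}}

    def attach_group_policy(self, GroupName, PolicyArn):
        self.groups[GroupName]['policies'].add(PolicyArn)

    def add_user_to_group(self, GroupName, UserName):
        self.groups[GroupName]['members'].add(UserName)

    def delete_user_policy(self, UserName, PolicyName):
        del self.inline[UserName][PolicyName]


def find_inline_policies(iam):
    """Return {user_name: [inline policy names]} for every user with at least one.
    Both list calls are paginated so large accounts are fully covered."""
    findings = {}
    for page in iam.get_paginator('list_users').paginate():
        for user in page['Users']:
            name = user['UserName']
            names = []
            for p in iam.get_paginator('list_user_policies').paginate(UserName=name):
                names.extend(p['PolicyNames'])
            if names:
                findings[name] = names
    return findings


def migrate_inline_policy(iam, user_name, policy_name, group_name, dry_run=True):
    """Move one inline policy to a customer-managed policy on a group, then delete
    the inline copy. The grant via the group happens before the delete."""
    doc = iam.get_user_policy(UserName=user_name, PolicyName=policy_name)['PolicyDocument']
    managed_name = f'{user_name}-{policy_name}'  # constructed naming scheme
    if dry_run:
        return {'action': 'would-migrate', 'managed_policy': managed_name, 'group': group_name}
    arn = iam.create_policy(PolicyName=managed_name,
                            PolicyDocument=json.dumps(doc))['Policy']['Arn']
    iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    iam.delete_user_policy(UserName=user_name, PolicyName=policy_name)
    return {'action': 'migrated', 'managed_policy': arn, 'group': group_name}


# Constructed sample account: alice has one inline policy, bob has none.
SAMPLE_USERS = ['alice', 'bob']
SAMPLE_INLINE = {
    'alice': {'s3-read': {'Version': '2012-10-17', 'Statement': [
        {'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::example-bucket/*'}]}},
    'bob': {},
}
SAMPLE_GROUPS = {'data-readers': {'policies': set(), 'members': set()}}


def make_sample_client():
    """Fresh fake client over a deep copy of the sample data, so runs are independent."""
    return FakeIAM(list(SAMPLE_USERS), copy.deepcopy(SAMPLE_INLINE), copy.deepcopy(SAMPLE_GROUPS))


def run_demo(dry_run=False):
    """Audit, migrate every finding into the data-readers group, and re-audit."""
    iam = make_sample_client()
    before = find_inline_policies(iam)
    results = [migrate_inline_policy(iam, u, p, 'data-readers', dry_run=dry_run)
               for u, policies in before.items() for p in policies]
    after = find_inline_policies(iam)
    return before, results, after


if __name__ == '__main__':
    print(run_demo(dry_run=True))
    print(run_demo())
```

Run `run_demo(dry_run=True)` first to see which managed policies and group memberships would be created, then `run_demo()` to apply them; the second audit returning an empty dict is the check that the finding is cleared. Against a real account the caller needs the IAM permissions the page's CLI section uses (list, get and delete user policies, create policy, attach group policy, add user to group).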