Group With Inline Policies

This plugin guarantees that there are no inline policies for groups.

Risk Level: MEDIUM

Description: 

This plugin guarantees that there are no inline policies for groups. Over inline policies, Managed Policies are preferred by this plugin.

PingSafe strongly recommends removing inline policies attached to groups.

About the Service :

AWS ID and Access Management (IAM) allows you to securely manage access to AWS services and resources. With IAM, AWS users and groups can be established and managed and permissions used to enable access by AWS resources and prohibit them.

We can discover and adjust the rules so that only the services are accessible. We can thus adhere better to the less privileged principle.

Impact : 

In case we are using inline policies(embedded policies) instead of managed policies, it would be difficult to manage the access permission to the AWS account.

Steps to reproduce :

  1. Sign-in to AWS management console.
  2. Navigate to the “IAM” dashboard.
    https://console.aws.amazon.com/iamv2/ 
  3. Select “User Groups” in the left panel and click on the group you want to examine.
  4. In the “Permissions”  tab select an inline policy to examine under “Inline policy”.
  5. If one or more inline policies are listed that means it is not following the best practices.
  6. Repeat the steps for more such groups.

Steps for remediation :

  1. Sign-in to AWS management console.
  2. Navigate to the “IAM” dashboard.
    https://console.aws.amazon.com/iamv2/ 
  3. Select “User Groups” in the left panel and click on the group you want to examine.
  4. In the “Permissions”  tab select an inline policy to examine under “Inline policy”.
  5. Click on a link to each Show policy and copy each policy document in a text file under the “Inline Policies” section. Click on the “Remove policy” link for each inline policy to delete the policies from the group configuration once the available policies have been copied.
  6. Choose “Policies” from the left navigation panel and click “Create Policy” from the top menu of the IAM dashboard.
  7. Choose to build your own policy on the Creating Policies page, by selecting "Create Your Own Policy".
  8. Enter a name for your new managed policy in the “Policy Name” box, enter a short description for the policy in the “Description” textbox, paste the inline policy content copied in the “Policy Document” textbox, and Click Validate Policy button to validate the policy then click Create Policy to save it, on the "Review Policy" page.
  9. In "Groups", click on the selected IAM group name to access its configuration page and then select the "Permissions" tab and click the "Attach Policy" button to attach the new managed policy created earlier.
  10. Choose from the filter menu and choose the newly generated policy "Customer Managed Policies".
  11. To attach the selected policy to IAM group Click "Attach Policy".
  12. Repeat the steps for other groups with Inline policies.

References: