Users Should Not Have Inline Policies
More Info:
IAM users should not have inline policies. It is recommended that IAM policies be attached to groups and roles rather than directly to users.
Risk Level
Low
Address
Security
Compliance Standards
HIPAA, GDPR, CISAWS, CBP, NIST, SOC2, PCIDSS, HITRUST, NISTCSF
Triage and Remediation
How to Prevent
To prevent users from having inline policies in AWS IAM using the AWS Management Console, follow these steps:
- Navigate to IAM Dashboard:
  - Sign in to the AWS Management Console.
  - In the navigation bar, select “Services” and then choose “IAM” to open the IAM dashboard.
- Review User Policies:
  - In the IAM dashboard, select “Users” from the navigation pane.
  - Click on each user to review their permissions.
  - Under the “Permissions” tab, check for any inline policies attached directly to the user.
- Remove Inline Policies:
  - For each user with an inline policy, click on the “Inline Policies” section.
  - Select the inline policy and choose “Delete Policy” to remove it.
- Use Managed Policies:
  - Instead of using inline policies, attach AWS managed policies or create and attach customer-managed policies.
  - Go to the “Permissions” tab for each user, click “Add permissions,” and then choose “Attach policies directly.”
  - Select the appropriate managed policies and click “Next: Review” and then “Add permissions.”
By following these steps, you can ensure that users do not have inline policies, promoting better policy management and security practices.
To prevent users from having inline policies in IAM using AWS CLI, you can follow these steps:
- Create a Managed Policy:
  - Instead of using inline policies, create a managed policy that can be attached to multiple users, groups, or roles.
  - Use the following command to create a managed policy (policy.json holds the permissions that were previously inline):
    aws iam create-policy --policy-name MyManagedPolicy --policy-document file://policy.json
- Attach Managed Policy to Users:
  - Attach the newly created managed policy to the users who need it.
  - Use the following command to attach the policy to a user. A customer-managed policy's ARN contains your account ID (the arn:aws:iam::aws:policy/ prefix is reserved for AWS managed policies), so use the Arn returned by create-policy:
    aws iam attach-user-policy --user-name UserName --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/MyManagedPolicy
- List Inline Policies for Users:
  - Regularly check for any inline policies attached to users to ensure compliance.
  - Use the following command to list inline policies for a specific user (an empty PolicyNames list means the user is compliant):
    aws iam list-user-policies --user-name UserName
- Set Up IAM Policy to Restrict Inline Policies:
  - Create an IAM policy that denies the creation of inline policies for users. Only iam:PutUserPolicy is denied, so iam:DeleteUserPolicy stays available and existing inline policies can still be cleaned up.
  - Use the following command to create the policy. It has no effect until it is attached to the principals that administer IAM (or applied as a permissions boundary):
    aws iam create-policy --policy-name RestrictInlinePolicies --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "iam:PutUserPolicy",
          "Resource": "arn:aws:iam::*:user/*"
        }
      ]
    }'
By following these steps, you can prevent users from having inline policies in IAM using AWS CLI.
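To see what the RestrictInlinePolicies deny statement actually blocks once it is attached, the following Python is an added worked example, not code from the original page: a simplified IAM identity-policy evaluator (explicit Deny beats Allow, otherwise implicit deny; action and resource patterns use IAM's * and ? wildcards). The policy documents, the user and group ARNs and the account ID 123456789012 are constructed sample values, and the evaluator ignores conditions, resource-based policies, permissions boundaries and SCPs.

```python
import re


def _iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r'\*', '.*').replace(r'\?', '.')
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation for one request.

    Returns 'explicit_deny', 'allow' or 'implicit_deny'. Action names are compared
    case-insensitively and resource ARNs case-sensitively, as IAM does.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy['Statement']):
            action_hit = any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt['Action']))
            resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt['Resource']))
            if action_hit and resource_hit:
                if stmt['Effect'] == 'Deny':
                    return 'explicit_deny'  # an explicit Deny ends evaluation
                allowed = True
    return 'allow' if allowed else 'implicit_deny'


# Constructed sample policies: a broad Allow, as an administrator would carry, plus the
# RestrictInlinePolicies deny from the CLI section, both attached to the same principal.
ADMIN_ALLOW = {
    'Version': '2012-10-17',
    'Statement': [{'Effect': 'Allow', 'Action': '*', 'Resource': '*'}],
}
RESTRICT_INLINE = {
    'Version': '2012-10-17',
    'Statement': [{
        'Effect': 'Deny',
        'Action': 'iam:PutUserPolicy',
        'Resource': 'arn:aws:iam::*:user/*',
    }],
}

# Constructed sample ARNs; the account ID is a placeholder value
USER_ARN = 'arn:aws:iam::123456789012:user/alice'
GROUP_ARN = 'arn:aws:iam::123456789012:group/developers'


def demo():
    """Evaluate the requests that matter for this control and return the verdicts."""
    attached = [ADMIN_ALLOW, RESTRICT_INLINE]
    return {
        # creating an inline policy on a user is blocked even though '*' is allowed
        'put_user_policy': evaluate(attached, 'iam:PutUserPolicy', USER_ARN),
        # removing existing inline policies remains possible
        'delete_user_policy': evaluate(attached, 'iam:DeleteUserPolicy', USER_ARN),
        # group inline policies are outside the scope of this control
        'put_group_policy': evaluate(attached, 'iam:PutGroupPolicy', GROUP_ARN),
        # the deny alone grants nothing: without an Allow the result is implicit deny
        'deny_only_create_policy': evaluate([RESTRICT_INLINE], 'iam:CreatePolicy', '*'),
    }


if __name__ == '__main__':
    for request, verdict in demo().items():
        print(f'{request}: {verdict}')
```

The deny_only_create_policy case is why the CLI step says the policy has to be attached: a Deny never grants anything on its own, it only carves out what some other Allow would otherwise permit.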
To prevent users from having inline policies in IAM using Python scripts, you can follow these steps:
1. AWS (Boto3 Library)
Step 1: Install Boto3
Ensure you have the Boto3 library installed. You can install it using pip if you haven’t already:
pip install boto3
Step 2: List Users and Check for Inline Policies
Use the following script to list all IAM users and check if they have any inline policies. If they do, you can log or take appropriate action.
import boto3

# Initialize an IAM client (credentials and region come from the standard boto3 configuration)
iam = boto3.client('iam')

# Paginate so that accounts with more than one page of users are fully covered;
# a bare list_users() call returns only the first page.
for page in iam.get_paginator('list_users').paginate():
    for user in page['Users']:
        user_name = user['UserName']
        # Collect the inline policy names for this user across all pages
        inline_policy_names = []
        for policy_page in iam.get_paginator('list_user_policies').paginate(UserName=user_name):
            inline_policy_names.extend(policy_page['PolicyNames'])
        if inline_policy_names:
            print(f"User {user_name} has inline policies: {inline_policy_names}")
            # Take appropriate action, e.g., notify, log, or remove the inline policies
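The script above only reports. As an added example (not code from the original page), the following Python carries the check through to the remediation the page recommends: it paginates through users, collects each user's inline policy names, fetches the inline policy documents and produces, per policy, the managed-policy name and the create/attach/delete command sequence that replaces it. FakeIamClient and its users, policy names and documents are constructed sample data so the example runs offline; both functions accept a real boto3.client('iam') in its place. The account ID in the generated attach command is a placeholder.

```python
"""Detect IAM users that carry inline policies and draft their migration to managed policies."""
import json


def find_users_with_inline_policies(iam):
    """Return {user_name: [inline policy names]} for every user that has at least one.

    `iam` needs only get_paginator(), so a real boto3.client('iam') works here, as does
    the offline FakeIamClient below. Paginating both calls matters: a bare list_users()
    returns at most one page, so large accounts would be silently under-reported.
    """
    findings = {}
    for page in iam.get_paginator('list_users').paginate():
        for user in page['Users']:
            name = user['UserName']
            policy_names = []
            for policy_page in iam.get_paginator('list_user_policies').paginate(UserName=name):
                policy_names.extend(policy_page['PolicyNames'])
            if policy_names:
                findings[name] = policy_names
    return findings


def build_migration_plan(iam, findings):
    """For each inline policy found, fetch its document and return the managed-policy
    name, the document to save as <name>.json, and the CLI steps that replace it."""
    plan = []
    for user, policy_names in findings.items():
        for policy_name in policy_names:
            document = iam.get_user_policy(UserName=user, PolicyName=policy_name)['PolicyDocument']
            managed_name = f'{user}-{policy_name}'
            plan.append({
                'user': user,
                'inline_policy': policy_name,
                'managed_policy_name': managed_name,
                'document': document,
                'commands': [
                    f'aws iam create-policy --policy-name {managed_name} '
                    f'--policy-document file://{managed_name}.json',
                    # <ACCOUNT_ID> is a placeholder: use the Arn returned by create-policy
                    f'aws iam attach-user-policy --user-name {user} '
                    f'--policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/{managed_name}',
                    # deleted only after the managed policy is attached, so access is never interrupted
                    f'aws iam delete-user-policy --user-name {user} --policy-name {policy_name}',
                ],
            })
    return plan


class FakeIamClient:
    """Constructed sample data shaped like boto3 IAM responses, so the example runs offline."""

    _user_pages = [[{'UserName': 'alice'}, {'UserName': 'bob'}], [{'UserName': 'carol'}]]
    _inline = {'alice': ['s3-read'], 'bob': [], 'carol': ['dynamo-write', 'sns-publish']}
    _documents = {
        ('alice', 's3-read'): {'Version': '2012-10-17', 'Statement': [
            {'Effect': 'Allow', 'Action': ['s3:GetObject', 's3:ListBucket'], 'Resource': '*'}]},
        ('carol', 'dynamo-write'): {'Version': '2012-10-17', 'Statement': [
            {'Effect': 'Allow', 'Action': 'dynamodb:PutItem', 'Resource': '*'}]},
        ('carol', 'sns-publish'): {'Version': '2012-10-17', 'Statement': [
            {'Effect': 'Allow', 'Action': 'sns:Publish', 'Resource': '*'}]},
    }

    class _Paginator:
        def __init__(self, pages_for):
            self._pages_for = pages_for

        def paginate(self, **kwargs):
            return self._pages_for(**kwargs)

    def get_paginator(self, operation):
        if operation == 'list_users':
            return self._Paginator(lambda: [{'Users': page} for page in self._user_pages])
        if operation == 'list_user_policies':
            return self._Paginator(lambda UserName: [{'PolicyNames': self._inline[UserName]}])
        raise ValueError(f'unsupported operation: {operation}')

    def get_user_policy(self, UserName, PolicyName):
        return {'UserName': UserName, 'PolicyName': PolicyName,
                'PolicyDocument': self._documents[(UserName, PolicyName)]}


if __name__ == '__main__':
    client = FakeIamClient()  # replace with boto3.client('iam') to audit a real account
    for step in build_migration_plan(client, find_users_with_inline_policies(client)):
        print(f"{step['user']}: inline policy {step['inline_policy']} -> managed {step['managed_policy_name']}")
        print(json.dumps(step['document'], indent=2))
        print('\n'.join(step['commands']))
```

The order of the generated commands is deliberate: the managed policy is created and attached before the inline policy is deleted, so the user never loses permissions during the migration.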
2. Azure (Azure SDK for Python)
Step 1: Install Azure Identity and Management Libraries
Ensure you have the Azure Identity and Management libraries installed:
pip install azure-identity azure-mgmt-authorization
Step 2: List Users and Check for Direct Role Assignments
Azure has no inline policies; the closest equivalent is a role assignment made directly to a user rather than to a group. Use the following script to list such assignments across the subscription.
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Initialize credentials and client
credential = DefaultAzureCredential()
subscription_id = 'your-subscription-id'
client = AuthorizationManagementClient(credential, subscription_id)

# Walk every role assignment in the subscription, at every scope
for assignment in client.role_assignments.list_for_subscription():
    # Assignments whose principal is a user (rather than a group or service principal)
    # are the per-identity grants that should be moved to groups
    if assignment.principal_type == 'User':
        print(f"User {assignment.principal_id} has a direct role assignment: "
              f"{assignment.role_definition_id} at scope {assignment.scope}")
        # Take appropriate action, e.g., notify, log, or reassign the role to a group
3. GCP (Google Cloud Client Library for Python)
Step 1: Install Google Cloud IAM Library
Ensure you have the Google Cloud IAM library installed:
pip install google-cloud-iam
Step 2: List Service Accounts and Check Their IAM Policies
Use the following script to list all service accounts in a project and report the roles granted on each of them.
from google.cloud import iam_admin_v1

# Initialize the IAM admin client (service-account management API)
client = iam_admin_v1.IAMClient()

# List all service accounts in the project; the pager fetches every page transparently
project_id = 'your-project-id'
for account in client.list_service_accounts(name=f'projects/{project_id}'):
    # Get the IAM policy attached to the service account itself
    policy = client.get_iam_policy(resource=account.name)
    for binding in policy.bindings:
        # Members are strings such as 'serviceAccount:name@project.iam.gserviceaccount.com'
        if any(member.startswith('serviceAccount:') for member in binding.members):
            print(f"Service Account {account.email} grants {binding.role} to: {list(binding.members)}")
            # Take appropriate action, e.g., notify, log, or remove the binding
Summary
- AWS: Use Boto3 to list users and check for inline policies.
- Azure: Use Azure SDK to list users and check for role assignments.
- GCP: Use Google Cloud IAM library to list service accounts and check for IAM policies.
These scripts will help you identify users with inline policies, allowing you to take further action to prevent such configurations.