Medium

Ensure IAM Role has no inline policy

Security & Compliance
APRA
AWS Well-Architected Framework
MAS
NIST4
FedRAMP
Description

The "Ensure IAM Role has no inline policy" rule verifies that no inline policies are attached to IAM roles. An inline policy is a policy that is embedded directly into the IAM role, as opposed to a managed policy that is separate and can be attached to multiple roles. Using managed policies is recommended as it enables reusability and easier management. This rule helps to ensure that permissions are managed centrally and that any changes can be made to a managed policy and take effect across all roles that the policy is attached to, rather than making individual changes to multiple inline policies.‍

Remediation

Here are the remediation steps to ensure IAM roles have no inline policies:

  1. Log in to the AWS Management Console and navigate to the IAM service.
  2. Click on "Roles" from the left-hand menu and select the role you want to modify.
  3. Click on the "Permissions" tab and then click on the inline policy name under "Inline policies."
  4. Click on "Delete policy" and then confirm the deletion.
  5. Repeat steps 3-4 for any additional inline policies attached to the role.
  6. Click on "Policies" from the left-hand menu and select "Create policy."
  7. Select the appropriate service and actions for the policy, and define any conditions or resource restrictions as necessary.
  8. Click on "Review policy" and give the policy a name and description.
  9. Click on "Create policy."
  10. Go back to the role and click on the "Permissions" tab.
  11. Click on "Attach policies."
  12. Select the newly created managed policy from the list and click on "Attach policy."
  13. Repeat steps 6-12 for any additional policies needed for the role.

By using managed policies instead of inline policies, you can better manage and control permissions across your IAM roles, which can lead to improved security and compliance.

Enforced Resources
IAM Role
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.