Medium

IAM Group inline policy is over permissive

Security & Compliance
Description

An IAM Group inline policy is over permissive when the policy embedded in the group grants more permissions than its members need to perform their intended function, for example a statement with Action "*" or "service:*", Resource "*" without a Condition, or a NotAction/NotResource element that allows everything except what is listed. Every user in the group inherits these permissions, so a single broad statement widens the blast radius of any compromised credential in the group. Inline policies are embedded in the group itself: they cannot be reused across groups, roles or users, they are deleted together with the group, and they do not appear in the account's list of policies, which makes them easy to overlook during access reviews. Customer managed policies are created separately, can be attached to multiple groups, roles and users, are listed and versioned as first-class IAM resources, and can be rolled back to a previous version if a change breaks something. For these reasons it is recommended to avoid inline policies on IAM Groups and to manage group permissions through managed policies scoped to the specific actions and resources the group requires.

Remediation

If an IAM group has an inline policy that is over permissive, you can take the following remediation steps:

  1. Retrieve the inline policy (for example with the IAM console or `aws iam get-group-policy`) and identify which statements are overly permissive (wildcard actions, wildcard resources without conditions, NotAction/NotResource) and which permissions the group members actually need. IAM Access Advisor (last accessed data) and CloudTrail show which services and actions the group's members have actually used.
  2. Create a new customer managed policy containing only the necessary permissions, scoped to specific actions and resource ARNs, and attach it to the group.
  3. Delete the inline policy from the group. Inline policies are embedded in the group, so they are deleted rather than detached, and this must happen only after the managed policy is attached so that members never lose access in between.
  4. Review the group membership and confirm that all members still have the permissions required for their job functions; members who were relying on the removed broad permissions for unrelated tasks should be moved to a more appropriate group.
  5. Monitor the group for changes (for example CloudTrail events such as PutGroupPolicy and AttachGroupPolicy) and periodically review the group's permissions to ensure they are still appropriate.
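The following Python example is added here to illustrate steps 1 through 3; it is not Lightlytics code. It flags the over-permissive statements in a constructed inline policy, derives a tighter starting document from the statements that were not flagged, and then performs the create/attach/delete sequence in the safe order through the boto3 IAM client methods `create_policy`, `attach_group_policy` and `delete_group_policy`. The group name, policy names, account ID and the policy document are all assumed sample values, and a small recording client stands in for `boto3.client("iam")` so the example runs offline; pass a real client to apply the change.

```python
"""Flag over-permissive statements in an IAM group inline policy and replace the
inline policy with a customer managed policy (added example, not Lightlytics code)."""
import json
from typing import Any, Dict, List

# Constructed sample inline policy a group might have accumulated over time.
OVER_PERMISSIVE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "NotActionTrap", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_over_permissive(policy: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per Allow statement element that is broader than a least-privilege grant."""
    findings: List[Dict[str, str]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            findings.append({"sid": sid, "reason": "NotAction allows every action except those listed"})
        if "NotResource" in stmt:
            findings.append({"sid": sid, "reason": "NotResource allows every resource except those listed"})
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append({"sid": sid, "reason": "Action * grants every API call"})
            elif action.endswith(":*"):
                findings.append({"sid": sid, "reason": f"{action} grants every action of the service"})
        # Some read-only actions genuinely need Resource "*"; flag it for review, not as proof.
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append({"sid": sid, "reason": "Resource * with no Condition"})
    return findings


def tighten_policy(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Starting point for the managed policy: keep only statements with no findings.
    A human still has to confirm the result covers the group's real workload (step 1)."""
    flagged = {f["sid"] for f in find_over_permissive(policy)}
    kept = [s for i, s in enumerate(_as_list(policy.get("Statement")))
            if s.get("Sid", f"Statement[{i}]") not in flagged]
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": kept}


def replace_inline_with_managed(iam: Any, group_name: str, inline_policy_name: str,
                                managed_policy_name: str, document: Dict[str, Any]) -> str:
    """Steps 2 and 3: create the managed policy, attach it, and only then delete the
    inline policy so group members never lose access in between. Returns the policy ARN."""
    created = iam.create_policy(PolicyName=managed_policy_name,
                                PolicyDocument=json.dumps(document),
                                Description=f"Replaces inline policy {inline_policy_name}")
    arn = created["Policy"]["Arn"]
    iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    iam.delete_group_policy(GroupName=group_name, PolicyName=inline_policy_name)
    return arn


class RecordingIamClient:
    """Offline stand-in for boto3.client("iam"); records calls in order. Assumed account ID."""
    def __init__(self) -> None:
        self.calls: List[Any] = []

    def create_policy(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("create_policy", kw))
        return {"Policy": {"Arn": f"arn:aws:iam::123456789012:policy/{kw['PolicyName']}"}}

    def attach_group_policy(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("attach_group_policy", kw))
        return {}

    def delete_group_policy(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("delete_group_policy", kw))
        return {}


if __name__ == "__main__":
    for f in find_over_permissive(OVER_PERMISSIVE_INLINE_POLICY):
        print(f"{f['sid']}: {f['reason']}")
    tightened = tighten_policy(OVER_PERMISSIVE_INLINE_POLICY)
    client = RecordingIamClient()  # swap for boto3.client("iam") to apply for real
    print(replace_inline_with_managed(client, "developers", "dev-inline", "developers-reports-read", tightened))
```

The delete is deliberately last: deleting the inline policy first would leave the group without permissions until the managed policy is attached, which is the kind of outage that tempts people to re-add the broad statement.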

Note that it is generally considered a best practice to manage IAM group permissions with customer managed policies rather than inline policies: managed policies are reusable, visible in the account's policy list, versioned, and easier to review and audit than policies embedded in individual groups.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.