📁 AWS IAM User has inline or directly attached policies 🟢

  • Contextual name: 📁 User has inline or directly attached policies 🟢
  • ID: /ce/ca/aws/iam/delete-user-inline-or-directly-attached-policies
  • Located in: 📁 AWS IAM

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-4157c58a1

Logic

Description

IAM users are granted access to services, functions, and data through IAM policies. There are four ways to define policies for a user:

  1. Edit the user policy directly (an inline, or user, policy).
  2. Attach a managed policy directly to the user.
  3. Add the user to an IAM group that has an attached policy.
  4. Add the user to an IAM group that has an inline policy.

Only the third implementation is recommended.

Rationale

Assigning IAM policy only through groups unifies permissions management to a single, flexible layer consistent with organizational functional roles. By unifying permissions management, the likelihood of excessive permissions is reduced.

Audit

Perform the following to determine if an inline policy is set or a policy is directly attached to users:

  1. Run the following to get a list of IAM users:

     aws iam list-users --query 'Users[*].UserName' --output text

  2. For each user returned, run the following command to determine if any policies are attached to them:

     aws iam list-attached-user-policies --user-name <iam_user>

... [see more](description.md)

Remediation

Perform the following to create an IAM group and assign a policy to it:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups and then click Create New Group.
  3. In the Group Name box, type the name of the group and then click Next Step.
  4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click Next Step.
  5. Click Create Group.

Perform the following to add a user to a given group:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups.
  3. Select the group to add a user to.
  4. Click Add Users To Group.
  5. Select the users to be added to the group.
  6. Click Add Users.

Perform the following to remove a direct association between a user and policy:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

... see more
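The audit above is written as console and CLI steps, and the remediation as console clicks. The following script is an added example (not Cloudaware's policy code, and not the CIS benchmark's own script) that automates both halves with the AWS CLI: it lists users, inspects each user's attached and inline policies, and drafts the CLI commands that move a user's direct permissions onto a group. The decision logic is kept separate from the CLI calls so it can be exercised offline on constructed sample data; the target group name and the sample users, policy ARNs and inline policy names are all hypothetical.

```python
"""Audit IAM users for inline or directly attached policies and draft a
group-based remediation. Added example; assumes the AWS CLI is configured for
the account being audited when audit_live_account() is used."""
import json
import subprocess
from dataclasses import dataclass, field


@dataclass
class UserPolicyReport:
    user_name: str
    attached_policy_arns: list = field(default_factory=list)
    inline_policy_names: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # A user is compliant only when it receives permissions solely through groups.
        return not self.attached_policy_arns and not self.inline_policy_names


def aws_cli(*args):
    """Run an AWS CLI command and return its parsed JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def build_report(user_name, attached_json, inline_json):
    """Turn the JSON from `aws iam list-attached-user-policies` and
    `aws iam list-user-policies` into a UserPolicyReport."""
    arns = [p["PolicyArn"] for p in attached_json.get("AttachedPolicies", [])]
    names = list(inline_json.get("PolicyNames", []))
    return UserPolicyReport(user_name, arns, names)


def audit_users(user_names, fetch_attached, fetch_inline):
    """Return a report for every non-compliant user. fetch_attached and
    fetch_inline take a user name, so the live CLI can be swapped for fixtures."""
    findings = []
    for name in user_names:
        report = build_report(name, fetch_attached(name), fetch_inline(name))
        if not report.compliant:
            findings.append(report)
    return findings


def remediation_commands(report, group_name):
    """Draft the CLI steps that move a user's direct permissions onto a group.
    group_name is a hypothetical target chosen by the operator; the commands
    are returned as strings for review, not executed."""
    user = report.user_name
    cmds = [f"aws iam create-group --group-name {group_name}",
            f"aws iam add-user-to-group --group-name {group_name} --user-name {user}"]
    for arn in report.attached_policy_arns:
        # Managed policy: attach the same ARN to the group, then detach it from the user.
        cmds.append(f"aws iam attach-group-policy --group-name {group_name} --policy-arn {arn}")
        cmds.append(f"aws iam detach-user-policy --user-name {user} --policy-arn {arn}")
    for name in report.inline_policy_names:
        # Inline policy: no ARN exists, so export the document, re-create it on
        # the group (operator saves it as <name>.json), then delete it from the user.
        cmds.append(f"aws iam get-user-policy --user-name {user} --policy-name {name}")
        cmds.append(f"aws iam put-group-policy --group-name {group_name} "
                    f"--policy-name {name} --policy-document file://{name}.json")
        cmds.append(f"aws iam delete-user-policy --user-name {user} --policy-name {name}")
    return cmds


def audit_live_account():
    """Run the audit against the account the AWS CLI is configured for."""
    users = aws_cli("iam", "list-users", "--query", "Users[*].UserName")
    return audit_users(
        users,
        lambda u: aws_cli("iam", "list-attached-user-policies", "--user-name", u),
        lambda u: aws_cli("iam", "list-user-policies", "--user-name", u),
    )


# Constructed sample responses in the shape the two CLI commands return.
SAMPLE_ATTACHED = {
    "alice": {"AttachedPolicies": []},
    "bob": {"AttachedPolicies": [{"PolicyName": "AdministratorAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    "carol": {"AttachedPolicies": []},
}
SAMPLE_INLINE = {
    "alice": {"PolicyNames": []},
    "bob": {"PolicyNames": []},
    "carol": {"PolicyNames": ["s3-bucket-rw"]},
}


def audit_sample():
    """Offline run over the constructed data above."""
    return audit_users(sorted(SAMPLE_ATTACHED),
                       SAMPLE_ATTACHED.__getitem__, SAMPLE_INLINE.__getitem__)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding.user_name}: attached={finding.attached_policy_arns} "
              f"inline={finding.inline_policy_names}")
        for cmd in remediation_commands(finding, f"{finding.user_name}-group"):
            print("   ", cmd)
```

Running the script prints the two non-compliant sample users (bob with a directly attached managed policy, carol with an inline policy) and the drafted commands for each. Replace `audit_sample()` with `audit_live_account()` to audit a real account; the detach and delete commands are listed last so that permissions are granted through the group before they are removed from the user.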

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 1 Identity and access management controls would ideally ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. Access is typically granted to users, special purpose system accounts, and information assets such as services and other software.33
💼 APRA CPG 234 → 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes.88
💼 APRA CPG 234 → 💼 16c information security operations and administration;22
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3436
💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production;55
💼 APRA CPG 234 → 💼 b. access to, and configuration of, information assets is restricted to the minimum required to achieve business objectives. This is typically referred to as the principle of ‘least privilege’ and aims to reduce the number of attack vectors that can be used to compromise information security;33
💼 APRA CPG 234 → 💼 h. segregation of duties is enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of a single individual to compromise information security;33
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.2] IAM users should not have IAM policies attached11
💼 CIS AWS v1.2.0 → 💼 1.16 Ensure IAM policies are attached only to groups or roles11
💼 CIS AWS v1.3.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups11
💼 CIS AWS v1.4.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups11
💼 CIS AWS v1.5.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups - Level 1 (Automated)11
💼 CIS AWS v2.0.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups - Level 1 (Automated)11
💼 CIS AWS v3.0.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups - Level 1 (Automated)11
💼 CIS AWS v4.0.0 → 💼 1.15 Ensure IAM users receive permissions only through groups (Automated)1
💼 CIS AWS v4.0.1 → 💼 1.15 Ensure IAM users receive permissions only through groups (Automated)1
💼 CIS AWS v5.0.0 → 💼 1.14 Ensure IAM users receive permissions only through groups (Automated)1
💼 Cloudaware Framework → 💼 User Account Management14
💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)10931
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)16
💼 FedRAMP High Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)67
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)3747
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)81133
💼 FedRAMP High Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)44
💼 FedRAMP High Security Controls → 💼 AC-6(3) Network Access to Privileged Commands (H)12
💼 FedRAMP High Security Controls → 💼 AC-6(7) Review of User Privileges (M)(H)22
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)61420
💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)3
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)47
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)120
💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)931
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)16
💼 FedRAMP Moderate Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)7
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)47
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)633
💼 FedRAMP Moderate Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)4
💼 FedRAMP Moderate Security Controls → 💼 AC-6(7) Review of User Privileges (M)(H)2
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)420
💼 GDPR → 💼 Art. 25 Data protection by design and by default1010
💼 GDPR → 💼 Art. 32 Security of processing55
💼 ISO/IEC 27001:2013 → 💼 A.9.2.2 User access provisioning44
💼 ISO/IEC 27001:2022 → 💼 5.3 Segregation of duties22
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control1416
💼 ISO/IEC 27001:2022 → 💼 5.18 Access rights46
💼 ISO/IEC 27001:2022 → 💼 8.2 Privileged access rights77
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction1011
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events1928
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2124
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1922
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1735
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions48
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1922
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented4351
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events83
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events59
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization23
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions8
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated22
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage40
💼 NIST SP 800-53 Revision 4 → 💼 AC-2 ACCOUNT MANAGEMENT1322
💼 NIST SP 800-53 Revision 4 → 💼 AC-5 SEPARATION OF DUTIES33
💼 NIST SP 800-53 Revision 4 → 💼 AC-6 LEAST PRIVILEGE1022
💼 NIST SP 800-53 Revision 4 → 💼 IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION411
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management131730
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management416
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement15417
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control7
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control10
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege102126
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(1) Least Privilege _ Authorize Access to Security Functions22
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands2
💼 NIST SP 800-53 Revision 5 → 💼 AU-9(4) Protection of Audit Information _ Access by Subset of Privileged Users22
💼 PCI DSS v3.2.1 → 💼 7.2.1 Coverage of all system components.5
💼 PCI DSS v4.0.1 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.5
💼 PCI DSS v4.0 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.5