
πŸ›‘οΈ AWS IAM User has inline or directly attached policies🟒

  • Contextual name: πŸ›‘οΈ User has inline or directly attached policies🟒
  • ID: /ce/ca/aws/iam/delete-user-inline-or-directly-attached-policies
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

  • Rule: ✉️ dec-x-4157c58a1

Description

IAM users are granted access to services, functions, and data through IAM policies. There are four ways to give a user policy permissions:

  1. Edit the user's policy directly (an inline, or user, policy).
  2. Attach a managed policy directly to the user.
  3. Add the user to an IAM group that has a managed policy attached.
  4. Add the user to an IAM group that has an inline policy.

Only the third option is recommended: users should receive permissions solely through membership in groups with attached managed policies.

Rationale

Assigning IAM policies only through groups unifies permissions management into a single, flexible layer that maps to organizational functional roles. Managing permissions in one place makes it harder for excessive permissions to accumulate on individual users and easier to review who can do what.

Audit

Perform the following to determine whether an inline policy is set or a policy is directly attached to any user:

  1. Run the following to get a list of IAM users:
aws iam list-users --query 'Users[*].UserName' --output text
  2. For each user returned, run the following command to determine whether any managed policies are attached directly to them:
aws iam list-attached-user-policies --user-name <iam_user>

Note that list-attached-user-policies reports only managed policies attached directly to the user; inline (user) policies are returned by a separate call, list-user-policies, so a complete audit must check both. A user is compliant only when both lists are empty.

Remediation

Perform the following to create an IAM group and assign a policy to it:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups and then click Create New Group.
  3. In the Group Name box, type the name of the group and then click Next Step.
  4. In the list of policies, select the check box for each policy that you want to apply to all members of the group. Then click Next Step.
  5. Click Create Group.

Perform the following to add a user to a given group:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, click Groups.
  3. Select the group to add a user to.
  4. Click Add Users To Group.
  5. Select the users to be added to the group.
  6. Click Add Users.

Perform the following to remove a direct association between a user and policy:

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

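
The audit and remediation above, combined into one script as an added example (this is not the page's or Cloudaware's own code). The evaluation and command-generation helpers take the JSON shapes that the real calls `aws iam list-attached-user-policies` and `aws iam list-user-policies` return, so they run offline on constructed data; only fetch_findings() talks to AWS and assumes boto3 and credentials. The group name `s3-readers`, the user names, the inline policy name and the exported file names are made up for illustration.

```python
"""Audit IAM users for inline or directly attached policies and emit the
CLI commands that move those permissions onto a group.

Added example, not Cloudaware's policy code. evaluate_user() and
remediation_commands() work on the response shapes of the real IAM calls
list-attached-user-policies and list-user-policies; fetch_findings() is the
only part that needs boto3 and AWS credentials. Sample data is constructed.
"""
from dataclasses import dataclass


@dataclass
class UserFinding:
    user_name: str
    attached: list   # ARNs of managed policies attached directly to the user
    inline: list     # names of inline (user) policies

    @property
    def compliant(self) -> bool:
        # Compliant only when the user carries no policy of either kind;
        # any permissions must then come through group membership.
        return not self.attached and not self.inline


def evaluate_user(user_name, attached_resp, inline_resp):
    """Build a finding from list-attached-user-policies and list-user-policies output.

    Checking only the attached list is not enough: it reports managed
    policies, while inline policies appear only in list-user-policies.
    """
    attached = [p["PolicyArn"] for p in attached_resp.get("AttachedPolicies", [])]
    inline = list(inline_resp.get("PolicyNames", []))
    return UserFinding(user_name, attached, inline)


def remediation_commands(finding, group_name):
    """AWS CLI commands that re-home a user's direct permissions onto a group.

    Order matters: grant through the group first, then remove the direct
    grants, so the user never loses access mid-migration. Inline documents
    are exported with get-user-policy and re-created on the group with
    put-group-policy before the user copy is deleted (file names assumed).
    """
    if finding.compliant:
        return []
    u = finding.user_name
    cmds = []
    for arn in finding.attached:
        cmds.append(f"aws iam attach-group-policy --group-name {group_name} --policy-arn {arn}")
    for name in finding.inline:
        cmds.append(f"aws iam get-user-policy --user-name {u} --policy-name {name} "
                    f"--query PolicyDocument --output json > {name}.json")
        cmds.append(f"aws iam put-group-policy --group-name {group_name} --policy-name {name} "
                    f"--policy-document file://{name}.json")
    cmds.append(f"aws iam add-user-to-group --group-name {group_name} --user-name {u}")
    for arn in finding.attached:
        cmds.append(f"aws iam detach-user-policy --user-name {u} --policy-arn {arn}")
    for name in finding.inline:
        cmds.append(f"aws iam delete-user-policy --user-name {u} --policy-name {name}")
    return cmds


def fetch_findings(iam=None):
    """Walk every IAM user in the account (all pages) and evaluate it. Needs boto3."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    iam = iam or boto3.client("iam")
    findings = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            attached = {"AttachedPolicies": []}
            for p in iam.get_paginator("list_attached_user_policies").paginate(UserName=name):
                attached["AttachedPolicies"].extend(p["AttachedPolicies"])
            inline = {"PolicyNames": []}
            for p in iam.get_paginator("list_user_policies").paginate(UserName=name):
                inline["PolicyNames"].extend(p["PolicyNames"])
            findings.append(evaluate_user(name, attached, inline))
    return findings


# Constructed sample responses (not from a real account), in the exact shape
# the two IAM calls return.
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "AmazonS3ReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}]}
SAMPLE_INLINE = {"PolicyNames": ["s3-bucket-admin"]}


def demo():
    """Evaluate a constructed non-compliant user and a compliant one."""
    alice = evaluate_user("alice", SAMPLE_ATTACHED, SAMPLE_INLINE)
    bob = evaluate_user("bob", {"AttachedPolicies": []}, {"PolicyNames": []})
    return alice, bob


if __name__ == "__main__":
    for f in demo():
        status = "OK" if f.compliant else "NON-COMPLIANT"
        print(f"{f.user_name}: {status} attached={f.attached} inline={f.inline}")
        for c in remediation_commands(f, "s3-readers"):
            print("  " + c)
```

To audit a real account, call fetch_findings() with credentials that allow iam:ListUsers, iam:ListAttachedUserPolicies and iam:ListUserPolicies. The target group must exist (aws iam create-group) before the generated commands are run, and each migrated inline document deserves review first: putting it on a group grants it to every member, so an over-broad user policy should be tightened, not copied.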

policy.yaml

Linked Framework Sections

  • 💼 APRA CPG 234 → 💼 1 Identity and access management controls would ideally ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. Access is typically granted to users, special purpose system accounts, and information assets such as services and other software.
  • 💼 APRA CPG 234 → 💼 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes.
  • 💼 APRA CPG 234 → 💼 16c information security operations and administration;
  • 💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.
  • 💼 APRA CPG 234 → 💼 47c segregation of duty controls which prevent personnel from deploying their own software changes to production;
  • 💼 APRA CPG 234 → 💼 b. access to, and configuration of, information assets is restricted to the minimum required to achieve business objectives. This is typically referred to as the principle of ‘least privilege’ and aims to reduce the number of attack vectors that can be used to compromise information security;
  • 💼 APRA CPG 234 → 💼 h. segregation of duties is enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of a single individual to compromise information security;
  • 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.2] IAM users should not have IAM policies attached
  • 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services
  • 💼 AWS Well-Architected → 💼 COST02-BP04 Implement groups and roles
  • 💼 AWS Well-Architected → 💼 SEC03-BP01 Define access requirements
  • 💼 CIS AWS v1.2.0 → 💼 1.16 Ensure IAM policies are attached only to groups or roles
  • 💼 CIS AWS v1.3.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups
  • 💼 CIS AWS v1.4.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups
  • 💼 CIS AWS v1.5.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups - Level 1 (Automated)
  • 💼 CIS AWS v2.0.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups - Level 1 (Automated)
  • 💼 CIS AWS v3.0.0 → 💼 1.15 Ensure IAM Users Receive Permissions Only Through Groups - Level 1 (Automated)
  • 💼 CIS AWS v4.0.0 → 💼 1.15 Ensure IAM users receive permissions only through groups (Automated)
  • 💼 CIS AWS v4.0.1 → 💼 1.15 Ensure IAM users receive permissions only through groups (Automated)
  • 💼 CIS AWS v5.0.0 → 💼 1.14 Ensure IAM users receive permissions only through groups (Automated)
  • 💼 CIS AWS v6.0.0 → 💼 2.14 Ensure IAM users receive permissions only through groups (Automated)
  • 💼 Cloudaware Framework → 💼 User Account Management
  • 💼 FedRAMP High Security Controls → 💼 AC-2 Account Management (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-5 Separation of Duties (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-6(3) Network Access to Privileged Commands (H)
  • 💼 FedRAMP High Security Controls → 💼 AC-6(7) Review of User Privileges (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 AC-2 Account Management (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-2 Account Management (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-5 Separation of Duties (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-6(7) Review of User Privileges (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)
  • 💼 GDPR → 💼 Art. 25 Data protection by design and by default
  • 💼 GDPR → 💼 Art. 32 Security of processing
  • 💼 ISO/IEC 27001:2013 → 💼 A.9.2.2 User access provisioning
  • 💼 ISO/IEC 27001:2022 → 💼 5.3 Segregation of duties
  • 💼 ISO/IEC 27001:2022 → 💼 5.15 Access control
  • 💼 ISO/IEC 27001:2022 → 💼 5.18 Access rights
  • 💼 ISO/IEC 27001:2022 → 💼 8.2 Privileged access rights
  • 💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction
  • 💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events
  • 💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
  • 💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • 💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • 💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
  • 💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)
  • 💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented
  • 💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
  • 💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
  • 💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated
  • 💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
  • 💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
  • 💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
  • 💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
  • 💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
  • 💼 NIST SP 800-53 Revision 4 → 💼 AC-2 ACCOUNT MANAGEMENT
  • 💼 NIST SP 800-53 Revision 4 → 💼 AC-5 SEPARATION OF DUTIES
  • 💼 NIST SP 800-53 Revision 4 → 💼 AC-6 LEAST PRIVILEGE
  • 💼 NIST SP 800-53 Revision 4 → 💼 IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management | Automated System Account Management
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement | Role-based Access Control
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement | Discretionary and Mandatory Access Control
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-5 Separation of Duties
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-6(1) Least Privilege | Authorize Access to Security Functions
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-6(3) Least Privilege | Network Access to Privileged Commands
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-6(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
  • 💼 NIST SP 800-53 Revision 5 → 💼 AU-9(4) Protection of Audit Information | Access by Subset of Privileged Users
  • 💼 PCI DSS v3.2.1 → 💼 7.2.1 Coverage of all system components.
  • 💼 PCI DSS v4.0.1 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.
  • 💼 PCI DSS v4.0 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.
  • 💼 SOC 2 → 💼 CC6.1-4 Identifies and Authenticates Users