Description:
An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). That is, the policy is an inherent part of the identity. You can create a policy and embed it in an identity, either when you create the identity or later.
The following diagram illustrates inline policies. Each policy is an inherent part of the user, group, or role. Notice that two roles include the same policy (the DynamoDB-books-app policy), but they are not sharing a single policy; each role has its own copy of the policy.
Rationale:
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to. Defining access permissions for your IAM groups using managed policies instead offers several benefits: reusability, versioning, rollback, automatic updates, a larger policy size, and fine-grained control over policy assignment. An AWS Config rule can check that the inline policy feature is not in use; the rule is non-compliant if an AWS Identity and Access Management (IAM) user, IAM role, or IAM group has any inline policy.
Impact:
When you change a customer-managed policy, the changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. IAM stores up to five versions of your customer-managed policies. You can use policy versions to revert a policy to an earlier version if you need to.
Default Value:
Policies let you specify who has access to AWS resources and what actions they can perform on those resources. Every IAM user starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys.
Pre-Requisite:
- Must have a user group with the required permissions
Remediation:
Test Plan:
First, determine whether your IAM groups have any inline policies attached.
01: Sign into the AWS Management Console.
02: Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.
03: On the left navigation panel, choose User Groups.
04: Select the group that you want to examine.
05: On the IAM group configuration page, select the Permissions tab.
06: Inside the Inline Policies section, search for any existing inline policies. If one or more policies are listed, check the Type column: if you notice Customer inline, then it's correct; otherwise, follow the implementation steps.
CLI Commands
To know about the policy
aws iam get-group-policy \
  --group-name <value> \
  --policy-name <value>
Implementation Steps:
Step 01: Sign into the AWS Management Console.
Step 02: Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.
Step 03: In the left navigation panel, choose User Groups.
Step 04: Select the IAM group that has inline policies attached (see Audit section) and click on the group name to access its configuration page.
Step 05: On the IAM group configuration page, select the Permissions tab.
Step 06: Click on Add permissions.
Step 07: Click on Create inline policy.
Step 08: Select the service you want to add.
Step 09: Choose the Action which you want.
Step 10: Click on the Resources that you want to specify.
Step 11: Click on Review Policy.
Step 12: Provide the name of the policy.
Step 13: Click on Create policy.
CLI Commands
To create the policy
aws iam create-policy \
  --policy-name s3-bucket-management-policy \
  --policy-document file://s3-bucket-management-policy.json
To attach the policy to a group
aws iam attach-group-policy \
  --policy-arn arn:aws:iam::123456789012:policy/s3-bucket-management-policy \
  --group-name aws-s3-managers
To remove the inline policy from the group once its replacement is attached:
Step 01: Sign into the AWS Management Console.
Step 02: Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.
Step 03: In the left navigation panel, choose User Groups.
Step 04: Select the IAM group that has inline policies attached (see Audit section) and click on the group name to access its configuration page.
Step 05: On the IAM group configuration page, select the Permissions tab.
Step 06: Select the policy and click on Remove.
CLI Commands
To detach the policy from the user group
aws iam detach-group-policy \
  --group-name <value> \
  --policy-arn <value>
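The audit and migration procedure above, as an added worked example that is not part of the original page or of any AWS tooling: it evaluates a constructed inventory shaped like the `PolicyNames` field of `aws iam list-group-policies` / `list-user-policies` / `list-role-policies`, and builds the CLI sequence that replaces one group inline policy with a customer-managed copy. The identity names, policy document and account ID are constructed sample data.

```python
"""Find inline policies on IAM identities and plan their migration to managed
policies. Hypothetical helper; input mirrors AWS CLI list-*-policies output."""
import json

# Constructed sample inventory: identity type -> identity name -> inline policy
# names, as the "PolicyNames" field of the list-*-policies CLI calls returns them.
INVENTORY = {
    "group": {"aws-s3-managers": ["s3-bucket-management-policy"], "readers": []},
    "user": {"alice": [], "bob": ["bob-inline"]},
    "role": {"books-app-role": ["DynamoDB-books-app"]},
}

# Constructed "PolicyDocument" as get-group-policy would return it for the group.
INLINE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket"],
                   "Resource": "arn:aws:s3:::example-bucket"}],
}

# Managed policy documents are limited to 6,144 characters excluding whitespace.
MANAGED_POLICY_CHAR_LIMIT = 6144


def find_inline_policies(inventory):
    """Return (identity_type, identity_name, policy_name) for every inline
    policy. The Config rule described above is non-compliant if this is non-empty."""
    return [(kind, name, policy)
            for kind, identities in inventory.items()
            for name, policies in identities.items()
            for policy in policies]


def migration_plan(group_name, policy_name, policy_document, account_id):
    """Build the CLI commands that replace a group inline policy with a
    customer-managed copy using the same document: create the managed policy,
    attach it, then delete the inline one (delete-group-policy removes an inline
    policy; detach-group-policy only detaches managed policies)."""
    doc = json.dumps(policy_document, separators=(",", ":"))
    if len(doc) > MANAGED_POLICY_CHAR_LIMIT:
        raise ValueError("policy document exceeds the managed policy size limit")
    policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
    commands = [
        f"aws iam create-policy --policy-name {policy_name} "
        f"--policy-document file://{policy_name}.json",
        f"aws iam attach-group-policy --group-name {group_name} --policy-arn {policy_arn}",
        f"aws iam delete-group-policy --group-name {group_name} --policy-name {policy_name}",
    ]
    return commands, doc  # write `doc` to {policy_name}.json before running step 1
```

Run the commands in the returned order so the group never loses its permissions between detaching and attaching.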
Reference:
Managed policies and inline policies - AWS Identity and Access Management
iam — AWS CLI 1.27.94 Command Reference