Description:

An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). That is, the policy is an inherent part of the identity. You can create a policy and embed it in an identity, either when you create the identity or later.

The following diagram illustrates inline policies. Each policy is an inherent part of the user, group, or role. Notice that two roles include the same policy (the DynamoDB-books-app policy), but they are not sharing a single policy; each role has its own copy of the policy.

Rationale:

Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to. Defining access permissions for your IAM groups using managed policies instead offers multiple benefits, such as reusability, versioning, rollback, automatic updates, a larger policy size, and fine-grained control over policy assignment. An AWS Config rule checks that the inline policy feature is not in use; the rule is non-compliant if an AWS Identity and Access Management (IAM) user, IAM role, or IAM group has any inline policy.

Diagram of inline policies

Impact:

When you change a customer-managed policy, the changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. IAM stores up to five versions of your customer-managed policies. You can use policy versions to revert a policy to an earlier version if you need to.

Default Value:

Policies let you specify who has access to AWS resources and what actions they can perform on those resources. Every IAM user starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys.


Pre-Requisite:

  • Must have a user group with the required permissions

Remediation

Test Plan:

First, determine whether your IAM groups have any inline policies attached:

01: Sign into the AWS Management Console.

02: Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

03: On the left navigation panel, choose User Groups.

04: Select the group that you want to examine.

05: On the IAM group configuration page, select the Permissions tab.

06: Inside the Inline Policies section, search for any existing inline policies. If one or more policies are listed, check the Type column: if it shows Customer inline, the finding is confirmed; otherwise, follow the implementation steps.

CLI Commands

To know about the policy

aws iam get-group-policy \
    --group-name <value> \
    --policy-name <value>

Implementation Steps:

Step 01: Sign into the AWS Management Console.

Step 02: Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

Step 03: In the left navigation panel, choose User Groups.

Step 04: Select the IAM group that has inline policies attached (see Test Plan section) and click on the group name to access its configuration page.

Step 05: On the IAM group configuration page, select the Permissions tab.

Step 06: Click on Add permissions.

Step 07: Click on Create inline policy.

Step 08: Select the service you want to add.

Step 09: Choose the actions that you want.

Step 10: Click on the resources that you want to specify.

Step 11: Click on Review policy.

Step 12: Provide the name of the policy.

Step 13: Click on Create policy.

CLI Commands

To create the policy

aws iam create-policy \
    --policy-name s3-bucket-management-policy \
    --policy-document file://s3-bucket-management-policy.json

To attach the policy to a group

aws iam attach-group-policy \
    --policy-arn arn:aws:iam::123456789012:policy/s3-bucket-management-policy \
    --group-name aws-s3-managers
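
As an added example (not part of the original control text), the following Python script combines the Test Plan check with the managed-policy migration from the Implementation Steps: it takes the policy documents that `aws iam get-group-policy` returns, flags groups that still carry inline policies, and emits the CLI commands that move each one to a customer-managed policy. The group names, policy documents and account ID are constructed placeholders; the script prints commands and never calls AWS itself.

```python
import json
# Constructed sample of `aws iam get-group-policy` results, keyed by group and inline
# policy name (placeholder groups). Two groups each hold their own copy of one document.
S3_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket*"}]}
DDB_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
           "Action": "dynamodb:GetItem", "Resource": "arn:aws:dynamodb:*:*:table/books"}]}
SAMPLE = {
    "aws-s3-managers": {"s3-bucket-management-policy": S3_DOC},
    "books-app-readers": {"DynamoDB-books-app": DDB_DOC},
    "books-app-writers": {"DynamoDB-books-app": DDB_DOC},
    "auditors": {},  # compliant: only managed policies attached
}

def non_compliant_groups(inline_by_group):
    """Groups with at least one inline policy: the control's failure condition."""
    return sorted(g for g, policies in inline_by_group.items() if policies)

def canonical(doc):
    """Key-order- and whitespace-insensitive form of a policy document, for deduplication."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))

def build_plan(inline_by_group, account_id):
    """CLI steps that replace every inline policy with a customer-managed one.

    Identical documents collapse into one managed policy attached to each group
    that held a copy; a reused name with a different document gets the group
    name appended (managed policy names are unique per account). Each managed
    copy is attached before the inline original is deleted.
    """
    managed = {}  # canonical document -> (managed policy name, [(group, inline name)])
    taken = set()
    for group in non_compliant_groups(inline_by_group):
        for name, doc in inline_by_group[group].items():
            key = canonical(doc)
            if key not in managed:
                mname = name if name not in taken else f"{name}-{group}"
                taken.add(mname)
                managed[key] = (mname, [])
            managed[key][1].append((group, name))
    commands = []
    for mname, holders in managed.values():
        arn = f"arn:aws:iam::{account_id}:policy/{mname}"
        commands.append(f"aws iam create-policy --policy-name {mname} "
                        f"--policy-document file://{mname}.json")
        for group, inline_name in holders:
            commands.append(f"aws iam attach-group-policy --group-name {group} --policy-arn {arn}")
            commands.append(f"aws iam delete-group-policy --group-name {group} --policy-name {inline_name}")
    return commands
```

Calling `build_plan(SAMPLE, "123456789012")` yields eight commands: one `create-policy` per distinct document, then an attach/delete pair for each group that held a copy.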

Back out Plan:

Step 01: Sign into the AWS Management Console.

Step 02: Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

Step 03: In the left navigation panel, choose User Groups.

Step 04: Select the IAM group that has inline policies attached (see Test Plan section) and click on the group name to access its configuration page.

Step 05: On the IAM group configuration page, select the Permissions tab.

Step 06: Select the policy and click on remove.

CLI Commands

To detach the policy from the user group

aws iam detach-group-policy \
    --group-name <value> \
    --policy-arn <value>

Reference:

Managed policies and inline policies - AWS Identity and Access Management 

iam — AWS CLI 1.27.94 Command Reference 

create-policy — AWS CLI 1.27.91 Command Reference 

get-group-policy — AWS CLI 1.27.90 Command Reference