AWS-IAM-Group-Inline-Policies

Severity : Medium

Description: This control ensures that IAM groups are using the managed policies and not using inline policies to control access permissions. AWS well-architect framework recommend not using inline policies as they are not reusable, hard to managed, security risks in delegating permissions and lack fine-grained control over the policies.

Remediation Steps:

Perform following to convert inline policies to managed policies :

1. Login to the AWS Management Console at https://console.aws.amazon.com.

2. Navigate to IAM console.

3. In navigation pane, click User groups.

4. From the list of groups select the group reported with inline policy.

5. Select Permissions.

6. Select the name of the inline policy to remove.

7. Copy the JSON policy document for the policy.

8. In navigation, choose Policies.

9. Select Create policy and then choose the JSON.

10. Replace the existing text with saved JSON policy text, and choose Review policy.

11. Enter a name for your policy.

12. Select Create policy.

13. In navigation pane, again click User groups. From the list of groups, go back to the group reported with inline policy.

14. Select Permissions.

15. Select check box next to new policy, choose Add permissions, and then choose Attach policy.

16. Choose Next: Review, and then choose Add permissions.

17. Select check box next to the inline policy to remove and choose Remove.

Important:

Reference:

• Managed policies and inline policies - AWS Identity and Access Management

• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline