Nowadays, cloud security is one of the most crucial parameters for users due to the increasing number of security threats. It is, therefore, necessary to take certain steps regarding IAM policies to ensure the security of your deployed AWS resources.
What is AWS IAM?
AWS IAM (Identity and Access Management) is a web service that helps users secure and control access to their AWS resources. In other words, IAM controls who is signed in (authentication) and which permissions they hold on which resources (authorization).
Inline policies vs managed policies
AWS IAM inline policies are created and managed by users. An inline policy is embedded directly into a single entity (user, group or role). Inline policies are useful when you want to maintain a strict one-to-one relationship between a policy and the principal entity it is applied to: deleting the entity deletes the inline policy as well.
On the other hand, a managed policy is a standalone policy that can be attached to multiple entities. Managed policies apply only to entities and not to resources. They have their own ARN (Amazon Resource Name).
Managed policies are of two types:
- AWS managed policies
- Customer managed policies
Which one is better and why?
It is recommended to use managed policies instead of inline policies, because managed policies are reusable and support versioning.
Each change to an existing managed policy creates a new version, which makes it possible to compare changes and roll back to an earlier version. Further advantages of managed policies over inline policies include delegating permission management, etc.
A health tip for your AWS infrastructure: regularly check how close your groups are to the IAM policy limits.
Detect accounts with AWS IAM inline policies
Centilytics provides a dedicated insight into IAM inline policies for your AWS accounts. This insight checks all the policies in use and raises a warning if an inline policy exists in the respective account.
There can be 2 possible scenarios:

| Severity | Description |
|---|---|
| OK | This indication pops up when the corresponding account has managed policies in use. |
| CRITICAL | This indication pops up when the corresponding account has AWS IAM inline policies in use. |
The further columns are described as follows:
- Account-ID: This column shows the respective account ID of the user’s account.
- Account Name: This column shows the corresponding account name to the user’s account.
- Identifier: This column shows the ARN of your account.
- Type: This column shows the type of policy i.e. managed policy or inline policy.
- Policy Name: This column shows the name of the policy.
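As an added example (not Centilytics' code), the same check written with boto3: it enumerates users, groups and roles, lists their inline and attached managed policies, and grades each finding with the OK/CRITICAL rule above. It assumes boto3 is installed with read-only IAM credentials, and takes the Identifier column to be the ARN of the IAM entity carrying the policy; the sample inventory at the bottom is constructed so the grading runs offline.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    kind: str                                    # "user", "group" or "role"
    arn: str                                     # the Identifier column (assumed: entity ARN)
    inline: list = field(default_factory=list)   # inline policy names
    managed: list = field(default_factory=list)  # attached managed policy ARNs

LISTERS = {  # per principal type: list op, response key, name parameter, inline lister, attached lister
    "user": ("list_users", "Users", "UserName", "list_user_policies", "list_attached_user_policies"),
    "group": ("list_groups", "Groups", "GroupName", "list_group_policies", "list_attached_group_policies"),
    "role": ("list_roles", "Roles", "RoleName", "list_role_policies", "list_attached_role_policies"),
}

def collect_inventory(iam=None):
    """Enumerate every user, group and role with its inline and attached managed policies
    (needs boto3 and credentials holding the iam:List* read permissions; assumed)."""
    if iam is None:
        import boto3  # imported lazily so classify() below runs offline
        iam = boto3.client("iam")
    inventory = []
    for kind, (lister, key, name_key, inline_op, attached_op) in LISTERS.items():
        for page in iam.get_paginator(lister).paginate():
            for item in page[key]:
                kwargs = {name_key: item[name_key]}
                inline = [n for p in iam.get_paginator(inline_op).paginate(**kwargs) for n in p["PolicyNames"]]
                managed = [a["PolicyArn"] for p in iam.get_paginator(attached_op).paginate(**kwargs)
                           for a in p["AttachedPolicies"]]
                inventory.append(Entity(kind, item["Arn"], inline, managed))
    return inventory

def classify(inventory):
    """One finding per policy, using the insight's rule: inline -> CRITICAL, managed -> OK."""
    findings = []
    for e in inventory:
        for name in e.inline:
            findings.append({"severity": "CRITICAL", "identifier": e.arn, "type": "inline", "policy": name})
        for policy_arn in e.managed:  # report the managed policy by its name, not the full ARN
            findings.append({"severity": "OK", "identifier": e.arn, "type": "managed",
                             "policy": policy_arn.rsplit("/", 1)[-1]})
    return findings

def account_status(findings):
    """The whole account is CRITICAL as soon as one inline policy is in use."""
    return "CRITICAL" if any(f["severity"] == "CRITICAL" for f in findings) else "OK"

SAMPLE = [  # constructed sample inventory (not a real account) so the check runs offline
    Entity("user", "arn:aws:iam::123456789012:user/alice", ["s3-full"], ["arn:aws:iam::aws:policy/ReadOnlyAccess"]),
    Entity("role", "arn:aws:iam::123456789012:role/deploy", [], ["arn:aws:iam::123456789012:policy/deploy-policy"]),
]
```

Run `classify(collect_inventory())` against a real account to get the Identifier/Type/Policy Name rows, and `account_status()` for the account-level OK/CRITICAL verdict.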
| Filter | Description |
|---|---|
| Account Id | Applying the account Id filter will display data for the selected account Id. |
| Severity | Applying the severity filter will display resources according to the selected severity type. This means selecting 'Critical' will display all resources with critical severity. The same applies to the Warning and Ok severity types. |
| Resource Tags | Applying the resource tags filter will display those resources which have been assigned the selected resource tag. For example, a user has tagged some public snapshots with a resource tag named environment. Selecting environment from the resource tags filter will then display all resources tagged with the tag name environment. |
| Resource Tags Value | Applying the resource tags value filter will display data which has the selected resource tag value. For example, let's say a user has tagged some resource with a tag named environment with the value production (environment: production). The user can then view data for all the resources which have the "environment:production" tag assigned. The tag value filter can only be used once a tag name has been provided. |
| Compliance Name | Reference No. | Link |
|---|---|---|
| ISO 27001 | A.9.2.1, A.9.2.2, A.9.4.1 | |