Risk Level: Low
Cloud Entity: Amazon Elastic Container Service
CloudGuard Rule ID: D9.AWS.IAM.47
EcsService should not have role.inlinePolicies
For each ECS service with inline policies, perform the following steps:
- In the IAM console, select Users from the navigation pane
- Select Permissions
- Remove any policies attached directly to the user (these are inline policies) and replace them with equivalent managed policies (created on the Policies page) that are assigned to users, groups or roles.
From Command Line
- To fetch an inline policy of the IAM group, run the following get-group-policy command:
aws iam get-group-policy --group-name PUT_GROUP_NAME --policy-name PUT_POLICY_NAME
The command above returns the requested inline policy document. Create a JSON file, paste the contents of the PolicyDocument object into it, and save it.
Detach the existing inline policies from the selected IAM group. Use the following command to delete an inline policy:
Note: an inline policy is deleted as soon as it is detached, so make sure to save these policies before detaching them.
aws iam delete-group-policy --group-name PUT_GROUP_NAME --policy-name PUT_POLICY_NAME
Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS NIST 800-53 Rev 5