Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureAuto Checks Integration Guide for AzureAuto Checks Integration Guide for GCP
AWS Auto Checks Detailed Explanations
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Block IAM Inline Policies That Enable Privilege Escalation

Framework Reference: A.8.2 (Identity Management) Integration: AWS – IAM

Why this matters

Inline IAM policies are attached directly to users, roles, or groups and are not reused or versioned like managed policies. This makes them harder to audit and maintain. Worse, if these policies grant overly broad permissions—such as allowing the creation of new roles or assignment of privileges—they can be exploited for privilege escalation.

Privilege escalation enables attackers to elevate their access rights in your AWS environment. This can lead to full compromise of accounts and services if not properly managed.

What this check does

This Auto Check scans all IAM inline policies for patterns that indicate potential privilege escalation, such as:

Use of wildcard actions like "Action": "*"

Permissions to modify IAM roles, policies, or access keys

Lack of conditions limiting sensitive operations

If such policies are detected, the check will fail.

How to fix it

From the AWS Console

Sign in to the IAM Console

In the navigation pane, choose Users, Roles, or Groups

For each identity, review the Inline Policies section

Open each inline policy and inspect the permissions

Look for broad statements like Effect: Allow, Action: *, or risky permissions (e.g., iam:PassRole, iam:CreatePolicy)

Delete or replace these policies with managed ones that follow least privilege principles

From the AWS CLI

You can list and detach inline policies using:

aws iam list-user-policies --user-name <user_name> aws iam delete-user-policy --user-name <user_name> --policy-name <policy_name>

Repeat similarly for groups and roles.

Best Practices

Avoid inline policies entirely if possible; use managed policies instead

Apply least privilege: grant only the permissions required for the task

Regularly audit IAM policies across all accounts and regions

Use policy conditions to limit access by IP, service, or resource

Further Resources

AWS IAM Best Practices

Managed vs Inline Policies

IAM CLI Reference

Was this article helpful?

Powered by Product Fruits