Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explained
Auto Checks Detailed Explanation
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Prevent IAM identities from having inline policies with unrestricted access

Framework Reference: A.8.2 (Privileged Access Rights) Integration: AWS – IAM

Why this matters

Inline IAM policies are directly attached to users, roles, or groups. Unlike managed policies, they are harder to audit and reuse, and often introduce overly broad permissions without oversight. If an inline policy grants unrestricted access using "Action": "*", it effectively gives full admin rights—violating the principle of least privilege.

This check ensures that inline policies do not introduce unnecessary risk and encourages use of managed policies for better control and visibility.

What this check does

This check evaluates all IAM users, roles, and groups with attached inline policies and verifies whether any of those policies contain:

"Effect": "Allow"

"Action": "*"

"Resource": "*"

It passes if no inline policies grant full admin access. It fails if any inline policy allows unrestricted access.

How to fix it

From the AWS Console

Sign in to the IAM Console

Go to Users, Groups, or Roles

Select each identity and scroll to the Inline Policies section

Review the inline policy document

If the policy grants "Action": "*" and "Resource": "*", click Delete

Replace it with a managed policy that only grants necessary permissions

From the AWS CLI

You can list and evaluate inline policies using these commands:

# List inline policies for a user aws iam list-user-policies --user-name <user-name> # Delete an inline policy aws iam delete-user-policy --user-name <user-name> --policy-name <policy-name>

Repeat for list-group-policies and list-role-policies if needed.

Best Practices

Prefer managed policies over inline policies for easier governance

Always design policies based on specific job functions

Use policy simulation tools to test for over-permissioning before deployment

Exceptions

There are no widely accepted exceptions to this rule. In rare edge cases, a tightly scoped inline policy may be allowed temporarily, but this should be clearly documented and removed after use.

Further Resources

AWS IAM Best Practices

Inline vs. Managed Policies

AWS CLI IAM Commands

Was this article helpful?

Powered by Product Fruits