Benchmark: IAM
Overview
This section contains recommendations for configuring AWS IAM resources and options.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select IAM.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_iam
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_iam --share
Controls
- 1 IAM policies should not allow full '*' administrative privileges
- 2 IAM users should not have IAM policies attached
- 3 IAM users' access keys should be rotated every 90 days or less
- 4 IAM root user access key should not exist
- 5 MFA should be enabled for all IAM users that have a console password
- 6 Hardware MFA should be enabled for the root user
- 7 Password policies for IAM users should have strong configurations
- 8 Unused IAM user credentials should be removed
- 21 IAM customer managed policies that you create should not allow wildcard actions for services
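As an added example that is not part of this page or of the mod's own control queries (the mod implements its controls as SQL run by Steampipe), the following Python shows the shape of the checks behind control 1 (full '*' administrative privileges) and control 21 (service-level wildcard actions such as `s3:*`) applied to constructed IAM policy documents. The sample policies and function names are assumptions made for this example; it deliberately ignores `NotAction`, `NotResource` and `Condition` keys, which a production evaluator has to account for.

```python
import json

# Constructed sample policy documents for this example (not from the page or the mod).
FULL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        # Deny statements never grant privileges, so the checks skip them.
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    """Yield only the statements that can grant privileges."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield stmt


def allows_full_admin(policy):
    """Control 1: an Allow statement granting Action '*' (or '*:*') on Resource '*'."""
    for stmt in _allow_statements(policy):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


def service_wildcard_actions(policy):
    """Control 21: allowed actions of the form 'service:*' (e.g. 's3:*')."""
    found = []
    for stmt in _allow_statements(policy):
        for action in _as_list(stmt.get("Action")):
            if action.endswith(":*") and action != "*:*":
                found.append(action)
    return found


def evaluate(policy_document):
    """Return a per-control status ('ok' or 'alarm') for a policy given as a JSON string or dict."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    wildcards = service_wildcard_actions(policy)
    return {
        "control_1_full_admin": "alarm" if allows_full_admin(policy) else "ok",
        "control_21_service_wildcard": "alarm" if wildcards else "ok",
        "wildcard_actions": wildcards,
    }


if __name__ == "__main__":
    samples = [
        ("full-admin", FULL_ADMIN_POLICY),
        ("service-wildcard", SERVICE_WILDCARD_POLICY),
        ("scoped", SCOPED_POLICY),
    ]
    for name, doc in samples:
        print(name, evaluate(doc))
```

The two checks are intentionally separate: a policy with `s3:*` on a single bucket ARN still trips control 21 without tripping control 1, which is why the benchmark reports them as distinct findings.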