Benchmark: 7. Validate IAM roles
Description
As you operate your AWS accounts to iterate and build capability, you may end up creating multiple IAM roles that you discover later you don't need.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-top-10
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 7. Validate IAM roles.
Run this benchmark in your terminal:
powerpipe benchmark run aws_top_10.benchmark.account_security_validate_iam_roles
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_top_10.benchmark.account_security_validate_iam_roles --share
Controls
- Ensure that IAM Access Analyzer is enabled for all regions
- IAM Access Analyzer should be enabled without findings
- IAM roles should not have read-only access for external AWS accounts
- IAM roles that have not been used in 60 days should be removed
- IAM role trust policies should prohibit public access
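As an added illustration (not part of the mod's own SQL controls), the following Python checker applies two of the controls above, the public trust policy check and the 60-day inactivity check, to a couple of constructed role records; SAMPLE_ROLES, AS_OF and the function names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample roles (not real AWS data): one with a public trust policy, one properly scoped.
SAMPLE_ROLES = [
    {"name": "public-role", "last_used": "2024-01-10T00:00:00Z",
     "trust": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}},
    {"name": "scoped-role", "last_used": "2024-05-01T00:00:00Z",
     "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}},
]
# Constructed evaluation date used as "now" for the inactivity check.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _principals(principal):
    """Flatten a Principal element (string, list, or dict of strings/lists) into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, list):
        return [p for item in principal for p in _principals(item)]
    if isinstance(principal, dict):
        return [p for value in principal.values() for p in _principals(value)]
    return []

def trust_policy_is_public(policy):
    """True if an Allow statement lets an unrestricted principal ("*", or "AWS": "*") assume the role.
    Assumption/simplification: a statement carrying any Condition block is treated as restricted."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and not stmt.get("Condition"):
            if "*" in _principals(stmt.get("Principal")):
                return True
    return False

def role_unused_for(last_used_iso, now, days=60):
    """True if the role's last-used timestamp is older than `days` (the benchmark's 60-day threshold)."""
    last_used = datetime.fromisoformat(last_used_iso.replace("Z", "+00:00"))
    return now - last_used > timedelta(days=days)

def evaluate(roles, now):
    """Map each role name to the list of controls it fails (an empty list means it passes both)."""
    findings = {}
    for role in roles:
        failed = []
        if trust_policy_is_public(role["trust"]):
            failed.append("trust policy allows public access")
        if role_unused_for(role["last_used"], now):
            failed.append("not used in 60 days")
        findings[role["name"]] = failed
    return findings
```

Running `evaluate(SAMPLE_ROLES, AS_OF)` flags public-role on both controls and passes scoped-role.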