Benchmark: BP06 Manage access based on lifecycle
Description
Integrate access controls with operator and application lifecycle and your centralized federation provider. For example, remove a user's access when they leave the organization or change roles. With AWS RAM, access to shared resources is automatically granted or revoked as accounts are moved in and out of the Organization or Organizational Unit with which they are shared. This helps ensure that resources are only shared with the accounts that you intend.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select BP06 Manage access based on lifecycle.
Run this benchmark in your terminal:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec03_bp06
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec03_bp06 --share
Controls
- IAM user credentials that have not been used in 90 days should be disabled
- DMS replication instances should not be publicly accessible
- Log group retention period should be at least 365 days
- CodeBuild projects should not be unused for 90 days or greater
- VPC EIPs should be associated with an EC2 instance or ENI
- ECR repositories should have lifecycle policies configured
- Ensure IAM password policy expires passwords within 90 days or less
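Each control above is a Steampipe SQL query that classifies every resource as ok, alarm or info. The query below is an added illustration of the first control (unused IAM credentials), written for this page and not taken from the mod; it assumes the Steampipe AWS plugin's aws_iam_credential_report table and its column names, and the 90-day threshold comes from the control title.

```sql
-- Added example: flag IAM users whose enabled password or active access keys
-- have not been used in the last 90 days (assumes the Steampipe AWS plugin's
-- aws_iam_credential_report table). The root account is reported as 'info'
-- because it cannot be disabled the way an IAM user can.
select
  user_arn as resource,
  case
    when user_name = '<root_account>' then 'info'
    when password_enabled
      and coalesce(password_last_used, '1970-01-01'::timestamp)
          < (current_date - interval '90' day) then 'alarm'
    when access_key_1_active
      and coalesce(access_key_1_last_used_date, '1970-01-01'::timestamp)
          < (current_date - interval '90' day) then 'alarm'
    when access_key_2_active
      and coalesce(access_key_2_last_used_date, '1970-01-01'::timestamp)
          < (current_date - interval '90' day) then 'alarm'
    else 'ok'
  end as status,
  user_name || ' last console login: '
    || coalesce(password_last_used::text, 'never')
    || ', key 1 last used: '
    || coalesce(access_key_1_last_used_date::text, 'never')
    || ', key 2 last used: '
    || coalesce(access_key_2_last_used_date::text, 'never') as reason,
  account_id
from
  aws_iam_credential_report;
```

Credentials that were enabled but never used are treated as unused (the coalesce to an old timestamp), which is the case that most often slips through lifecycle reviews.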