Benchmark: IAM
Description
This section contains recommendations for configuring IAM resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select IAM.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_iam
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_iam --share
Controls
 - IAM Access analyzer should be enabled without findings
 - Ensure that IAM Access analyzer is enabled for all regions
 - Ensure IAM password policy requires a minimum length of 14 or greater
 - Ensure IAM password policy requires at least one lowercase letter
 - Ensure IAM password policy requires at least one number
 - Ensure IAM password policy requires at least one symbol
 - Ensure IAM password policy requires at least one uppercase letter
 - Ensure IAM password policy prevents password reuse
 - Password policies for IAM users should have strong configurations with minimum length of 8 or greater
 - IAM password policies for users should have strong configurations
 - Ensure IAM policy should not grant full access to service
 - IAM unattached custom policy should not have statements with admin access
 - IAM groups should have at least one user
 - IAM groups, users, and roles should not have any inline policies
 - IAM inline policy should not have administrative privileges
 - IAM AWS managed policies should be attached to IAM role
 - Ensure IAM password policy expires passwords within 90 days or less
 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
 - IAM policies should not allow full '*' administrative privileges
 - IAM roles should not have any assume role policies attached
 - Ensure managed IAM policies should not allow blocked actions on KMS keys
 - IAM custom policy should not have overly permissive STS role assumption
 - Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
 - IAM policy should not grant full access to cloudtrail service
 - IAM policy should not grant full access to KMS service
 - IAM policy should not have statements with admin access
 - IAM policy should be in use
 - IAM roles should not have read only access for external AWS accounts
 - IAM roles should not have cross-account write access policies
 - Ensure IAM role is not attached with the AdministratorAccess policy
 - IAM roles that have not been used in 60 days should be removed
 - Eliminate use of the 'root' user for administrative and daily tasks
 - Ensure that the root user account has MFA enabled for console access
 - IAM root user hardware MFA should be enabled
 - IAM root user MFA should be enabled
 - IAM root user should not have access keys
 - IAM Security Audit role should be created to conduct security audits
 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
 - Ensure a support role has been created to manage incidents with AWS Support
 - IAM user access keys should be rotated at least every 365 days
 - IAM user access keys should be rotated at least every 90 days
 - Ensure IAM users with access keys unused for 45 days or greater are disabled
 - Ensure IAM users are assigned access keys and passwords at setup
 - IAM users with console access should have MFA enabled
 - Ensure IAM users with console access unused for 45 days or greater are disabled
 - Ensure access to AWSCloudShellFullAccess is restricted
 - IAM users should have hardware MFA enabled
 - IAM users should be in at least one group
 - IAM user MFA should be enabled
 - IAM user should not have any inline or attached policies
 - Ensure IAM policies are attached only to groups or roles
 - Ensure there is only one active access key available for any single IAM user
 - Ensure credentials unused for 45 days or greater are disabled
 - IAM user credentials that have not been used in 90 days should be disabled
 - IAM administrator users should have MFA enabled