turbot/steampipe-mod-aws-compliance

Control: Ensure IAM users are assigned access keys and passwords at setup

Description

This control checks whether the IAM users have access keys and passwords at setup. The control fails if the IAM users do not have access keys and passwords at setup.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_user_access_keys_and_password_at_setup

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_user_access_keys_and_password_at_setup --share

SQL

This control uses a named query:

select
  user_arn as resource,
  case
    -- alarm when password is enabled and the key was created within 10 seconds of the user
    when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm'
    else 'ok'
  end as status,
  case
    when not password_enabled then user_name || ' password login disabled.'
    when access_key_1_last_rotated is null then user_name || ' has no access keys.'
    when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10)
      then user_name || ' has access key created during user creation and password login enabled.'
    else user_name || ' has access key not created during user creation.'
  end as reason,
  account_id
from
  aws_iam_credential_report;
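The query above reads the `aws_iam_credential_report` table, which Steampipe builds from the CSV returned by `aws iam get-credential-report`. The same test can be applied directly to that raw CSV, which is useful when Steampipe is not available or when you want to see exactly how a row is judged. The following Python is an added example, not code from the mod: it embeds a constructed credential report (real column names, made-up values), mirrors the query's status and reason logic row by row, including the 10-second window and the "no access key" case, and derives the account id from the user ARN. The function names `evaluate_user` and `evaluate_report` are hypothetical.

```python
"""Apply the 'access key created at user setup' test to a raw IAM
credential report CSV, mirroring the control's query logic."""
import csv
import io
from datetime import datetime

# Constructed sample report. Column names match the real credential
# report CSV; the users, timestamps and account id are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,access_key_1_active,access_key_1_last_rotated
alice,arn:aws:iam::111122223333:user/alice,2024-03-01T09:00:00+00:00,true,true,2024-03-01T09:00:04+00:00
bob,arn:aws:iam::111122223333:user/bob,2024-03-01T09:00:00+00:00,true,true,2024-03-08T14:30:00+00:00
carol,arn:aws:iam::111122223333:user/carol,2024-03-01T09:00:00+00:00,false,true,2024-03-01T09:00:02+00:00
dave,arn:aws:iam::111122223333:user/dave,2024-03-01T09:00:00+00:00,true,false,N/A
"""

# Same threshold the control's query uses: a key rotated (i.e. created)
# less than 10 seconds after the user counts as "created at setup".
SETUP_WINDOW_SECONDS = 10


def _parse_ts(value):
    """Parse a report timestamp; the report uses text markers such as
    'N/A' or 'not_supported' where no value exists, which map to None
    (the query's SQL NULL)."""
    if value in ("", "N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def evaluate_user(row):
    """Return resource, status, reason and account_id for one report row,
    in the same order of precedence as the query's CASE expressions."""
    user = row["user"]
    arn = row["arn"]
    # The raw report stores booleans as the strings 'true'/'false'
    # ('not_supported' for the root account row), so compare as text.
    password_enabled = row["password_enabled"] == "true"
    created = _parse_ts(row["user_creation_time"])
    rotated = _parse_ts(row["access_key_1_last_rotated"])

    # With no key, the SQL subtraction is NULL and the comparison is not
    # true, so the status is 'ok'; the same holds for rotated is None here.
    key_at_setup = (
        password_enabled
        and rotated is not None
        and (rotated - created).total_seconds() < SETUP_WINDOW_SECONDS
    )
    status = "alarm" if key_at_setup else "ok"

    if not password_enabled:
        reason = f"{user} password login disabled."
    elif rotated is None:
        reason = f"{user} has no access keys."
    elif key_at_setup:
        reason = f"{user} has access key created during user creation and password login enabled."
    else:
        reason = f"{user} has access key not created during user creation."

    # ARN layout is arn:partition:service:region:account-id:resource.
    account_id = arn.split(":")[4]
    return {"resource": arn, "status": status, "reason": reason, "account_id": account_id}


def evaluate_report(csv_text):
    """Evaluate every row of a credential report CSV."""
    return [evaluate_user(row) for row in csv.DictReader(io.StringIO(csv_text))]


if __name__ == "__main__":
    for result in evaluate_report(SAMPLE_REPORT):
        print(f"{result['status']:5}  {result['reason']}")
```

Run against a real report by passing the decoded `Content` field of `get-credential-report` to `evaluate_report`. Only `alice` alarms in the sample: her key was created four seconds after the user while console login is enabled; `bob`'s key came a week later, `carol` has no console password, and `dave` has no key at all.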

Tags