Benchmark: PR.AA-05
Description
Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select PR.AA-05.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_csf_v2_pr_aa_05
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_csf_v2_pr_aa_05 --share
Controls
- Ensure IAM policy should not grant full access to service
- IAM unattached custom policy should not have statements with admin access
- IAM groups, users, and roles should not have any inline policies
- IAM AWS managed policies should be attached to IAM role
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
- IAM policy should not have statements with admin access
- IAM user access keys should be rotated at least every 90 days
- Ensure IAM users with access keys unused for 45 days or greater are disabled
- IAM users should be in at least one group
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- IAM administrator users should have MFA enabled
- Ensure a log metric filter and alarm exist for IAM policy changes
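The mod evaluates the controls above as SQL queries against Steampipe's AWS tables, and the text does not reproduce those queries. The following is an added example, not code from the mod, that re-implements the logic of four of the listed controls (admin-access statements, full access to a service, 90-day key rotation, and keys unused for 45 days) as plain Python over constructed IAM data, so that the intent of each check can be seen on sample input. All function names, the sample policy documents and the dates are assumptions made for this example.

```python
# Added example, not part of the Powerpipe mod: an offline evaluator that applies
# the logic of four of the IAM controls listed above to constructed sample data.
import json
from datetime import datetime, timedelta, timezone


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iter_allow_statements(policy_doc):
    """Yield (actions, resources) for every Allow statement in a policy document.
    Deny statements never widen access, so they are skipped here."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        yield _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))


def grants_admin_access(policy_doc):
    """Control 'IAM policy should not have statements with admin access':
    an Allow statement with Action "*" on Resource "*"."""
    return any("*" in actions and "*" in resources
               for actions, resources in iter_allow_statements(policy_doc))


def full_service_access(policy_doc):
    """Control 'IAM policy should not grant full access to service': return the
    services for which an Allow statement grants "<service>:*" on Resource "*"."""
    services = set()
    for actions, resources in iter_allow_statements(policy_doc):
        if "*" not in resources:
            continue
        for action in actions:
            if action != "*" and action.endswith(":*"):
                services.add(action.split(":", 1)[0].lower())
    return sorted(services)


def access_key_needs_rotation(create_date, now, max_age_days=90):
    """Control 'IAM user access keys should be rotated at least every 90 days'."""
    return now - create_date > timedelta(days=max_age_days)


def access_key_is_stale(last_used_date, create_date, now, unused_days=45):
    """Control 'IAM users with access keys unused for 45 days or greater are disabled':
    a key that has never been used is measured from its creation date."""
    reference = last_used_date or create_date
    return now - reference >= timedelta(days=unused_days)


# Constructed sample policy documents (assumptions for this example, not real policies).
ADMIN_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}')
FULL_S3_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
    '"Action":["s3:*","ec2:DescribeInstances"],"Resource":"*"}}')
SCOPED_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":['
    '{"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:s3:::example-bucket/*"},'
    '{"Effect":"Deny","Action":"*","Resource":"*"}]}')

# Constructed reference dates (assumptions) for the access-key checks.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OLD_KEY_CREATED = NOW - timedelta(days=120)      # well past the 90-day rotation limit
RECENT_KEY_CREATED = NOW - timedelta(days=10)
RECENT_KEY_LAST_USED = NOW - timedelta(days=3)
NEVER_USED_KEY_CREATED = NOW - timedelta(days=45)


def evaluate_samples():
    """Run every check over the constructed data and return the findings."""
    return {
        "admin_policy_has_admin": grants_admin_access(ADMIN_POLICY),
        "full_s3_services": full_service_access(FULL_S3_POLICY),
        "scoped_policy_services": full_service_access(SCOPED_POLICY),
        "scoped_policy_has_admin": grants_admin_access(SCOPED_POLICY),
        "old_key_needs_rotation": access_key_needs_rotation(OLD_KEY_CREATED, NOW),
        "recent_key_needs_rotation": access_key_needs_rotation(RECENT_KEY_CREATED, NOW),
        "recent_key_stale": access_key_is_stale(RECENT_KEY_LAST_USED, RECENT_KEY_CREATED, NOW),
        "never_used_key_stale": access_key_is_stale(None, NEVER_USED_KEY_CREATED, NOW),
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_samples(), indent=2))
```

The policy checks look only at `Action` and `Resource` on `Allow` statements; a real evaluator also has to account for `NotAction`, `NotResource` and `Condition` blocks, which this example deliberately leaves out, so treat it as an illustration of what the controls flag rather than a replacement for running the benchmark.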