Benchmark: A3.4.1: User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized
Description
Regular review of access rights helps to detect excessive access rights that remain after user job responsibilities change, system functions change, or other modifications occur. If excessive user rights are not revoked in due time, they may be used by malicious users for unauthorized access.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select A3.4.1: User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_appendix_a3_4_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_appendix_a3_4_1 --share
Controls
- Backup recovery points manual deletion should be disabled
- DMS replication instances should not be publicly accessible
- Amazon DocumentDB cluster snapshots should not be public
- EBS snapshots should not be publicly restorable
- ECS containers should be limited to read-only access to root filesystems
- EFS access points should enforce a root directory
- EFS access points should enforce a user identity
- EMR account public access should be blocked
- IAM groups should have at least one user
- IAM user credentials that have not been used in 90 days should be disabled
- Lambda functions should restrict public access
- Neptune DB cluster snapshots should not be public
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 access points should have block public access settings enabled
- Ensure MFA Delete is enabled on S3 buckets
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- Secrets Manager secrets that have not been used in 90 days should be removed
- SSM documents should not be public
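The controls above run as SQL against the Steampipe AWS plugin tables. The query below is an added example, not one of the mod's own control queries: it performs the kind of ad hoc access review this benchmark supports, listing IAM users whose console password or an active access key has gone unused for 90 days (or has never been used since it was set or rotated), together with the group memberships and directly attached policies that stale identity still carries. It assumes the column names and JSON shapes of the aws_iam_credential_report and aws_iam_user tables (user_arn, password_enabled, password_last_used, password_last_changed, access_key_N_active, access_key_N_last_used_date, access_key_N_last_rotated, mfa_active; and groups / attached_policy_arns as jsonb on aws_iam_user).

```sql
-- Added example (not part of steampipe-mod-aws-compliance): ad hoc review of IAM
-- users with stale credentials and the access they retain. Column names are
-- assumed from Steampipe's aws_iam_credential_report and aws_iam_user tables.
-- Run with:  steampipe query access_review.sql
with stale as (
  select
    user_arn,
    user_name,
    account_id,
    -- console password enabled but unused for 90+ days
    -- (if it has never been used, measure from the time it was last changed)
    password_enabled
      and coalesce(password_last_used, password_last_changed) < now() - interval '90 days'
      as stale_password,
    -- either access key active but unused for 90+ days
    -- (if never used, measure from the time it was last rotated/created)
    (access_key_1_active
      and coalesce(access_key_1_last_used_date, access_key_1_last_rotated) < now() - interval '90 days')
    or (access_key_2_active
      and coalesce(access_key_2_last_used_date, access_key_2_last_rotated) < now() - interval '90 days')
      as stale_access_key,
    mfa_active
  from
    aws_iam_credential_report
  where
    -- the root account row is not an IAM user and is reviewed separately
    user_name <> '<root_account>'
)
select
  s.account_id,
  s.user_name,
  s.stale_password,
  s.stale_access_key,
  s.mfa_active,
  -- what the stale identity can still do: group memberships and attached policies
  (select string_agg(g ->> 'GroupName', ', ')
     from jsonb_array_elements(u.groups) as g) as groups,
  (select string_agg(p, ', ')
     from jsonb_array_elements_text(u.attached_policy_arns) as p) as attached_policies
from
  stale s
  join aws_iam_user u on u.arn = s.user_arn
where
  s.stale_password or s.stale_access_key
order by
  s.account_id,
  s.user_name;
```

The credential report can lag the live state by up to four hours, so confirm a user's last activity against aws_iam_user (or CloudTrail) before disabling a credential, and record the reviewer and date so the six-month review cycle this requirement calls for is evidenced.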