Benchmark: 7.2.2: Access is assigned to users, including privileged users
Description
Assigning least privileges helps prevent users without sufficient knowledge about the application from incorrectly or accidentally changing application configuration or altering its security settings. Enforcing least privilege also helps to minimize the scope of damage if an unauthorized person gains access to a user ID.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 7.2.2: Access is assigned to users, including privileged users.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_7_2_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_7_2_2 --share
Controls
- AWS account should be part of AWS Organizations
- Backup recovery points manual deletion should be disabled
- CodeBuild project environments should not have privileged mode enabled
- EC2 instances should have IAM profile attached
- ECS containers should run as non-privileged
- ECS containers should be limited to read-only access to root filesystems
- ECS task definitions should not use root user.
- Ensure IAM policy should not grant full access to service
- IAM groups, users, and roles should not have any inline policies
- IAM AWS managed policies should be attached to IAM role
- Ensure managed IAM policies should not allow blocked actions on KMS keys
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
- IAM policy should not have statements with admin access
- IAM policy should be in use
- IAM root user should not have access keys
- IAM users should be in at least one group
- IAM user MFA should be enabled
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- Neptune DB clusters should have IAM database authentication enabled
- OpenSearch domains should have fine-grained access control enabled
- IAM authentication should be configured for RDS clusters
- RDS DB instances should have iam authentication enabled
- S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
- S3 bucket policy should prohibit public access
- AWS S3 permissions granted to other AWS accounts in bucket policies should be restricted
- SageMaker notebook instances root access should be disabled