Benchmark: 7.2.5: All application and system accounts and related access privileges are assigned and managed
Description
It is important to establish the appropriate access level for application or system accounts. If such accounts are compromised, malicious users will receive the same access level as that granted to the application or system.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 7.2.5: All application and system accounts and related access privileges are assigned and managed.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_7_2_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_7_2_5 --share
Benchmarks
Controls
- AWS account should be part of AWS Organizations
- Backup recovery points manual deletion should be disabled
- EC2 instances should have IAM profile attached
- ECS containers should be limited to read-only access to root filesystems
- Ensure IAM policy should not grant full access to service
- IAM groups, users, and roles should not have any inline policies
- IAM AWS managed policies should be attached to IAM role
- Ensure managed IAM policies should not allow blocked actions on KMS keys
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
- IAM policy should not have statements with admin access
- IAM policy should be in use
- IAM root user should not have access keys
- IAM user MFA should be enabled
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- Neptune DB clusters should have IAM database authentication enabled
- OpenSearch domains should have fine-grained access control enabled
- IAM authentication should be configured for RDS clusters
- RDS DB instances should have iam authentication enabled
- S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
- S3 bucket policy should prohibit public access
- AWS S3 permissions granted to other AWS accounts in bucket policies should be restricted