Benchmark: 7.3.2: The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function
Description
Restricting privileged access with an access control system reduces the opportunity for errors in the assignment of permissions to individuals, applications, and systems.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 7.3.2: The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_7_3_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_7_3_2 --share
Controls
- AWS account should be part of AWS Organizations
- Backup recovery points manual deletion should be disabled
- EC2 instances should have IAM profile attached
- ECS containers should be limited to read-only access to root filesystems
- Ensure IAM policy should not grant full access to service
- IAM groups, users, and roles should not have any inline policies
- IAM AWS managed policies should be attached to IAM role
- Ensure managed IAM policies should not allow blocked actions on KMS keys
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
- IAM policy should not have statements with admin access
- IAM policy should be in use
- IAM root user should not have access keys
- IAM users should be in at least one group
- IAM user MFA should be enabled
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- Neptune DB clusters should have IAM database authentication enabled
- OpenSearch domains should have fine-grained access control enabled
- IAM authentication should be configured for RDS clusters
- RDS DB instances should have iam authentication enabled
- S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
- S3 bucket policy should prohibit public access
- AWS S3 permissions granted to other AWS accounts in bucket policies should be restricted
- Secrets Manager secrets that have not been used in 90 days should be removed