Benchmark: 8.2.2: Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed
Description
Group, shared, or generic (or default) IDs are typically delivered with software or operating systems—for example, root or with privileges associated with a specific function, such as an administrator.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 8.2.2: Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_8_2_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_8_2_2 --share
Controls
- CodeBuild project plaintext environment variables should not contain sensitive AWS values
- EC2 instances should not use key pairs in running state
- ECS task definition containers should not have secrets passed as environment variables
- IAM groups should have at least one user
- IAM policy should be in use
- IAM root user should not have access keys
- IAM users should be in at least one group
- Ensure a log metric filter and alarm exist for usage of 'root' account
- Secrets Manager secrets should have automatic rotation enabled
- Secrets Manager secrets should be rotated within specific number of days
- Secrets Manager secrets should be rotated as per the rotation schedule
- Secrets Manager secrets that have not been used in 90 days should be removed