Benchmark: 8.2.4: Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed
Description
It is imperative that the lifecycle of a user ID (additions, deletions, and modifications) is controlled so that only authorized accounts can perform functions, actions are auditable, and privileges are limited to only what is required.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 8.2.4: Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_8_2_4
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_8_2_4 --share
Controls
- EC2 instances should not use key pairs in running state
- IAM groups should have at least one user
- IAM policy should be in use
- IAM root user should not have access keys
- IAM users should be in at least one group
- Ensure a log metric filter and alarm exist for usage of 'root' account