Benchmark: 8.3.11: Where authentication factors such as physical or logical security tokens, smart cards, or certificates
Description
If multiple users can use authentication factors such as tokens, smart cards, and certificates, it may be impossible to identify the individual using the authentication mechanism.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 8.3.11: Where authentication factors such as physical or logical security tokens, smart cards, or certificates.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_8_3_11
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_8_3_11 --share
Controls
- EC2 instances should not use key pairs in running state
- IAM groups should have at least one user
- IAM policy should be in use
- IAM root user should not have access keys
- IAM users should be in at least one group
- Ensure a log metric filter and alarm exist for usage of 'root' account