AWS IAM
About
Monitoring your AWS IAM configuration and policies is a vital aspect of a secure setup. This recipe monitors several rules and best practices recommended by AWS and industry leaders.
Security
Access Keys For Root Account
The root account has full permissions across the entire AWS account. It should not have access keys, and it should not be used to access any service in day-to-day work. Instead, create IAM users with predefined roles.
Root Account Access Keys Rotation
The root account should not have access keys. If it does, the keys should be rotated periodically.
Root account certificates
Certificates should not be tied to the root account.
Root account certificate rotation
Certificates tied to the root account need rotation.
Root account MFA
Multi-factor authentication is strongly recommended to be enabled for every account, with no exceptions.
Root account password rotation
Ensure that your root account password is rotated every few days.
Minimum admins
Your AWS account should have a minimum number of admins.
Too many admins
Your AWS account has too many admins.
MFA on user accounts
MFA must be enabled on user accounts. AWS recommends that you configure multi-factor authentication (MFA) to help protect your AWS resources.
Access key rotation
Access keys should be rotated periodically.
Certificate rotation
The certificates should be rotated periodically.
Access keys inactivity
Inactive access keys should be removed.
User console access inactive
Users who rarely use the console, or do not need console access at all, should have their console access removed.
User account service inactivity
Checks for inactivity of any user on a service. Those privileges should be removed for a better security posture.
User Inline Policies
IAM users should not have Inline policies. It is recommended that IAM policies be applied directly to groups and roles but not users.
User account with multiple access keys
Multiple access keys for the same user should be avoided. There should be just one access key per user account.
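The root-key, MFA, key-rotation, key-inactivity, console-inactivity and multiple-key checks above can all be evaluated from one data source, the IAM credential report (`aws iam get-credential-report`, base64-decoded into CSV). The following is an added example, not Cloudanix's or AWS's code: the column layout is the real credential report layout, but the three rows, the fixed clock and the 90-day thresholds are constructed assumptions for the demonstration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample rows in the column layout of the IAM credential report
# (the real report is one line per IAM principal; "<root_account>" is the root user).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2022-01-01T00:00:00+00:00,2024-04-30T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-03-01T00:00:00+00:00,2024-06-01T00:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-03-01T00:00:00+00:00,true,2023-09-01T08:00:00+00:00,2023-01-01T00:00:00+00:00,2023-04-01T00:00:00+00:00,false,true,2023-01-01T00:00:00+00:00,2023-10-01T00:00:00+00:00,us-east-1,iam,true,2023-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" (assumption) so the findings below are reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _age_days(ts, now):
    """Days since an ISO-8601 timestamp; None for N/A / no_information / not_supported."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return (now - datetime.fromisoformat(ts)).days

def audit_credential_report(report_csv, now=NOW, max_key_age_days=90, max_inactive_days=90):
    """Map each principal to a list of finding codes derived from the credential report."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        out = findings.setdefault(user, [])
        is_root = user == "<root_account>"
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        active_certs = [n for n in ("1", "2") if row[f"cert_{n}_active"] == "true"]

        # Root should hold neither access keys nor signing certificates.
        if is_root and active_keys:
            out.append("ROOT_ACCESS_KEY")
        if is_root and active_certs:
            out.append("ROOT_CERTIFICATE")
        # MFA is expected on root and on every user that can sign in to the console.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            out.append("NO_MFA")
        if len(active_keys) > 1:
            out.append("MULTIPLE_ACCESS_KEYS")
        for n in active_keys:
            rotated = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if rotated is not None and rotated > max_key_age_days:
                out.append(f"KEY_ROTATION_OVERDUE:{n}")
            used = _age_days(row[f"access_key_{n}_last_used_date"], now)
            # A key that has never been used counts as inactive once it is older than the window.
            never_used_and_old = used is None and rotated is not None and rotated > max_inactive_days
            if never_used_and_old or (used is not None and used > max_inactive_days):
                out.append(f"KEY_INACTIVE:{n}")
        for n in active_certs:
            rotated = _age_days(row[f"cert_{n}_last_rotated"], now)
            if rotated is not None and rotated > max_key_age_days:
                out.append(f"CERT_ROTATION_OVERDUE:{n}")
        # Console inactivity only applies to users with a console password.
        if row["password_enabled"] == "true":
            used = _age_days(row["password_last_used"], now)
            if used is None or used > max_inactive_days:
                out.append("CONSOLE_INACTIVE")
    return findings

if __name__ == "__main__":
    for principal, codes in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{principal}: {codes or 'no findings'}")
```

Root password rotation is not visible in this report (`password_last_changed` is `not_supported` for root), so that check needs a separate source. On a live account, replace `SAMPLE_REPORT` with the decoded `Content` field of `get-credential-report` and `NOW` with `datetime.now(timezone.utc)`.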
Inactive Role
Inactive roles should be cleaned up.
Role Service Inactivity
Roles which have access to services but have not used them in the past several days should be reviewed and cleaned up.
Role Inline policies
Roles should not have inline policies attached to them.
Groups without users
Empty groups should be cleaned up and should not linger around.
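The admin-count, user and role inline-policy, and empty-group checks above can all be derived from a single `aws iam get-account-authorization-details` snapshot. The following is an added example, not Cloudanix's or AWS's code: the top-level keys (`UserDetailList`, `GroupDetailList`, `RoleDetailList`, `UserPolicyList`, `GroupPolicyList`, `RolePolicyList`, `AttachedManagedPolicies`) are the real response fields, but the users, groups, roles and the `max_admins` threshold are constructed assumptions for the demonstration.

```python
# Managed policy that grants full administrative access; an inline "*"/"*" Allow is equivalent.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample shaped like get-account-authorization-details output.
SAMPLE_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["admins"], "UserPolicyList": [], "AttachedManagedPolicies": []},
        {"UserName": "bob", "GroupList": ["admins"], "UserPolicyList": [], "AttachedManagedPolicies": []},
        {"UserName": "carol", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "carol-inline", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
        {"UserName": "dave", "GroupList": ["developers"], "UserPolicyList": [], "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": [
        {"GroupName": "admins", "GroupPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}]},
        {"GroupName": "developers", "GroupPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
        {"GroupName": "legacy", "GroupPolicyList": [], "AttachedManagedPolicies": []},
    ],
    "RoleDetailList": [
        {"RoleName": "deploy", "AttachedManagedPolicies": [],
         "RolePolicyList": [{"PolicyName": "deploy-inline", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::example-bucket/*"]}]}}]},
        {"RoleName": "audit", "RolePolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "SecurityAudit",
                                      "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}]},
    ],
}

def _is_wildcard_admin(document):
    """True if any Allow statement grants Action "*" on Resource "*"."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False

def _grants_admin(entity, inline_key):
    """Admin via the AdministratorAccess managed policy or an equivalent inline policy."""
    if any(p["PolicyArn"] == ADMIN_POLICY_ARN for p in entity.get("AttachedManagedPolicies", [])):
        return True
    return any(_is_wildcard_admin(p["PolicyDocument"]) for p in entity.get(inline_key, []))

def audit_authorization_details(details, max_admins=2):
    """Return (admin user names, list of (kind, name, code) findings)."""
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    admins, findings, populated_groups = [], [], set()
    for user in details.get("UserDetailList", []):
        populated_groups.update(user.get("GroupList", []))
        if user.get("UserPolicyList"):
            findings.append(("user", user["UserName"], "INLINE_POLICY"))
        via_group = any(_grants_admin(groups[g], "GroupPolicyList")
                        for g in user.get("GroupList", []) if g in groups)
        if via_group or _grants_admin(user, "UserPolicyList"):
            admins.append(user["UserName"])
    for role in details.get("RoleDetailList", []):
        if role.get("RolePolicyList"):
            findings.append(("role", role["RoleName"], "INLINE_POLICY"))
    for name in groups:
        if name not in populated_groups:
            findings.append(("group", name, "EMPTY_GROUP"))
    if len(admins) > max_admins:
        findings.append(("account", ",".join(admins), "TOO_MANY_ADMINS"))
    return admins, findings

if __name__ == "__main__":
    admins, findings = audit_authorization_details(SAMPLE_DETAILS)
    print("admins:", admins)
    for finding in findings:
        print(finding)
```

The admin test here deliberately counts both the managed `AdministratorAccess` policy and an inline `"*"`/`"*"` Allow, since the second is the usual way an administrator slips past a check that only looks at policy ARNs; policies granted through a role's trust relationship are out of scope for this snapshot and need a separate check.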
ELB Certificate Rotation
Ensures that you rotate your certificate before the configured number of days elapses.
Complex Password Policy
The password policy should be complex enough that users set passwords which are not easy to guess or crack.
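What "complex enough" means in practice is a set of concrete settings on the account password policy. The following is an added example, not Cloudanix's or AWS's code: the policy keys are the real fields returned by `aws iam get-account-password-policy`, while the thresholds (14 characters, 90-day maximum age, 24-password reuse prevention, all four character classes) are the assumptions taken from the CIS AWS Foundations Benchmark cited in the sources and can be changed through the function parameters.

```python
# Constructed sample: a weak policy as it might be returned by get-account-password-policy.
WEAK_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 5,
}}

# Constructed sample: the same policy after hardening to the benchmark values.
HARDENED_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}}

CHARACTER_CLASSES = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                     "RequireNumbers", "RequireSymbols")

def evaluate_password_policy(policy, min_length=14, max_age_days=90, reuse_prevention=24):
    """Return a list of gaps between the account policy and the required settings.

    An empty dict stands for "no policy set" (the API raises NoSuchEntity in that case),
    which is treated as failing every requirement.
    """
    p = policy.get("PasswordPolicy", policy)
    gaps = []
    for key in CHARACTER_CLASSES:
        if not p.get(key, False):
            gaps.append(f"{key} is not enforced")
    if p.get("MinimumPasswordLength", 0) < min_length:
        gaps.append(f"MinimumPasswordLength {p.get('MinimumPasswordLength', 0)} is below {min_length}")
    # Expiry only counts if it is switched on and the age bound is within the limit.
    if not p.get("ExpirePasswords", False) or p.get("MaxPasswordAge", 0) > max_age_days:
        gaps.append(f"passwords do not expire within {max_age_days} days")
    if p.get("PasswordReusePrevention", 0) < reuse_prevention:
        gaps.append(f"PasswordReusePrevention {p.get('PasswordReusePrevention', 0)} is below {reuse_prevention}")
    return gaps

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, evaluate_password_policy(policy) or "meets requirements")
```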
Sources
https://www.cloudanix.com/recipelist/aws/iamcompliance
http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
https://docs.aws.amazon.com/cli/latest/reference/iam/update-access-key.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf