IAM
- Ensure using AWS Account root user is avoided
- Ensure MFA is enabled for all IAM users with a console password
- Ensure credentials unused for 90 days or greater are disabled
- Ensure access keys are rotated every 90 days or less
- Ensure AWS IAM password policy has an uppercase character
- Ensure AWS IAM password policy has a lowercase character
- Ensure AWS IAM password policy has a symbol
- Ensure AWS IAM password policy has a number
- Ensure AWS IAM password policy has a minimum of 14 characters
- Ensure AWS IAM password policy does not allow password reuse
- Ensure AWS IAM password policy expires in 90 days or less
- Ensure no root account access key exists
- Ensure MFA is enabled for root account
- Ensure hardware MFA for root account is enabled
- Ensure security questions are registered in the AWS account
- Ensure IAM policies are only attached to Groups and Roles
- Ensure detailed billing is enabled
- Ensure AWS account contact details are up to date
- Ensure security contact information is registered
- Ensure IAM instance roles are used for AWS resource access from instances
- Ensure an IAM role has been created to manage incidents with AWS Support
- Ensure access keys are not created during initial user setup for IAM users with a console password
- Ensure IAM policies that allow full administrative privileges are not created
- Ensure access keys are rotated every 30 days or less
- Ensure access keys are rotated every 45 days or less
- Ensure active access keys are used every 90 days or less
- Ensure IAM users that are inactive for 30 days or more are deactivated
- Ensure unused IAM Users and Roles are removed
- Ensure user accounts unused for 90 days are removed
- Ensure user accounts with administrative privileges unused for 90 days are removed
- Ensure empty IAM groups are removed
- Ensure unattached policies are removed
- Ensure unused policies are detached from users
- Ensure unused policies are detached from roles
- Ensure unused policies are detached from groups
- Ensure IAM policy documents do not allow * (asterisk) as a statement's action
- Ensure IAM role allows only specific services or principals to be assumed
- Ensure AWS IAM policy does not allow assume role permission across all services
- Ensure SQS policy documents do not allow * (asterisk) as a statement's action
- Ensure AWS IAM policy does not allow full administrative privileges
- Ensure excessive permissions are not granted for IAM users
- Ensure excessive permissions are not granted for IAM roles
- Ensure excessive permissions are not granted for IAM groups
- Ensure excessive permissions are not granted for IAM policy
- Ensure credentials unused for 180 days or greater are disabled
- Ensure IAM policies do not allow credentials exposure for ECR
- Ensure IAM policies do not allow data exfiltration
- Ensure IAM policies do not allow permissions management / resource exposure without constraint
- Ensure IAM policies do not allow write access without constraint
- Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
- Ensure respective logs of Amazon RDS are enabled
- Ensure IAM groups include at least one IAM user
- Ensure all IAM users are members of at least one IAM group
- Ensure KMS key policy does not contain wildcard (*) principal
- Ensure IAM policies do not allow privilege escalation
- Ensure RDS database has IAM authentication enabled
- Ensure RDS cluster has IAM authentication enabled
- Ensure an IAM User does not have access to the console
- Ensure IAM configuration modifications are detected