
IAM Security Controls

A collection of AWS security controls for IAM. Controls include IAM policies, Service Control Policies, CloudWatch Events rules and alarms for monitoring, and Config rules for configuration compliance. Configuration templates are available in AWS CloudFormation, Terraform and the AWS CLI.

IAM

Configure IAM Access Analyzer to discover which resources in an AWS account are shared with principals outside the account. An analyzer generates findings only for supported resources in the Region where it is enabled, so one analyzer is needed per Region; the exception is IAM resources, which are global and generate findings in every Region that has an analyzer.

Templates: CloudFormation, Terraform, AWS CLI

Configuration to set the account-wide IAM password policy (length, complexity, reuse and expiry rules) for IAM users.

Templates: CloudFormation, Terraform, AWS CLI
Monitoring & Compliance Packages

A configuration package to monitor IAM-related API activity, together with configuration compliance rules for the security of the IAM configuration. The package includes Config Rules, CloudWatch Alarms and CloudWatch Event Rules, and uses SNS to deliver email notifications. It also includes configuration to enable the required logging services: AWS CloudTrail, AWS Config and CloudWatch Logs log groups.

Templates: CloudFormation, Terraform

A configuration package to monitor root account activity, together with configuration compliance rules for the root account's security configuration. The package includes Config Rules for compliance and CloudWatch Alarms to track activity, and uses SNS to deliver email notifications. It also includes configuration to enable the required logging services: AWS CloudTrail, AWS Config and CloudWatch Logs log groups.

Templates: CloudFormation, Terraform
CloudWatch Alarms

Alarm if there are AWS Management Console authentication failures. Like the other alarms in this section, it relies on a CloudWatch Logs metric filter applied to a log group that receives CloudTrail events, so a trail delivering to CloudWatch Logs is a prerequisite.

Templates: CloudFormation, Terraform, AWS CLI

Alarm if the root user is used in the account, whether by console sign-in or API call.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Alarm that triggers if there is API activity in the account without MFA (Multi-Factor Authentication).

Templates: CloudFormation, Terraform, AWS CLI

Alarm if there is a Management Console sign-in without MFA.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies to or from IAM users, roles or groups.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Alarm that triggers when changes are made to IAM users. Events include IAM user creation/deletion/update operations, updates to IAM user passwords or access keys, and attaching/detaching policies to or from IAM users or groups.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Alarm that triggers when changes are made to IAM MFA devices (virtual or hardware). Events include enabling/disabling/updating virtual and hardware MFA devices in an AWS account.

Templates: CloudFormation, Terraform, AWS CLI
CloudWatch Events

A CloudWatch Event Rule that detects IAM policy changes and publishes the change events to an SNS topic for notification. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies to or from IAM users, roles or groups.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Event Rule that detects changes to IAM users and groups and publishes the change events to an SNS topic for notification. Events include IAM user creation/deletion/update operations, updates to IAM user passwords or access keys, and attaching/detaching policies to or from IAM users or groups.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Event Rule that detects changes to IAM MFA devices (virtual and hardware) and publishes the change events to an SNS topic for notification. Events include enabling/disabling/updating virtual and hardware MFA devices in an AWS account.

Templates: CloudFormation, Terraform, AWS CLI

A CloudWatch Event Rule that triggers on IAM Access Analyzer findings. The rule can be used to send notifications or to drive remediation actions with AWS Lambda.

Templates: CloudFormation, Terraform, AWS CLI
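
The alarms and event rules above all reduce to predicates over CloudTrail records: the alarms via CloudWatch Logs metric-filter patterns, the event rules via event-name lists. The following is an added example, not one of the page's templates, that re-implements those predicates in plain Python so they can be run over sample records offline. The filter patterns quoted in the comments are CIS-benchmark style patterns; the "API activity without MFA" predicate and the three event-name lists are assumptions modelled on the descriptions above, and the CloudTrail records are constructed and trimmed to the fields the detectors read.

```python
"""Detection logic behind the IAM CloudWatch alarms and event rules, as plain
Python predicates over CloudTrail records (constructed example, not the page's
own templates)."""

# Event-name lists the IAM change alarms / event rules key on (assumed lists,
# modelled on the CIS "IAM policy changes" filter and the operations named above).
IAM_POLICY_CHANGE = {
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
}
IAM_USER_CHANGE = {
    "CreateUser", "DeleteUser", "UpdateUser",
    "CreateLoginProfile", "UpdateLoginProfile", "DeleteLoginProfile",
    "CreateAccessKey", "UpdateAccessKey", "DeleteAccessKey",
    "AddUserToGroup", "RemoveUserFromGroup",
    "AttachUserPolicy", "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
}
MFA_DEVICE_CHANGE = {
    "CreateVirtualMFADevice", "DeleteVirtualMFADevice",
    "EnableMFADevice", "DeactivateMFADevice", "ResyncMFADevice",
}


def console_auth_failure(e):
    # { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    return e.get("eventName") == "ConsoleLogin" and e.get("errorMessage") == "Failed authentication"


def root_usage(e):
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #   && $.eventType != "AwsServiceEvent" }
    # The last two clauses drop actions AWS services perform on the account's behalf.
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


def console_signin_without_mfa(e):
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")
    #   && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }
    # Requiring IAMUser + Success avoids alarming on federated sign-ins and failed attempts.
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"
            and e.get("userIdentity", {}).get("type") == "IAMUser"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success")


def api_without_mfa(e):
    # Assumed pattern: an AwsApiCall whose session was not MFA-authenticated. Calls signed
    # with long-term access keys carry no sessionContext at all, so they are flagged too.
    attrs = e.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return e.get("eventType") == "AwsApiCall" and attrs.get("mfaAuthenticated") != "true"


def _iam_event_in(names):
    return lambda e: e.get("eventSource") == "iam.amazonaws.com" and e.get("eventName") in names


DETECTORS = {
    "ConsoleAuthFailure": console_auth_failure,
    "RootUsage": root_usage,
    "ConsoleSigninWithoutMfa": console_signin_without_mfa,
    "ApiWithoutMfa": api_without_mfa,
    "IamPolicyChange": _iam_event_in(IAM_POLICY_CHANGE),
    "IamUserChange": _iam_event_in(IAM_USER_CHANGE),
    "MfaDeviceChange": _iam_event_in(MFA_DEVICE_CHANGE),
}


def classify(records):
    """Return {detector name: [eventID, ...]} for every record each detector matches."""
    hits = {name: [] for name in DETECTORS}
    for rec in records:
        for name, pred in DETECTORS.items():
            if pred(rec):
                hits[name].append(rec["eventID"])
    return hits


# Constructed CloudTrail records, trimmed to the fields the detectors read.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication", "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e4", "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e5", "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "EnableMFADevice", "userIdentity": {"type": "AssumedRole",
     "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventID": "e6", "eventType": "AwsServiceEvent", "eventSource": "kms.amazonaws.com",
     "eventName": "RotateKey", "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
]

if __name__ == "__main__":
    for name, ids in classify(SAMPLE_RECORDS).items():
        print(f"{name:24s} {ids}")
```

Record e6 is the case the `invokedBy` and `eventType` clauses exist for: a service acting in the account's name shows `type: Root` but must not page anyone. Record e4 shows why a single long-term-key API call can legitimately fire three controls at once (no MFA, policy change, user change).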
Config Rule

Checks whether the account password policy for IAM users meets the specified requirements.

Templates: CloudFormation, Terraform, AWS CLI

Checks whether the root user of your AWS account is required to use a multi-factor authentication (MFA) device to sign in.

Templates: CloudFormation, Terraform, AWS CLI

Checks whether IAM groups have at least one IAM user.

Templates: CloudFormation, Terraform, AWS CLI

Checks whether IAM users are members of at least one IAM group.

Templates: CloudFormation, Terraform, AWS CLI

Checks that none of your IAM users have policies attached directly. IAM users must inherit permissions from IAM groups or roles.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether IAM users have multi-factor authentication (MFA) enabled.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks that the specified IAM role has every AWS managed policy in a given list attached. The rule is NON_COMPLIANT if any listed managed policy is not attached to the role.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether your AWS account requires a hardware multi-factor authentication (MFA) device to sign in with root credentials. The rule is NON_COMPLIANT if a virtual MFA device is permitted for signing in with root credentials.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if an access key has not been rotated for more than maxAccessKeyAge days.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether the default version of IAM policies grants administrator access. If any statement has "Effect": "Allow" with "Action": "*" over "Resource": "*", the rule is NON_COMPLIANT. Only the default policy version is evaluated.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether an access key exists for the root user. The rule is COMPLIANT if no root access key exists.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether your IAM users have passwords or active access keys that have not been used within the number of days you specify. Re-evaluating this rule within 4 hours of the first evaluation has no effect on the results.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all IAM users that have a console password. The rule is COMPLIANT if MFA is enabled for each such user.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks that none of your IAM users, groups, or roles (excluding those in exceptionList) have the specified policies attached.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks that inline policies are not in use. The rule is NON_COMPLIANT if any IAM user, IAM role or IAM group has an inline policy.

Templates: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether the specified IAM policy ARN is attached to an IAM user, to an IAM group with one or more IAM users, or to an IAM role with one or more trusted entities.

Templates: CloudFormation, Terraform, AWS CLI
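
The managed Config rules above are black boxes; it helps to see what three of them actually test. The following is an added example, not the page's own templates or AWS's rule code: it re-implements the admin-access policy check, the access-key rotation check and the inline-policy check over a constructed IAM snapshot. The snapshot shape (and the placeholder key IDs and principal names) is an assumption, chosen to resemble what the IAM API returns.

```python
"""Offline re-implementation of the logic behind three managed Config rules
(constructed example, not the page's templates or AWS's rule code)."""
from datetime import datetime, timedelta, timezone


def _as_list(v):
    # IAM policy grammar allows a string or a list in Statement, Action and Resource.
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def has_admin_statement(policy_doc):
    """iam-policy-no-statements-with-admin-access: NON_COMPLIANT when any statement
    has Effect Allow with Action "*" on Resource "*". The rule only looks at the
    default policy version, so callers must pass that version's document."""
    for st in _as_list(policy_doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue  # a Deny with "*"/"*" (e.g. a TLS-only guard) is not admin access
        if "*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource")):
            return True
    return False


def stale_access_keys(access_keys, max_access_key_age, now):
    """access-keys-rotated: active keys older than maxAccessKeyAge days.
    Inactive keys cannot be used and are not evaluated by the rule."""
    limit = timedelta(days=max_access_key_age)
    return [k["AccessKeyId"] for k in access_keys
            if k["Status"] == "Active" and now - k["CreateDate"] > limit]


def principals_with_inline_policies(principals):
    """iam-no-inline-policy-check: NON_COMPLIANT for any user/group/role with an inline policy."""
    return [p["Name"] for p in principals if p.get("InlinePolicyNames")]


def evaluate(snapshot, now, max_access_key_age=90):
    """Return (verdict, offending items) per rule, the way a Config evaluation would."""
    admin = [p["PolicyName"] for p in snapshot["ManagedPolicies"]
             if has_admin_statement(p["DefaultVersionDocument"])]
    stale = stale_access_keys(snapshot["AccessKeys"], max_access_key_age, now)
    inline = principals_with_inline_policies(snapshot["Principals"])
    verdict = lambda bad: "NON_COMPLIANT" if bad else "COMPLIANT"
    return {
        "iam-policy-no-statements-with-admin-access": (verdict(admin), admin),
        "access-keys-rotated": (verdict(stale), stale),
        "iam-no-inline-policy-check": (verdict(inline), inline),
    }


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Constructed snapshot: two customer-managed policies, three access keys, three principals.
SNAPSHOT = {
    "ManagedPolicies": [
        {"PolicyName": "BreakGlassAdmin", "DefaultVersionDocument": {
            "Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
        {"PolicyName": "S3ReadOnly", "DefaultVersionDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
                          {"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}},
    ],
    "AccessKeys": [
        {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active", "CreateDate": NOW - timedelta(days=120)},
        {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active", "CreateDate": NOW - timedelta(days=30)},
        {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
    ],
    "Principals": [
        {"Name": "alice", "InlinePolicyNames": []},
        {"Name": "deploy-role", "InlinePolicyNames": ["legacy-s3-access"]},
        {"Name": "Developers", "InlinePolicyNames": []},
    ],
}

if __name__ == "__main__":
    for rule, (verdict, detail) in evaluate(SNAPSHOT, NOW).items():
        print(f"{rule}: {verdict} {detail}")
```

Two details are worth noticing: the `S3ReadOnly` policy contains a `Deny * on *` statement (a common TLS-only guard) and is correctly not flagged as admin access because the check keys on `Effect: Allow`, and the 400-day-old key is ignored because it is inactive, which is also why the page's rule description talks about active keys only.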
IAM Policy

A policy that allows IAM users to self-manage an MFA device. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

Templates: CloudFormation, Terraform, AWS CLI

A policy that allows IAM users to rotate their own access keys, signing certificates, service-specific credentials, and passwords. This policy also provides the permissions necessary to complete this action programmatically and on the console.

Templates: CloudFormation, Terraform, AWS CLI

A policy that allows using the policy simulator API for policies attached to a user, group, or role in the current AWS account. This policy also allows access to simulate less sensitive policies passed to the API as strings. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

Templates: CloudFormation, Terraform, AWS CLI

A policy that allows using the policy simulator console for policies attached to a user, group, or role in the current AWS account.

Templates: CloudFormation, Terraform, AWS CLI
Service Control Policy

This SCP prevents the root user in an AWS account from taking any action, whether through the API/CLI or through the console. SCPs apply to the root user of a member account, which is what makes this control effective.

Templates: CloudFormation, Terraform, AWS CLI

This SCP restricts IAM principals from creating new IAM users or IAM access keys in an AWS account.

Templates: CloudFormation, Terraform, AWS CLI

This SCP restricts IAM principals from creating new IAM users or IAM access keys in an AWS account, with an exception for a specified administrator IAM role.

Templates: CloudFormation, Terraform, AWS CLI

This SCP restricts IAM principals in the affected accounts from making changes to a specified IAM role (for example, a common administrative IAM role created in every account in your organization).

Templates: CloudFormation, Terraform, AWS CLI

This SCP restricts IAM principals in the affected accounts from making changes to a specified IAM role unless the change is made by that role itself (for example, a common administrative IAM role created in every account in your organization).

Templates: CloudFormation, Terraform, AWS CLI

This SCP prevents users or roles in any affected account from deleting IAM Access Analyzer analyzers in the account.

Templates: CloudFormation, Terraform, AWS CLI
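
The self-manage-MFA policy in the IAM Policy section and the deny-root SCP above both depend on evaluation details that are easy to get wrong: `BoolIfExists` on `aws:MultiFactorAuthPresent`, `${aws:username}` in a resource ARN, `NotAction`, explicit-deny-wins, and the fact that an SCP has to permit a call before the identity policy is even consulted. The following is an added example, not the page's templates: a small evaluator that implements just that subset of IAM semantics and runs both policies through a handful of requests. The policy documents are modelled on AWS's documented self-manage-MFA policy and on the default FullAWSAccess SCP, and the account id, user names and the allow-all policy standing in for the root user's implicit access are assumptions.

```python
"""Tiny IAM-style evaluator exercising the self-manage-MFA identity policy and
the deny-root SCP (constructed example, not the page's templates). It covers
only the semantics these policies need: Action/NotAction with wildcards,
${aws:username} substitution, StringLike and BoolIfExists conditions,
explicit-deny-wins, and SCP-before-identity-policy ordering."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed account id


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _match_any(patterns, value):
    # IAM wildcards are * and ?, which fnmatch shares; matching is kept case-sensitive here.
    return any(fnmatchcase(value, p) for p in patterns)


def _conditions_hold(cond, ctx):
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringLike":
                if have is None or not _match_any(_as_list(want), have):
                    return False
            elif op == "BoolIfExists":
                # "IfExists": a missing key satisfies the condition, which is exactly what
                # catches requests that carry no MFA information at all (e.g. access keys).
                if have is not None and str(have).lower() != str(want).lower():
                    return False
            else:
                raise NotImplementedError(op)
    return True


def _statement_applies(st, action, resource, ctx):
    if "Action" in st and not _match_any(_as_list(st["Action"]), action):
        return False
    if "NotAction" in st and _match_any(_as_list(st["NotAction"]), action):
        return False
    resources = [r.replace("${aws:username}", ctx.get("aws:username", ""))
                 for r in _as_list(st.get("Resource"))]
    return _match_any(resources, resource) and _conditions_hold(st.get("Condition"), ctx)


def _decide(policies, action, resource, ctx):
    allowed = False
    for pol in policies:
        for st in _as_list(pol["Statement"]):
            if _statement_applies(st, action, resource, ctx):
                if st["Effect"] == "Deny":
                    return "Deny"  # an explicit deny overrides any allow
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def evaluate(action, resource, ctx, identity_policies, scps):
    """True when the SCPs permit the call and an identity policy then grants it."""
    return (_decide(scps, action, resource, ctx) == "Allow"
            and _decide(identity_policies, action, resource, ctx) == "Allow")


# Actions a user may take before presenting MFA (the bootstrap set); everything else
# is denied while aws:MultiFactorAuthPresent is false or absent.
MFA_BOOTSTRAP = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                 "iam:GetMFADevice", "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                 "iam:ResyncMFADevice", "sts:GetSessionToken"]
SELF_MANAGE_MFA = {"Statement": [
    {"Effect": "Allow", "Action": "iam:ListVirtualMFADevices", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateVirtualMFADevice", "Resource": "arn:aws:iam::*:mfa/*"},
    {"Effect": "Allow", "Action": ["iam:EnableMFADevice", "iam:ResyncMFADevice", "iam:DeactivateMFADevice",
                                   "iam:GetUser", "iam:GetMFADevice", "iam:ListMFADevices"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Effect": "Deny", "NotAction": MFA_BOOTSTRAP, "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}
JOB_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
USER_POLICIES = [SELF_MANAGE_MFA, JOB_POLICY]
ROOT_IMPLICIT = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]  # stands in for root's implicit access

# Organizations' default FullAWSAccess SCP plus the deny-root SCP described above.
SCPS = [
    {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]},
]


def alice(mfa_present=None):
    ctx = {"aws:username": "alice", "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
    if mfa_present is not None:
        ctx["aws:MultiFactorAuthPresent"] = mfa_present
    return ctx


def scenarios():
    own, bob = f"arn:aws:iam::{ACCOUNT}:user/alice", f"arn:aws:iam::{ACCOUNT}:user/bob"
    root = {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:root"}
    return {
        "alice_no_mfa_enable_own_device": evaluate("iam:EnableMFADevice", own, alice(), USER_POLICIES, SCPS),
        "alice_no_mfa_enable_bobs_device": evaluate("iam:EnableMFADevice", bob, alice(), USER_POLICIES, SCPS),
        "alice_no_mfa_deactivate_own_device": evaluate("iam:DeactivateMFADevice", own, alice(), USER_POLICIES, SCPS),
        "alice_no_mfa_list_buckets": evaluate("s3:ListAllMyBuckets", "*", alice(), USER_POLICIES, SCPS),
        "alice_mfa_list_buckets": evaluate("s3:ListAllMyBuckets", "*", alice("true"), USER_POLICIES, SCPS),
        "root_list_buckets": evaluate("s3:ListAllMyBuckets", "*", root, ROOT_IMPLICIT, SCPS),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} {'ALLOW' if ok else 'DENY'}")
```

The scenarios show the intended behaviour: without MFA, alice can enrol a device on her own user but not on bob's, cannot deactivate a device (that action is deliberately absent from the bootstrap set), and cannot use her S3 permissions until she authenticates with MFA; the root user is denied regardless of its implicit full access because the SCP is evaluated first.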