IAM Security

AWS security controls to help protect AWS IAM. Controls include IAM policies, Config rules, and CloudWatch events and alarms.

A policy that allows IAM users to self-manage an MFA device. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only.

A policy that allows IAM users to rotate their own access keys, signing certificates, service specific credentials, and passwords. This policy also provides the permissions necessary to complete this action progr...

A policy that allows using the policy simulator API for policies attached to a user, group, or role in the current AWS account. This policy also allows access to simulate less sensitive policies passed to the API...

A policy that allows using the policy simulator console for policies attached to a user, group, or role in the current AWS account.

Alarm if there are AWS Management Console authentication failures.

Alarm if a root user uses the account

A CloudWatch Alarm that triggers if there is API activity in the account without MFA (Multi-Factor Authentication).

Alarm if there is a Management Console sign-in without MFA.

A CloudWatch Alarm that triggers when changes are made to IAM policies.

Detect IAM policy changes and publishes change events to an SNS topic for notification.

Checks whether the account password policy for IAM users meets the specified requirements.

Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.

Checks whether IAM groups have at least one IAM user.

Checks whether IAM users are members of at least one IAM group.

Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.

A config rule that checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.

Checks that all users have logged in at least once.

Ensure IAM policies are attached only to groups or roles.

A config rule that checks that the AWS Identity and Access Management (IAM) role is attached to all AWS managed policies specified in the list of managed policies. The rule is NON_COMPLIANT if the IAM role is not...

A config rule that checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are pe...

A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAcc...

A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '*' over 'Resourc...

A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist.

A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. Re-evaluating t...

A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.