A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and region. This conformance pack covers AWS Identity and Access Management (IAM) best practices and is based on the AWS template shown below. The conformance pack includes the following rules:
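# CloudFormation template that deploys one AWS Config conformance pack of IAM
# best-practice rules. The outer document creates the ConformancePack resource;
# the inner TemplateBody is a literal block scalar that AWS Config parses as its
# own YAML template, so it has to stay valid YAML on its own (indentation inside
# the block is part of the string).
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS Config conformance pack: IAM best-practice rules (credential rotation, MFA, password policy, least privilege).'
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackName: conformance-pack-iam-best-practices
      # NOTE(review): IAM is a global service; deploying this pack in more than
      # one region evaluates the same IAM resources in each region and produces
      # duplicate findings -- confirm the intended home region before rolling out.
      TemplateBody: |
        Resources:
          # Periodic, account-level rule: an empty Scope plus
          # MaximumExecutionFrequency means it runs on a schedule rather than on
          # resource changes. Flags active access keys older than maxAccessKeyAge days.
          ConfigRule1:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: access-keys-rotated
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxAccessKeyAge: '90'  # days; parameters are passed to Config as strings
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
              MaximumExecutionFrequency: TwentyFour_Hours
          # Change-triggered rule on IAM groups: groups with no members are non-compliant.
          ConfigRule2:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-group-has-users-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
          # Periodic rule: the account password policy must meet every threshold below.
          ConfigRule3:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-password-policy
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                RequireUppercaseCharacters: 'true'
                RequireLowercaseCharacters: 'true'
                RequireSymbols: 'true'
                RequireNumbers: 'true'
                MinimumPasswordLength: '14'
                PasswordReusePrevention: '24'  # number of previous passwords remembered
                MaxPasswordAge: '90'           # days
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
              MaximumExecutionFrequency: TwentyFour_Hours
          # Change-triggered rule on customer managed policies: any statement that
          # allows "*" actions on "*" resources (full admin) is non-compliant.
          ConfigRule4:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-policy-no-statements-with-admin-access
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Policy'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
          # Periodic rule: the root user must have no access keys.
          ConfigRule5:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-root-access-key-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          # Change-triggered rule on IAM users: each user must belong to at least one group.
          ConfigRule6:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-group-membership-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
          # Periodic rule: every IAM user must have an MFA device enabled
          # (ConfigRule10 covers the narrower console-password case).
          ConfigRule7:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # Change-triggered rule on IAM users: no inline or directly attached
          # policies; permissions should come through group membership (see ConfigRule6).
          ConfigRule8:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-no-policies-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
          # Periodic rule: passwords and access keys not used within
          # maxCredentialUsageAge days are flagged as dormant credentials.
          ConfigRule9:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-unused-credentials-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxCredentialUsageAge: '90'  # days
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          # Periodic rule: users with a console password must have MFA enabled.
          ConfigRule10:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: mfa-enabled-for-iam-console-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          # Periodic rule: the root user must use a hardware MFA device
          # (stricter than ConfigRule12, which accepts any MFA device).
          ConfigRule11:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-hardware-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          # Periodic rule: the root user must have some MFA device enabled.
          ConfigRule12:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
# Outer-template sections kept explicitly empty ({} rather than a bare key,
# which would parse as null).
Parameters: {}
Metadata: {}
Conditions: {}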