A conformance pack is a collection of AWS Config rules that can be deployed as a single entity in an AWS account and a region. This conformance pack covers AWS Identity and Access Management (IAM) and is based on this AWS template. The conformance pack includes the following rules:


# CloudFormation template that deploys one AWS Config conformance pack
# (AWS::Config::ConformancePack) bundling twelve AWS-managed Config rules
# (Source.Owner: AWS) for IAM hygiene: credential rotation and ageing,
# password policy, MFA on IAM users and the root account, and checks on
# policy/group structure.
#
# Reading notes for reviewers:
# - TemplateBody is a literal block scalar (`|`), so everything indented
#   under it is handed verbatim to AWS Config as the nested template; the
#   per-rule notes are therefore kept out here rather than inside the scalar.
# - InputParameters values are quoted strings ('90', '14', 'true', ...).
#   Keep them quoted when editing so YAML does not retype them as integers
#   or booleans.
# - Eight rules carry `MaximumExecutionFrequency: TwentyFour_Hours` with an
#   empty ComplianceResourceTypes scope; the other four are scoped to a
#   single IAM resource type and set no frequency. The former look like
#   periodic evaluations and the latter change-triggered — confirm against
#   the managed-rule documentation before changing either field.
# - No remediation configuration is defined in this template, so these
#   rules only report non-compliance; acting on findings is left to the
#   operator.
# - Parameters is empty, so thresholds such as the 90-day ages and the
#   password-policy values are fixed inside TemplateBody.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''  # empty; a short description helps when listing stacks
Resources:
  ConformancePack:
    Type: 'AWS::Config::ConformancePack'
    Properties:
      ConformancePackName: conformance-pack-iam-best-practices
      # Rules embedded in TemplateBody, in order:
      #  1 access-keys-rotated (ACCESS_KEYS_ROTATED): maxAccessKeyAge 90
      #  2 iam-group-has-users-check: scoped to AWS::IAM::Group
      #  3 iam-password-policy: uppercase/lowercase/symbols/numbers required,
      #    MinimumPasswordLength 14, PasswordReusePrevention 24, MaxPasswordAge 90
      #  4 iam-policy-no-statements-with-admin-access: scoped to AWS::IAM::Policy
      #  5 iam-root-access-key-check
      #  6 iam-user-group-membership-check: scoped to AWS::IAM::User
      #  7 iam-user-mfa-enabled
      #  8 iam-user-no-policies-check: scoped to AWS::IAM::User
      #  9 iam-user-unused-credentials-check: maxCredentialUsageAge 90
      # 10 mfa-enabled-for-iam-console-access
      # 11 root-account-hardware-mfa-enabled
      # 12 root-account-mfa-enabled
      TemplateBody: |
        Resources:
          ConfigRule1:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: access-keys-rotated
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxAccessKeyAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: ACCESS_KEYS_ROTATED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule2:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-group-has-users-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Group'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK
          ConfigRule3:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-password-policy
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                RequireUppercaseCharacters: 'true'
                RequireLowercaseCharacters: 'true'
                RequireSymbols: 'true'
                RequireNumbers: 'true'
                MinimumPasswordLength: '14'
                PasswordReusePrevention: '24'
                MaxPasswordAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_PASSWORD_POLICY
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule4:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-policy-no-statements-with-admin-access
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::Policy'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
          ConfigRule5:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-root-access-key-check
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule6:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-group-membership-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK
          ConfigRule7:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule8:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-no-policies-check
              Scope:
                ComplianceResourceTypes:
                  - 'AWS::IAM::User'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_NO_POLICIES_CHECK
          ConfigRule9:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: iam-user-unused-credentials-check
              Scope:
                ComplianceResourceTypes: []
              InputParameters:
                maxCredentialUsageAge: '90'
              Source:
                Owner: AWS
                SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule10:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: mfa-enabled-for-iam-console-access
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule11:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-hardware-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
          ConfigRule12:
            Type: 'AWS::Config::ConfigRule'
            Properties:
              ConfigRuleName: root-account-mfa-enabled
              Scope:
                ComplianceResourceTypes: []
              Source:
                Owner: AWS
                SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
              MaximumExecutionFrequency: TwentyFour_Hours
# Standard CloudFormation sections, left empty: nothing is parameterised,
# no template metadata, and no conditional resources.
Parameters: {}
Metadata: {}
Conditions: {}
