Control: AWS > CIS v1.4 > 1 - Identity and Access Management

Primary Policies

The following policies can be used to configure this control:

• 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual)
• 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual) > Attestation
• 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual)
• 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual) > Attestation
• 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual)
• 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual) > Attestation
• 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists (Automated)
• 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account (Automated)
• 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account (Automated)
• 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks (Automated)
• 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater (Automated)
• 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse (Automated)
• 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
• 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password (Manual)
• 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled (Automated)
• 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user (Automated)
• 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less (Automated)
• 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups (Automated)
• 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
• 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support (Automated)
• 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual)
• 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual) > Attestation
• 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
• 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions (Automated)
• 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)
• 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual) > Attestation
• 1 - Identity and Access Management
• 1 - Identity and Access Management > Maximum Attestation Duration

Category

• CIS

In Your Workspace

• Controls by Resource report
• Controls by Control Type report

Developers

Control Type URI

tmod:@turbot/aws-cisv1-4#/control/types/s01

Category URI

tmod:@turbot/cis#/control/categories/cis

GraphQL

query controlType(id: "tmod:@turbot/aws-cisv1-4#/control/types/s01") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-cisv1-4#/control/types/s01'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-cisv1-4#/control/types/s01"