Control: AWS > CIS v2.0 > 1 - Identity and Access Management
This section contains recommendations for configuring identity and access management related options.
Primary Policies
The following policies can be used to configure this control:
- 1 - Identity and Access Management > 1.01 - Maintain current contact details
- 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
- 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
- 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
- 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
- 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
- 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
- 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
- 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
- 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
- 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
- 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
- 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
- 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
- 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
- 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
- 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
- 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
- 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
- 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
- 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
- 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
- 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
- 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
- 1 - Identity and Access Management
- 1 - Identity and Access Management > Maximum Attestation Duration
Category
In Your Workspace
Developers
- tmod:@turbot/aws-cisv2-0#/control/types/s01
- tmod:@turbot/cis#/control/categories/cis
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-cisv2-0#/control/types/s01"
Get Controls
Control Type URI
Category URI
GraphQL
CLI