Policy: AWS > CIS v1.4 > 1 - Identity and Access Management

Targets

This policy targets the following resource types:

• AWS > Account

Primary Policy

This policy is used with the following primary policy:

• AWS > CIS v1.4

Related Policies

• 1.01 - Maintain current contact details (Manual)
• 1.02 - Ensure security contact information is registered (Manual)
• 1.03 - Ensure security questions are registered in the AWS account (Manual)
• 1.04 - Ensure no 'root' user account access key exists (Automated)
• 1.05 - Ensure MFA is enabled for the 'root' user account (Automated)
• 1.06 - Ensure hardware MFA is enabled for the 'root' user account (Automated)
• 1.07 - Eliminate use of the 'root' user for administrative and daily tasks (Automated)
• 1.08 - Ensure IAM password policy requires minimum length of 14 or greater (Automated)
• 1.09 - Ensure IAM password policy prevents password reuse (Automated)
• 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
• 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password (Manual)
• 1.12 - Ensure credentials unused for 45 days or greater are disabled (Automated)
• 1.13 - Ensure there is only one active access key available for any single IAM user (Automated)
• 1.14 - Ensure access keys are rotated every 90 days or less (Automated)
• 1.15 - Ensure IAM Users Receive Permissions Only Through Groups (Automated)
• 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
• 1.17 - Ensure a support role has been created to manage incidents with AWS Support (Automated)
• 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual)
• 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
• 1.20 - Ensure that IAM Access analyzer is enabled for all regions (Automated)
• 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)
• Maximum Attestation Duration

Controls

Setting this policy configures these controls:

• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password (Manual)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions (Automated)
• AWS > CIS v1.4 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)

Policy Specification

string

Per AWS > CIS v1.4

Category

• CIS

In Your Workspace

• Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/aws-cisv1-4#/policy/types/s01

GraphQL

query policyType(id: "tmod:@turbot/aws-cisv1-4#/policy/types/s01") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-cisv1-4#/policy/types/s01'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-cisv1-4#/policy/types/s01'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-cisv1-4#/policy/types/s01"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-cisv1-4#/policy/types/s01"