Policy: AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Configures auditing against a CIS Benchmark item.
Level: 1
IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege - that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
Note: This control does not evaluate AWS managed IAM policies since they are not available in Turbot CMDB.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Controls
Setting this policy configures these controls:
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
Policy Specification
Schema Type | |
|---|---|
Default | |
Valid Values [YAML] |
|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/v0704
- tmod:@turbot/aws-cisv3-0#/policy/types/r0116
- turbot graphql policy-type --id "tmod:@turbot/aws-cisv3-0#/policy/types/r0116"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-cisv3-0#/policy/types/r0116"
Get Policy TypeGet Policy Settings
Category URI
Policy Type URI
GraphQL
CLI