Policy: AWS > CIS v3.0 > 1 - Identity and Access Management

Targets

This policy targets the following resource types:

• AWS > Account

Primary Policy

This policy is used with the following primary policy:

• AWS > CIS v3.0

Related Policies

• 1.01 - Maintain current contact details
• 1.02 - Ensure security contact information is registered
• 1.03 - Ensure security questions are registered in the AWS account
• 1.04 - Ensure no 'root' user account access key exists
• 1.05 - Ensure MFA is enabled for the 'root' user account
• 1.06 - Ensure hardware MFA is enabled for the 'root' user account
• 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
• 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
• 1.09 - Ensure IAM password policy prevents password reuse
• 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
• 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
• 1.12 - Ensure credentials unused for 45 days or greater are disabled
• 1.13 - Ensure there is only one active access key available for any single IAM user
• 1.14 - Ensure access keys are rotated every 90 days or less
• 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
• 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
• 1.17 - Ensure a support role has been created to manage incidents with AWS Support
• 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
• 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
• 1.20 - Ensure that IAM Access analyzer is enabled for all regions
• 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
• 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
• Maximum Attestation Duration

Controls

Setting this policy configures these controls:

• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
• AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted

Policy Specification

string

Per AWS > CIS v3.0

Category

• CIS

In Your Workspace

• Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/cis

Policy Type URI

tmod:@turbot/aws-cisv3-0#/policy/types/s01

GraphQL

query policyType(id: "tmod:@turbot/aws-cisv3-0#/policy/types/s01") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-cisv3-0#/policy/types/s01'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-cisv3-0#/policy/types/s01'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-cisv3-0#/policy/types/s01"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-cisv3-0#/policy/types/s01"