Policy: AWS > CIS v6.0 > 2 - Identity and Access Management
This section contains recommendations for configuring identity and access management related options.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Related Policies
- 2.01 - Maintain current contact details
- 2.02 - Ensure security contact information is registered
- 2.03 - Ensure no 'root' user account access key exists
- 2.04 - Ensure MFA is enabled for the 'root' user account
- 2.05 - Ensure hardware MFA is enabled for the 'root' user account
- 2.06 - Eliminate use of the 'root' user for administrative and daily tasks
- 2.07 - Ensure IAM password policy requires minimum length of 14 or greater
- 2.08 - Ensure IAM password policy prevents password reuse
- 2.09 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- 2.10 - Do not create access keys during initial setup for IAM users with a console password
- 2.11 - Ensure credentials unused for 45 days or more are disabled
- 2.12 - Ensure there is only one active access key for any single IAM user
- 2.13 - Ensure access keys are rotated every 90 days or less
- 2.14 - Ensure IAM users receive permissions only through groups
- 2.15 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
- 2.16 - Ensure a support role has been created to manage incidents with AWS Support
- 2.17 - Ensure IAM instance roles are used for AWS resource access from instances
- 2.18 - Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed
- 2.19 - Ensure that IAM External Access Analyzer is enabled for all regions
- 2.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- 2.21 - Ensure access to AWSCloudShellFullAccess is restricted
- Maximum Attestation Duration
Controls
Setting this policy configures these controls:
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.01 - Maintain current contact details
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.02 - Ensure security contact information is registered
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.03 - Ensure no 'root' user account access key exists
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.04 - Ensure MFA is enabled for the 'root' user account
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.05 - Ensure hardware MFA is enabled for the 'root' user account
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.06 - Eliminate use of the 'root' user for administrative and daily tasks
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.07 - Ensure IAM password policy requires minimum length of 14 or greater
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.08 - Ensure IAM password policy prevents password reuse
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.09 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.10 - Do not create access keys during initial setup for IAM users with a console password
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.11 - Ensure credentials unused for 45 days or more are disabled
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.12 - Ensure there is only one active access key for any single IAM user
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.13 - Ensure access keys are rotated every 90 days or less
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.14 - Ensure IAM users receive permissions only through groups
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.15 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.16 - Ensure a support role has been created to manage incidents with AWS Support
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.17 - Ensure IAM instance roles are used for AWS resource access from instances
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.18 - Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.19 - Ensure that IAM External Access Analyzer is enabled for all regions
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.20 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- AWS > CIS v6.0 > 2 - Identity and Access Management > 2.21 - Ensure access to AWSCloudShellFullAccess is restricted
Policy Specification
Schema Type | |
|---|---|
Default | |
Valid Values [YAML] |
|
Examples [YAML] |
|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/cis
- tmod:@turbot/aws-cisv6-0#/policy/types/s02
- turbot graphql policy-type --id "tmod:@turbot/aws-cisv6-0#/policy/types/s02"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-cisv6-0#/policy/types/s02"
Get Policy TypeGet Policy Settings
Category URI
Policy Type URI
GraphQL
CLI