Resource Type: AWS > Account
Resource Types
The Account service includes these resource types:
Controls
The primary controls for AWS > Account are:
It is also targeted by these controls:
- AWS > Account > Budget > Budget
- AWS > Amazon MQ > Configuration > Usage
- AWS > App Mesh > Mesh > Usage
- AWS > AppStream > Image > Usage
- AWS > Backup > Backup Plan > Usage
- AWS > Backup > Backup Vault > Usage
- AWS > CIS v1 > 1 Identity and Access Management > 1.15 Ensure security questions are registered in the AWS account (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.17 Maintain current contact details (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.18 Ensure security contact information is registered (Not Scored)
- AWS > CIS v1 > 1 Identity and Access Management > 1.19 Ensure IAM instance roles are used for AWS resource access from instances (Not Scored)
- AWS > CIS v1 > 2 Logging > 2.01 Ensure CloudTrail is enabled in all regions (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.01 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.02 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.03 Ensure a log metric filter and alarm exist for usage of "root" account (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.04 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.05 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.06 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.07 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.08 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.09 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
- AWS > CIS v1 > 3 Monitoring > 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.01 - Maintain current contact details (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances (Manual)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
- AWS > CIS v1.4 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments (Manual)
- AWS > CIS v1.4 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.01 - Ensure a log metric filter and alarm exist for unauthorized API calls (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.02 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.03 - Ensure a log metric filter and alarm exist for usage of 'root' account (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.04 - Ensure a log metric filter and alarm exist for IAM policy changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.05 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.06 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.07 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.08 - Ensure a log metric filter and alarm exist for S3 bucket policy changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.09 - Ensure a log metric filter and alarm exist for AWS Config configuration changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.10 - Ensure a log metric filter and alarm exist for security group changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.12 - Ensure a log metric filter and alarm exist for changes to network gateways (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.13 - Ensure a log metric filter and alarm exist for route table changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.14 - Ensure a log metric filter and alarm exist for VPC changes (Automated)
- AWS > CIS v1.4 > 4 - Monitoring > 4.15 - Ensure a log metric filter and alarm exists for AWS Organizations changes (Automated)
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
- AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
- AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
- AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
- AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
- AWS > CloudFormation > Stack > Usage
- AWS > CloudFormation > StackSet > Usage
- AWS > CloudFront > CloudFront Origin Access Identity > Discovery
- AWS > CloudFront > CloudFront Origin Access Identity > Usage
- AWS > CloudFront > Distribution > Discovery
- AWS > CloudFront > Distribution > Usage
- AWS > CloudFront > Streaming Distribution > Discovery
- AWS > CloudFront > Streaming Distribution > Usage
- AWS > CloudSearch > Domain > Usage
- AWS > CodeCommit > Repository > Usage
- AWS > Direct Connect > Direct Connect Gateway > Discovery
- AWS > Direct Connect > Direct Connect Gateway > Usage
- AWS > DynamoDB > Global Table > Discovery
- AWS > DynamoDB > Global Table > Usage
- AWS > ECR > Public Repository > Discovery
- AWS > ECR > Public Repository > Usage
- AWS > ECR > Repository > Usage
- AWS > ECS > Container Instance > Usage
- AWS > Elastic Beanstalk > Application > Usage
- AWS > Glue > Crawler > Usage
- AWS > Glue > Database > Usage
- AWS > Glue > Development Endpoint [Deprecated] > Usage
- AWS > Glue > Job > Usage
- AWS > Glue > ML Transform > Usage
- AWS > Glue > Table > Usage
- AWS > Glue > Workflow > Usage
- AWS > HIPAA > Account > At least one multi-region AWS CloudTrail should be present in an account
- AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for usage of 'root' account
- AWS > HIPAA > Account > Ensure IAM password policy expires passwords within 90 days or less
- AWS > HIPAA > Account > Ensure IAM password policy prevents password reuse
- AWS > HIPAA > Account > Ensure IAM password policy requires at least one lowercase letter
- AWS > HIPAA > Account > Ensure IAM password policy requires at least one number
- AWS > HIPAA > Account > Ensure IAM password policy requires at least one symbol
- AWS > HIPAA > Account > Ensure IAM password policy requires at least one uppercase letter
- AWS > HIPAA > Account > IAM root user hardware MFA should be enabled
- AWS > IAM > Account Password Policy > Discovery
- AWS > IAM > Account Summary > Discovery
- AWS > IAM > Credential Report > Discovery
- AWS > IAM > Group > Discovery
- AWS > IAM > Group > Usage
- AWS > IAM > Instance Profile > Discovery
- AWS > IAM > MFA Virtual > Discovery
- AWS > IAM > OpenID Connect > Discovery
- AWS > IAM > OpenID Connect > Usage
- AWS > IAM > Policy > Discovery
- AWS > IAM > Role > Discovery
- AWS > IAM > Role > Usage
- AWS > IAM > Root > Discovery
- AWS > IAM > Server Certificate > Discovery
- AWS > IAM > Server Certificate > Usage
- AWS > IAM > Stack
- AWS > IAM > User > Discovery
- AWS > IAM > User > Usage
- AWS > MSK > Cluster > Usage
- AWS > NIST 800-53 > Account > At least one multi-region AWS CloudTrail should be present in an account
- AWS > NIST 800-53 > IAM > IAM root user hardware MFA should be enabled
- AWS > Organizations > Organization > Discovery
- AWS > PCI v3.2.1 > CloudTrail > 2 CloudTrail should be enabled
- AWS > PCI v3.2.1 > CloudWatch > 1 A log metric filter and alarm should exist for usage of the 'root' user
- AWS > PCI v3.2.1 > IAM > 4 Hardware MFA should be enabled for the root user
- AWS > PCI v3.2.1 > IAM > 5 Virtual MFA should be enabled for the root user
- AWS > PCI v3.2.1 > IAM > 8 Password policies for IAM users should have strong configurations
- AWS > RDS > Global Cluster > Discovery
- AWS > Region > Discovery
- AWS > Route 53 > Hosted Zone > Discovery
- AWS > Route 53 > Hosted Zone > Usage
- AWS > Route 53 Resolver > Resolver Endpoint > Usage
- AWS > Route 53 Resolver > Resolver Rule > Usage
- AWS > S3 > Account > Discovery
- AWS > S3 > Bucket > Usage
- AWS > S3 > Multi-Region Access Point > Discovery
- AWS > S3 > Multi-Region Access Point > Usage
- AWS > SageMaker > Notebook Instance > Usage
- AWS > Secrets Manager > Secret > Usage
- AWS > Shield > Protection > Discovery
- AWS > Shield > Protection > Usage
- AWS > SNS > Subscription > Usage
- AWS > SNS > Topic > Usage
- AWS > SSM > Maintenance Window > Usage
- AWS > Step Functions > State Machine > Usage
- AWS > SWF > Domain > Usage
- AWS > Turbot > IAM
- AWS > Turbot > IAM > Managed
- AWS > Turbot > Service Roles
- AWS > WAF > IP Set > Discovery
- AWS > WAF > IP Set > Usage
- AWS > WAF > IP Set v2 Global > Discovery
- AWS > WAF > IP Set v2 Global > Usage
- AWS > WAF > Rate Based Rule > Discovery
- AWS > WAF > Rate Based Rule > Usage
- AWS > WAF > Regex Pattern Set v2 Global > Discovery
- AWS > WAF > Regex Pattern Set v2 Global > Usage
- AWS > WAF > Regex Pattern Set v2 Regional > Usage
- AWS > WAF > Rule > Discovery
- AWS > WAF > Rule > Usage
- AWS > WAF > Rule Group v2 Global > Discovery
- AWS > WAF > Rule Group v2 Global > Usage
- AWS > WAF > Rule Group v2 Regional > Usage
- AWS > WAF > Web ACL > Discovery
- AWS > WAF > Web ACL > Usage
- AWS > WAF > Web ACL v2 Global > Discovery
- AWS > WAF > Web ACL v2 Global > Usage
- ServiceNow > Turbot > Watches > AWS
Category
In Your Workspace
- Controls by Resource Type report
- Policy Settings by Resource Type report
- Resources by Resource Type report
Developers
- Resource Type URI: tmod:@turbot/aws#/resource/types/account
- Category URI: tmod:@turbot/turbot#/resource/categories/cloudService
- CLI: turbot graphql resource --id "tmod:@turbot/aws#/resource/types/account"
- Steampipe Query (Get Resource): select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/aws#/resource/types/account';
- Steampipe Query (Get Policy Settings (By Resource ID)): select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/aws#/resource/types/account"';
- Steampipe Query (Get Resource Notification): select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/aws#/resource/types/account' and notification_type in ('resource_updated', 'resource_created');