Policy Settings
The AWS CIS v3.0.0 - Section 1 - Identity and Access Management policy pack has 30 policy settings:
Policy | Setting | Note |
---|---|---|
AWS > EC2 > Instance > Instance Profile | Check: Instance profile attached | AWS CIS v3.0.0 - Controls: 1.18 |
AWS > EC2 > Instance > Instance Profile > Name | orgDefaultInstanceProfile | AWS CIS v3.0.0 - Controls: 1.18 |
AWS > IAM > Access Key > Active | Check: Active | AWS CIS v3.0.0 - Controls: 1.12, 1.13 and 1.14 |
AWS > IAM > Access Key > Active > Age | Force inactive if age > 90 days | AWS CIS v3.0.0 - Controls: 1.14 |
AWS > IAM > Access Key > Active > Last Modified | Force active if last modified <= 7 days | Prevents newly created access keys from being treated as inactive, and so alarmed on or deleted, simply because they have not yet been used. |
AWS > IAM > Access Key > Active > Latest | Force inactive if not latest | AWS CIS v3.0.0 - Controls: 1.13 |
AWS > IAM > Access Key > Active > Recently Used | Force active if recently used <= 30 days | AWS CIS v3.0.0 - Controls: 1.12 |
AWS > IAM > Account Password Policy > Settings | Check: Configured | AWS CIS v3.0.0 - Controls: 1.8 and 1.9 |
AWS > IAM > Account Password Policy > Settings > Minimum Length | 14 | AWS CIS v3.0.0 - Controls: 1.8 |
AWS > IAM > Account Password Policy > Settings > Reuse Prevention | 24 | AWS CIS v3.0.0 - Controls: 1.9 |
AWS > IAM > Group > Inline Policy > Statements > Approved | Check: Approved | AWS CIS v3.0.0 - Controls: 1.16 |
AWS > IAM > Group > Inline Policy > Statements > Approved > Administrator Access | Disabled: Disallow Administrator Access ('*:*') policies | AWS CIS v3.0.0 - Controls: 1.16 |
AWS > IAM > Policy > Statements > Approved | Check: Approved | AWS CIS v3.0.0 - Controls: 1.16 |
AWS > IAM > Policy > Statements > Approved > Rules | REJECT $.Effect:"Allow" $.Action:"*" $.Resource:"*" APPROVE * | AWS CIS v3.0.0 - Controls: 1.16 |
AWS > IAM > Role > Inline Policy > Statements > Approved | Check: Approved | AWS CIS v3.0.0 - Controls: 1.16 |
AWS > IAM > Role > Inline Policy > Statements > Approved > Administrator Access | Disabled: Disallow Administrator Access ('*:*') policies | AWS CIS v3.0.0 - Controls: 1.16 |
AWS > IAM > Server Certificate > Active | Check: Active | AWS CIS v3.0.0 - Controls: 1.19 |
AWS > IAM > Server Certificate > Active > Expired | Force inactive if expired | AWS CIS v3.0.0 - Controls: 1.19 |
AWS > IAM > Stack | Check: Configured | AWS CIS v3.0.0 - Controls: 1.17 |
AWS > IAM > Stack > Source | Calculated | AWS CIS v3.0.0 - Controls: 1.17 |
AWS > IAM > Stack > Terraform Version | 0.15.* | AWS CIS v3.0.0 - Controls: 1.17 |
AWS > IAM > User > Inline Policy > Approved | Check: Approved | AWS CIS v3.0.0 - Controls: 1.15 |
AWS > IAM > User > Inline Policy > Approved > Usage | Not approved | AWS CIS v3.0.0 - Controls: 1.15 |
AWS > IAM > User > Inline Policy > Statements > Approved | Check: Approved | AWS CIS v3.0.0 - Controls: 1.16 |
AWS > IAM > User > Inline Policy > Statements > Approved > Administrator Access | Disabled: Disallow Administrator Access ('*:*') policies | AWS CIS v3.0.0 - Controls: 1.16 |
AWS > IAM > User > Login Profile | Calculated | AWS CIS v3.0.0 - Controls: 1.10 and 1.11 |
AWS > IAM > User > Policy Attachments > Approved | Check: Approved | AWS CIS v3.0.0 - Controls: 1.15 |
AWS > IAM > User > Policy Attachments > Approved > Rules | REJECT * | AWS CIS v3.0.0 - Controls: 1.15 |
AWS > Region > Stack | Check: Configured | AWS CIS v3.0.0 - Controls: 1.20 |
AWS > Region > Stack > Source | resource "aws_accessanalyzer_analyzer" "cis_access_analyzer" { analyzer_name = "access_analyzer" type = "ACCOUNT" } | AWS CIS v3.0.0 - Controls: 1.20 |
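The evaluation logic behind two groups of settings in the table above, written out as an added example in plain Python. This is not Turbot's code and not part of the policy pack; it reproduces the `Statements > Approved` rule for control 1.16 (`REJECT $.Effect:"Allow" $.Action:"*" $.Resource:"*" APPROVE *`) and the four `Access Key > Active` sub-policies for controls 1.12, 1.13 and 1.14. The function names, the `'*:*'` spelling being treated the same as `'*'`, the use of a key's creation time as its last-modified time, and the precedence rule (a force-active result from any sub-policy wins over a force-inactive result from any other) are assumptions made for this example, not documented Turbot behaviour.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def is_admin_statement(stmt: dict) -> bool:
    """Match the REJECT clause of the 1.16 rule: Effect Allow, Action '*' (or the
    '*:*' spelling, an assumption here), Resource '*'. Deny statements and
    statements scoped to a specific resource fall through to APPROVE.
    NotAction/NotResource grants are not matched and would need a separate check."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.strip() for a in _as_list(stmt.get("Action"))}
    resources = {r.strip() for r in _as_list(stmt.get("Resource"))}
    return bool(actions & {"*", "*:*"}) and "*" in resources


def rejected_statements(policy_doc: dict) -> list:
    """Return the Sid (or a positional label) of every statement the rule rejects.
    An empty list means the whole policy document is approved."""
    statements = _as_list(policy_doc.get("Statement"))
    return [s.get("Sid", f"statement[{i}]")
            for i, s in enumerate(statements) if is_admin_statement(s)]


def access_key_state(now: datetime, created: datetime, last_used: Optional[datetime],
                     is_latest: bool, max_age_days: int = 90, new_key_days: int = 7,
                     recent_use_days: int = 30) -> str:
    """Combine the four Active sub-policies from the table into 'active' or 'inactive'.

    Last Modified : force active   if created <= 7 days ago (creation time is used
                    as last-modified time; assumption for this example)
    Recently Used : force active   if last used <= 30 days ago
    Age           : force inactive if created  > 90 days ago
    Latest        : force inactive if this is not the user's newest key

    Assumption for this example: any force-active result takes precedence over
    any force-inactive result, so the two force-active checks run first.
    """
    age = now - created
    if age <= timedelta(days=new_key_days):
        return "active"
    if last_used is not None and now - last_used <= timedelta(days=recent_use_days):
        return "active"
    if age > timedelta(days=max_age_days):
        return "inactive"
    if not is_latest:
        return "inactive"
    return "active"


def key_state_from_days(age_days: int, last_used_days: Optional[int], is_latest: bool,
                        now: Optional[datetime] = None) -> str:
    """Convenience wrapper: express a key's history as day counts relative to now."""
    now = now or datetime.now(timezone.utc)
    created = now - timedelta(days=age_days)
    last_used = None if last_used_days is None else now - timedelta(days=last_used_days)
    return access_key_state(now, created, last_used, is_latest)


if __name__ == "__main__":
    # Constructed sample data for the demo; not taken from any real account.
    admin_doc = {"Version": "2012-10-17", "Statement": [
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
    print(rejected_statements(admin_doc))          # ['FullAdmin']
    print(key_state_from_days(3, None, False))     # active (new key, not yet used)
    print(key_state_from_days(120, 60, True))      # inactive (older than 90 days)
```

Note what the precedence assumption implies: a key older than 90 days that was still used in the last 30 days stays active, so if strict 90-day rotation (1.14) is the goal, the Recently Used override is the setting to revisit.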