
AWS IAM Best Practices

AWS Identity and Access Management (IAM) enables you to manage users and permission levels for staff and third parties requiring access to your AWS account. This service provides centralized access to manage access keys, security credentials, and permission levels. This service is particularly useful for organisations with complex workloads on AWS.

Cloud Conformity checks AWS Identity and Access Management (IAM) service according to the following rules:

Monitor and Notify on AWS Account Root User Activity
Monitor AWS Account Root User Activity

No Access Keys During Initial Setup for IAM Users with Management Console Access
Ensure no access keys are created during IAM user initial setup with AWS Management Console.

Unused AWS IAM Access Keys
Ensure unused AWS IAM access keys are decommissioned as a security best practice.

AWS IAM Access Keys Rotation (30 Days)
Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (30 Days).

AWS IAM Access Keys Rotation (45 Days)
Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (45 Days).

AWS IAM Access Keys Rotation (90 Days)
Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (90 Days).

Unnecessary AWS IAM Access Keys
Ensure there is a maximum of one active access key available for any single IAM user.

AWS Account Alternate Contacts
Ensure alternate contacts are set to improve the security of your AWS account.

Enable Security Challenge Questions for your AWS Account
Ensure security challenge questions are enabled and configured to improve the security of your AWS account.

Attach Policy to IAM Roles Associated with App-Tier EC2 Instances
Ensure an IAM policy is attached to the IAM roles associated with app-tier EC2 instances.

Expired SSL/TLS Certificates
Ensure expired SSL/TLS certificates are removed from AWS IAM.

SSL/TLS Certificate Renewal (30 days before expiration)
Ensure SSL/TLS certificates are renewed before their expiration.

SSL/TLS Certificate Renewal (45 days before expiration)
Ensure SSL/TLS certificates are renewed before their expiration.

SSL/TLS Certificate Renewal (7 days before expiration)
Ensure SSL/TLS certificates are renewed before their expiration.

Pre-Heartbleed Server Certificates
Ensure that your server certificates are not vulnerable to the Heartbleed security bug.

Server Certificate Signature Algorithm
Ensure that your SSL/TLS certificates are using a secure signature algorithm.

AWS IAM Server Certificate Size
Ensure that all your SSL/TLS certificates are using either 2048 or 4096 bit RSA keys instead of 1024-bit keys.

Cross-Account Access Lacks External ID and MFA
Ensure cross-account IAM roles use either MFA or external IDs to secure the access to AWS resources.

Deprecated AWS Managed Policies In Use
Ensure deprecated AWS IAM managed policies are not in use.

IAM Users Unauthorized to Edit Access Policies
Ensure AWS IAM users that are not authorized to edit IAM access policies are decommissioned.

AWS Inline IAM Group Policies
Ensure AWS IAM groups do not have inline policies attached.

AWS IAM Users with Admin Privileges
Ensure there are no IAM users with full administrator permissions within your AWS account.

IAM Group with Administrator Privileges In Use
Ensure an IAM group for administration purposes is created.

Unused AWS IAM Groups
Ensure AWS IAM groups have at least one user attached as a security best practice.

Remove IAM Policies with Full Administrative Privileges
Ensure IAM policies that allow full "*:*" administrative privileges are not created.

IAM Customer Managed Policy with Administrative Permissions In Use
Ensure an IAM policy that allows admin privileges for all services used is created.

IAM Role Policy Too Permissive
Ensure AWS IAM policies attached to IAM roles are not too permissive.

AWS IAM User Present
Ensure there is at least one IAM user currently used to access your AWS account.

Inactive AWS IAM Users
Ensure no AWS IAM users have been inactive for a long (specified) period of time.

Unused AWS IAM Users
Ensure unused IAM users are removed from AWS account to follow security best practice.

AWS IAM Users with Password and Access Keys
Ensure AWS IAM users have either API access or console access in order to follow IAM security best practices.

Valid IAM Identity Providers
Ensure valid IAM Identity Providers are used within your AWS account for secure user authentication and authorization.

MFA Device Deactivated for IAM Users
A Multi-Factor Authentication (MFA) device deactivation for an IAM user has been detected.

Enable MFA for AWS IAM Users
Ensure Multi-Factor Authentication (MFA) is enabled for all AWS IAM users with AWS Console access.

IAM Master and IAM Manager Roles
Ensure IAM Master and IAM Manager roles are active within your AWS account.

AWS Multi-Account Centralized Management (Informational)
Set up, organize and manage your AWS accounts for optimal security and manageability.

IAM Password Expiry In 30 Days
Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days).

IAM Password Expiry In 45 Days
Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (45 Days).

IAM Password Expiry In 7 Days
Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (7 Days).

AWS IAM Password Policy
Ensure your AWS account has a strong IAM password policy in use.

Set Permissions Boundaries for IAM Identities
Ensure permissions boundaries are set for specific IAM identities to control the maximum permissions that these entities can have.

IAM Policies with Effect Allow and NotAction
Ensure AWS IAM policies do not use "Effect" : "Allow" in combination with "NotAction" element to follow security best practices.

AWS Root Account Access Keys
Ensure that your AWS account (root) is not using access keys as a security best practice.

AWS Root Account Credentials Usage
Ensure root account credentials have not been used recently to access your AWS account.

Root Account Active Signing Certificates
Ensure that your AWS root account user is not using X.509 certificates to validate API requests.

Enable Hardware MFA for AWS Root Account
Ensure hardware MFA is enabled for your Amazon Web Services root account.

Enable MFA for AWS Root Account
Ensure Multi-Factor Authentication (MFA) is enabled for the AWS root account.

AWS IAM SSH Public Keys Rotation (30 Days)
Ensure AWS IAM SSH public keys are rotated on a periodic basis as a security best practice.

AWS IAM SSH Public Keys Rotation (45 Days)
Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices.

AWS IAM SSH Public Keys Rotation (90 Days)
Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices.

Unnecessary AWS IAM SSH Public Keys
Ensure there is a maximum of one active SSH public key assigned to any single IAM user.

Sign-In Events for IAM and Federated Users
AWS sign-in events for IAM and federated users have been detected.

AWS IAM Support Role
Ensure there is an active Amazon IAM Support Role available within your AWS account.

AWS IAM User Policies
Ensure AWS IAM policies are attached to groups instead of users as an IAM best practice.