Ensure there is a CloudWatch alarm created and configured in your AWS account that is triggered each time an IAM policy configuration change is made. This CloudWatch alarm must fire every time an API call is performed to create, update, attach, detach or delete an AWS IAM policy.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using CloudWatch alarms to detect AWS IAM authorization (policy) configuration changes will help you maintain the necessary access permissions for each IAM user, role and group created in your AWS account in order to prevent any accidental or intentional changes that may lead to unauthorized access.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account, otherwise see this rule to enable AWS Cloudtrail – CloudWatch integration.
Note 2: You have also the option to implement this conformity rule with AWS CloudFormation. Download the required CloudFormation template from this URL and follow the AWS instructions available here.
To determine if there are any CloudWatch alarms that are currently monitoring AWS IAM authorization configuration changes within your AWS account, perform the following:
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send notifications whenever an AWS CloudWatch alarm is triggered by an IAM policy configuration change.
Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send SNS notifications whenever AWS IAM authorization configuration is changed.