Identity and Access Management

Rules for configuring identity and access management options.

Rule Name

Description

Avoid the use of the "root" account (1.1)

It is recommended that the use of the root account be avoided.

Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (1.2)

It is recommended that MFA be enabled for all accounts that have a console password.

Ensure credentials unused for 90 days or greater are disabled (1.3)

It is recommended that all credentials that have been unused for 90 or more days be removed or deactivated.

Ensure access keys are rotated every 90 days or less (1.4)

It is recommended that all access keys be regularly rotated.

Password policy complexity (1.5 to 1.11)

It is strongly recommended that your organization's password policy:

  • Requires at least one uppercase letter
  • Requires at least one lowercase letter
  • Requires at least one symbol
  • Requires at least one number
  • Has a minimum password length of 14 characters
  • Prevents password reuse
  • Expires after 90 days or less
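As an added example (not code from the original page), the following check evaluates an account password policy against the seven requirements just listed and builds the parameter set that satisfies them. The dictionaries use the field names of IAM's GetAccountPasswordPolicy response, which is also what boto3 returns under "PasswordPolicy"; the two sample policies are constructed. One assumption beyond the page: it only says reuse must be prevented, while the history depth of 24 remembered passwords used here is the CIS benchmark's own figure.

```python
"""Check an IAM account password policy against the requirements listed above.

Added example, not code from the original page.  Field names follow IAM's
GetAccountPasswordPolicy response; the sample policies are constructed.
"""

MIN_LENGTH = 14      # minimum password length required above
MAX_AGE_DAYS = 90    # passwords must expire after 90 days or less
REUSE_HISTORY = 24   # CIS benchmark history depth for "prevents password reuse" (assumption)


def check_password_policy(policy):
    """Return the names of the requirements the policy fails; an empty list is compliant."""
    failures = []
    if not policy.get("RequireUppercaseCharacters", False):
        failures.append("uppercase")
    if not policy.get("RequireLowercaseCharacters", False):
        failures.append("lowercase")
    if not policy.get("RequireSymbols", False):
        failures.append("symbols")
    if not policy.get("RequireNumbers", False):
        failures.append("numbers")
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        failures.append("min_length")
    # IAM reports reuse prevention as the number of previous passwords remembered;
    # an absent field or 0 means reuse is allowed.
    if policy.get("PasswordReusePrevention", 0) < REUSE_HISTORY:
        failures.append("reuse_prevention")
    # MaxPasswordAge is only present when passwords expire, so absent/0 means "never".
    if not 0 < policy.get("MaxPasswordAge", 0) <= MAX_AGE_DAYS:
        failures.append("expiry")
    return failures


def compliant_policy_parameters():
    """Keyword arguments for iam.update_account_password_policy(**...) that pass every check.

    UpdateAccountPasswordPolicy has no ExpirePasswords parameter; setting
    MaxPasswordAge is what turns expiry on.
    """
    return {
        "MinimumPasswordLength": MIN_LENGTH,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "PasswordReusePrevention": REUSE_HISTORY,
        "MaxPasswordAge": MAX_AGE_DAYS,
        "AllowUsersToChangePassword": True,
    }


# Constructed weak policy: short, no uppercase/symbol requirement, no reuse
# prevention and no expiry.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

# Live use (not run here):
#   iam = boto3.client("iam")
#   current = iam.get_account_password_policy()["PasswordPolicy"]
#   if check_password_policy(current):
#       iam.update_account_password_policy(**compliant_policy_parameters())

if __name__ == "__main__":
    print("weak policy fails:", check_password_policy(WEAK_POLICY))
    print("hardened policy fails:", check_password_policy(compliant_policy_parameters()))
```

Note that get_account_password_policy() raises NoSuchEntity when an account has never had a policy set; treat that case as failing every requirement rather than as "nothing to report".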

Ensure no root account access key exists (1.12)

It is recommended that all access keys associated with the root account be removed.

MFA for the root account (1.13 and 1.14)

It is recommended that the root account be protected with MFA.
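Rules 1.2, 1.3, 1.4, 1.12 and 1.13 can all be evaluated from one artifact, the IAM credential report. The script below is an added example, not code from the original page: it parses the report CSV (what `aws iam get-credential-report --query Content --output text | base64 -d` prints) using the report's real column names and flags each condition behind those rules. The reference time and the four report rows are constructed so the run is deterministic.

```python
"""Audit an IAM credential report for rules 1.2, 1.3, 1.4, 1.12 and 1.13.

Added example, not code from the original page.  The column names are those
of the IAM credential report; the rows and the reference time are constructed.
"""
import csv
import io
from datetime import datetime, timezone

MAX_UNUSED_DAYS = 90   # rule 1.3: credentials unused for 90 days or more
MAX_KEY_AGE_DAYS = 90  # rule 1.4: access keys rotated every 90 days or less
ROOT_USER = "<root_account>"  # how the credential report labels the root user

# Constructed reference time so the day counts below are fixed.
NOW = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample (first 18 report columns): root with an old key and no MFA,
# a compliant user, a stale user without MFA, and a keys-only service user.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2024-01-10T08:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T00:00:00+00:00,true,2024-03-01T09:00:00+00:00,2024-01-15T00:00:00+00:00,2024-04-14T00:00:00+00:00,true,true,2024-02-01T00:00:00+00:00,2024-03-01T09:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-01T00:00:00+00:00,true,2023-09-01T09:00:00+00:00,2023-08-01T00:00:00+00:00,2023-10-30T00:00:00+00:00,false,true,2023-05-01T00:00:00+00:00,2023-11-20T00:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-02-20T00:00:00+00:00,2024-03-01T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A
"""


def _timestamp(value):
    """Parse an ISO-8601 report field; placeholder markers such as N/A give None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _days_since(when, now):
    return (now - when).days


def audit_credential_report(report_csv, now=NOW):
    """Return findings as (user, rule, detail) tuples, one per violated condition."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa_active = row["mfa_active"] == "true"
        has_password = row["password_enabled"] == "true"

        # Rules 1.13 (root MFA) and 1.2 (MFA for users with a console password).
        if user == ROOT_USER:
            if not mfa_active:
                findings.append((user, "1.13", "root account is not protected by MFA"))
        elif has_password and not mfa_active:
            findings.append((user, "1.2", "console password without MFA"))

        # Rule 1.3 for passwords; a never-used password is counted from user creation.
        if has_password:
            last_used = _timestamp(row["password_last_used"]) or _timestamp(row["user_creation_time"])
            idle = _days_since(last_used, now)
            if idle > MAX_UNUSED_DAYS:
                findings.append((user, "1.3", f"console password unused for {idle} days"))

        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == ROOT_USER:
                # Rule 1.12: the key should not exist at all, so age/idle checks are moot.
                findings.append((user, "1.12", f"root account has an active access key {n}"))
                continue
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            age = _days_since(rotated, now)
            if age > MAX_KEY_AGE_DAYS:  # rule 1.4
                findings.append((user, "1.4", f"access key {n} is {age} days old"))
            # Rule 1.3 for keys; a never-used key is counted from its last rotation.
            last_used = _timestamp(row[f"access_key_{n}_last_used_date"]) or rotated
            idle = _days_since(last_used, now)
            if idle > MAX_UNUSED_DAYS:
                findings.append((user, "1.3", f"access key {n} unused for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {rule:5} {detail}")
```

Two points worth keeping when adapting this: the report is generated on demand (call generate-credential-report first and poll until it is complete), and a service user with keys but no console password, like ci-deploy above, is correctly not flagged under 1.2 but still falls under the 1.3 and 1.4 key checks.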

Ensure security questions are registered in the AWS account (1.15)

It is recommended that security questions be established.

Ensure IAM policies are attached only to groups or roles (1.16)

It is recommended that IAM policies be attached to groups and roles rather than directly to users.

Maintain current contact details (1.17)

It is strongly recommended that organizations maintain contact details for more than just a single individual.

Ensure security contact information is registered (1.18)

It is recommended that security contact information be provided.

Ensure IAM instance roles are used for AWS resource access from instances (1.19)

It is recommended that instance roles be used for AWS resource access from instances.

Ensure a support role has been created to manage incidents with AWS Support (1.20)

It is recommended that a support role be created to manage incidents with AWS Support.

Do not set up access keys during initial user setup for all IAM users that have a console password (1.21)

It is recommended that access keys that do not pass the audit via the AWS Management Console be deleted.

Ensure IAM policies that allow full administrative privileges are not created (1.22)

It is recommended and considered standard security advice to grant IAM policies based on the principle of least privilege.