❗Before you can configure the AWS IAM integration, you must first complete the steps to set up the overall AWS integration. Please see our AWS guide here.
Introduction
A single connector to AWS gives you the flexibility to extend access to any of the products in the AWS family. We have a number of off-the-shelf checks for AWS IAM and have listed the most common checks, together with the IAM permissions each one requires, below. We also build configured and custom checks tailored to our clients; if you have a requirement that is not satisfied by the checks below, please reach out to your implementation lead!
AWS IAM Check Permissions
Inactive IAM users should be deactivated
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "iam:GetCredentialReport"
      ],
      "Resource": "*"
    }
  ]
}
IAM customer managed policies that you create should not allow wildcard actions for services
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "*"
    }
  ]
}
MFA should be enabled for all IAM users
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListMFADevices"
      ],
      "Resource": "*"
    }
  ]
}
IAM Access Analyzer external access analyzer should be enabled
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers"
      ],
      "Resource": "*"
    }
  ]
}
IAM identities should not have the AWSCloudShellFullAccess policy attached
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
Expired SSL/TLS certificates managed in IAM should be removed
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListServerCertificates"
      ],
      "Resource": "*"
    }
  ]
}
Ensure a support role has been created to manage incidents with AWS Support
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ObjectLock",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "*"
    }
  ]
}
Ensure IAM password policy has strong configuration
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy"
      ],
      "Resource": "*"
    }
  ]
}
IAM users' passwords should be changed every X days or less
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "iam:GetCredentialReport"
      ],
      "Resource": "*"
    }
  ]
}
MFA should be enabled for all IAM users that have a console password
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListMFADevices",
        "iam:GetLoginProfile"
      ],
      "Resource": "*"
    }
  ]
}
IAM users' access keys should be rotated every X days or less
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccessKeys",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
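Four of the checks above (inactive users, password age, MFA for users with a console password, and access-key age) can all be evaluated from a single credential report, the CSV that iam:GenerateCredentialReport and iam:GetCredentialReport produce. The Python below is an added example and not the vendor's check code: it embeds a constructed report that uses the real column names (only the access_key_1 columns are carried; a real report also has access_key_2_* and certificate columns), a fixed clock so the results are deterministic, and a 90-day threshold in place of the page's "X days". The page lists the MFA and access-key checks with the ListUsers/ListMFADevices/GetLoginProfile and ListAccessKeys permissions; reading them from the credential report instead is this example's choice.

```python
"""Evaluate IAM credential-report rows against the checks listed above (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report format. Real reports use ISO-8601
# timestamps and the literals "N/A", "no_information" and "not_supported".
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-20T09:00:00+00:00,2024-01-15T00:00:00+00:00,2024-04-14T00:00:00+00:00,true,true,2024-05-01T00:00:00+00:00,2024-05-19T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T00:00:00+00:00,true,2023-11-01T09:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,false,true,2022-06-01T00:00:00+00:00,2023-10-30T00:00:00+00:00
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2022-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-12-01T00:00:00+00:00,2024-05-21T00:00:00+00:00
"""

# Fixed "now" so the sample evaluates the same way every run (assumption for the example).
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)
ROOT = "<root_account>"


def parse_ts(value):
    """Return an aware datetime, or None for the report's non-timestamp literals."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_report(csv_text):
    """Parse the CSV body of a credential report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def inactive_users(rows, max_idle_days=90, now=NOW):
    """IAM users whose password and access key were both unused for more than max_idle_days (or never)."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for r in rows:
        if r["user"] == ROOT:  # root is not an IAM user; it is handled by separate checks
            continue
        used = [t for t in (parse_ts(r["password_last_used"]),
                            parse_ts(r["access_key_1_last_used_date"])) if t]
        if not used or max(used) < cutoff:
            findings.append(r["user"])
    return findings


def stale_passwords(rows, max_age_days=90, now=NOW):
    """Console users whose password was last changed more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for r in rows:
        if r["password_enabled"] != "true":
            continue
        changed = parse_ts(r["password_last_changed"])
        if changed is None or changed < cutoff:
            findings.append(r["user"])
    return findings


def console_users_without_mfa(rows):
    """Users with a console password (root always has one) and no active MFA device."""
    findings = []
    for r in rows:
        has_console = r["password_enabled"] == "true" or r["user"] == ROOT
        if has_console and r["mfa_active"] != "true":
            findings.append(r["user"])
    return findings


def stale_access_keys(rows, max_age_days=90, now=NOW):
    """Users whose active access key 1 was last rotated more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for r in rows:
        if r["access_key_1_active"] != "true":
            continue
        rotated = parse_ts(r["access_key_1_last_rotated"])
        if rotated is None or rotated < cutoff:
            findings.append(r["user"])
    return findings


if __name__ == "__main__":
    rows = load_report(SAMPLE_REPORT)
    print("inactive users:        ", inactive_users(rows))          # ['bob']
    print("stale passwords:       ", stale_passwords(rows))         # ['alice', 'bob']
    print("console users, no MFA: ", console_users_without_mfa(rows))  # ['bob']
    print("stale access keys:     ", stale_access_keys(rows))       # ['bob', 'svc-deploy']
```

With a live account, the only change is to replace SAMPLE_REPORT with the base64-decoded Content of the GetCredentialReport response; GenerateCredentialReport must be called first and polled until the report state is COMPLETE, and the report is at most four hours old, so a finding can lag a remediation by that long.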
IAM users should not have IAM policies attached
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListUserPolicies",
        "iam:ListAttachedUserPolicies"
      ],
      "Resource": "*"
    }
  ]
}
IAM policies should not allow full "*" administrative privileges
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "*"
    }
  ]
}
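The two policy-document checks above (no service-wide wildcard actions in customer managed policies, and no full "*" administrative privileges) share the same permissions because both read the default version's Document returned by iam:GetPolicyVersion for each policy that iam:ListPolicies returns (with Scope set to Local to restrict it to customer managed policies). The Python below is an added example, not the vendor's check code, that runs the evaluation logic over constructed policy documents embedded inline; the policy names and documents are sample data, not from the page.

```python
"""Flag customer managed policy documents that grant service wildcards or full admin (added example)."""
import json

# Constructed sample policy documents keyed by policy name. In a live account each
# document is the "Document" field of the policy's default version.
SAMPLE_POLICIES = {
    "ReadOnlyBuckets": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::example-bucket",
                                    "arn:aws:s3:::example-bucket/*"]}],
    },
    "BreakGlassAdmin": {
        "Version": "2012-10-17",
        # Statement given as a single object, a form IAM also accepts
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
    },
    "DeployPipeline": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["S3:*", "lambda:UpdateFunctionCode"],
                       "Resource": "*"}],
    },
    "DeniedWildcard": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}],
    },
    "AuditNotAction": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
    },
}


def _as_list(value):
    """Normalise the string / list / single-object forms IAM accepts into a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _allow_statements(doc):
    """Only Allow statements can widen access; Deny statements are never findings."""
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def wildcard_actions(doc):
    """Allow actions that cover a whole service ('s3:*') or every service ('*')."""
    found = set()
    for stmt in _allow_statements(doc):
        for action in _as_list(stmt.get("Action")):
            # action names are case-insensitive, so compare in lower case
            if action == "*" or action.lower().endswith(":*"):
                found.add(action)
    return sorted(found)


def is_full_admin(doc):
    """True when an Allow statement grants Action '*' on Resource '*'."""
    for stmt in _allow_statements(doc):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in actions and "*" in resources:
            return True
    return False


def uses_not_action(doc):
    """Allow + NotAction grants everything except the listed actions, so report it alongside wildcards."""
    return any("NotAction" in stmt for stmt in _allow_statements(doc))


def evaluate(policies):
    """Map policy name -> findings for the two checks."""
    return {
        name: {
            "full_admin": is_full_admin(doc),
            "wildcard_actions": wildcard_actions(doc),
            "allow_with_not_action": uses_not_action(doc),
        }
        for name, doc in policies.items()
    }


def non_compliant(policies):
    """Sorted names of policies that have at least one finding."""
    return sorted(name for name, f in evaluate(policies).items()
                  if f["full_admin"] or f["wildcard_actions"] or f["allow_with_not_action"])


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_POLICIES), indent=2))
    print("non-compliant:", non_compliant(SAMPLE_POLICIES))
```

Wildcards inside a Deny statement are deliberately left alone, since they narrow access rather than widen it, and a statement that uses NotAction with Allow is reported separately because it is a wildcard in all but spelling.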