AWS IAM Audit

Protect your AWS account and secure your cloud workloads with these recipes

What we do

Access Keys For Root Account

The root account has full permissions across the entire AWS account. It should not have access keys, and it should not be used to access any service. Instead, create IAM users with predefined roles.

Addresses: Security

Root Account Access Keys Rotation

The root account should not have access keys. If it does, the keys should be rotated periodically.

Addresses: Security

Root account certificates

Certificates should not be tied to the root account.

Addresses: Security

Root account certificate rotation

Certificates tied to the root account need to be rotated.

Addresses: Security

Root account MFA

Multi-factor authentication (MFA) is strongly recommended for every account, with no exceptions.

Addresses: Security

Root account password rotation

Ensure that your root account password is rotated every few days.

Addresses: Security

Minimum admins

Your AWS account should have the minimum number of admins.

Addresses: Security

Too many admins

Your AWS account has too many admins.

Addresses: Security, Operational Maturity

User account without any usage

Any unused IAM user, one with no console usage and no API usage, should be removed.

Addresses: Security

MFA on user accounts

MFA must be enabled on user accounts. AWS recommends that you configure multi-factor authentication (MFA) to help protect your AWS resources.

Addresses: Security

Access key rotation

Access keys should be rotated periodically.

Addresses: Security

Certificate rotation

The certificates should be rotated periodically.

Addresses: Security

Access keys inactivity

Inactive access keys should be dropped.

Addresses: Security

User console access inactive

Users who use the console infrequently, or do not need console access at all, should have their console access removed.

Addresses: Security

User account service inactivity

Checks for users who have been inactive on a service. Those privileges should be removed for a better security posture.

Addresses: Security

User Inline Policies

IAM users should not have inline policies. It is recommended that IAM policies be attached to groups and roles, not directly to users.

Addresses: Security

User account with multiple access keys

Multiple access keys for the same user should be avoided. There should be just one access key per user account.

Addresses: Security
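The recipes above that concern the root account and IAM users (root access keys and certificates, root MFA, unused users, user MFA, access key and certificate rotation, inactive access keys, inactive console access, multiple access keys) can all be evaluated from a single artifact: the IAM credential report. The script below is an added example written for this page, not Cloudanix's own code. It parses a constructed report in the CSV shape that `aws iam get-credential-report` returns after base64 decoding, and emits one finding per violated recipe. The 90-day thresholds, the fixed "now" and every value in the sample report are assumptions chosen for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report.
# Account id, user names and timestamps are invented for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2021-01-01T00:00:00+00:00,2024-04-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,true,2021-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2022-01-01T00:00:00+00:00,true,2024-05-20T09:00:00+00:00,2024-03-01T00:00:00+00:00,2024-06-01T00:00:00+00:00,true,true,2024-05-01T00:00:00+00:00,2024-05-25T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-06-01T00:00:00+00:00,true,2023-11-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,2023-04-01T00:00:00+00:00,false,true,2022-01-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,us-west-2,iam,true,2024-05-01T00:00:00+00:00,2024-05-28T00:00:00+00:00,us-west-2,s3,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2023-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed reference time so the results are reproducible (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90       # rotation threshold for keys and certificates (assumed)
MAX_INACTIVE_DAYS = 90      # inactivity threshold for keys and console logins (assumed)


def _parse_ts(value):
    """Return a datetime for an ISO timestamp, or None for the report's N/A-style markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _days_since(value, now):
    ts = _parse_ts(value)
    return None if ts is None else (now - ts).days


def audit_credential_report(report_csv, now=NOW):
    """Return a list of (user, finding) tuples, one per violated recipe."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        active_certs = [n for n in ("1", "2") if row[f"cert_{n}_active"] == "true"]
        console = row["password_enabled"] == "true"

        if is_root:
            if active_keys:
                findings.append((user, "root account has active access keys"))
            if active_certs:
                findings.append((user, "root account has active signing certificates"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
        else:
            if console and row["mfa_active"] != "true":
                findings.append((user, "console user without MFA"))
            if len(active_keys) > 1:
                findings.append((user, "more than one active access key"))
            if not console and not active_keys:
                # No way to log in and no API credentials: candidate for removal.
                findings.append((user, "user has neither console nor API access"))
            if console:
                idle = _days_since(row["password_last_used"], now)
                if idle is None or idle > MAX_INACTIVE_DAYS:
                    findings.append((user, f"console access unused for more than {MAX_INACTIVE_DAYS} days"))

        # Rotation and inactivity checks apply to root and users alike.
        for n in active_keys:
            age = _days_since(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE_DAYS} days"))
            idle = _days_since(row[f"access_key_{n}_last_used_date"], now)
            if idle is None or idle > MAX_INACTIVE_DAYS:
                findings.append((user, f"access key {n} unused for more than {MAX_INACTIVE_DAYS} days"))
        for n in active_certs:
            age = _days_since(row[f"cert_{n}_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"certificate {n} older than {MAX_KEY_AGE_DAYS} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

On the constructed report, `alice` passes every check, the root row is flagged for keys, a certificate and missing MFA, `bob` is flagged for missing MFA, two active keys and stale credentials, and `svc-deploy` is flagged as a user with no access at all. To run this against a real account, replace `SAMPLE_REPORT` with the decoded `Content` field of the `get_credential_report` response.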

Inactive Role

Inactive roles should be cleaned up.

Addresses: Security

Role Service Inactivity

Roles which have access to services but have not used them in the past several days should be reviewed and cleaned up.

Addresses: Security

Role Inline policies

Roles should not have inline policies attached to them.

Addresses: Security

Groups without users

Empty groups should be cleaned up and should not linger around.

Addresses: Security

ELB Certificate Rotation

Ensures that you rotate your certificate before the configured number of days elapses.

Addresses: Security

Complex Password Policy

The password policy should be strict enough that users cannot set passwords which are easy to guess or crack.

Addresses: Security
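A password policy check is a comparison of the account's policy document against a set of minimums. The code below is an added example for this page, not Cloudanix's own implementation. It evaluates a dict in the shape returned by `iam get-account-password-policy` and shows a weak policy beside a hardened one. The thresholds in `POLICY_REQUIREMENTS` and both sample policies are assumptions chosen for the example, not values the checklist prescribes.

```python
# Minimums this example enforces (assumed values, adjust to your standard).
POLICY_REQUIREMENTS = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,            # days; absent or 0 means passwords never expire
    "PasswordReusePrevention": 24,   # number of previous passwords remembered
}


def check_password_policy(policy, requirements=POLICY_REQUIREMENTS):
    """Return a list of failures; an empty list means the policy meets every requirement.

    `policy` has the shape of the PasswordPolicy dict from get-account-password-policy.
    """
    failures = []
    for key, wanted in requirements.items():
        actual = policy.get(key)
        if isinstance(wanted, bool):
            # Boolean requirements must match exactly; a missing key counts as False.
            if actual is not wanted:
                failures.append(f"{key} should be {wanted}, got {actual}")
        elif key == "MaxPasswordAge":
            # Upper bound: an unset or zero age means no expiry at all.
            if not actual or actual > wanted:
                failures.append(f"{key} should be at most {wanted} days, got {actual}")
        else:
            # Lower bound for length and reuse-prevention counts.
            if actual is None or actual < wanted:
                failures.append(f"{key} should be at least {wanted}, got {actual}")
    return failures


# Constructed: a weak policy that requires little more than a short password.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

# Constructed: the corrected policy. Only keys accepted by
# update-account-password-policy are used, so this dict can be applied as-is.
HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        failures = check_password_policy(policy)
        print(f"{name}: {'OK' if not failures else ''}")
        for failure in failures:
            print(f"  - {failure}")
```

Against a live account, feed `check_password_policy` the `PasswordPolicy` element of the `get_account_password_policy` response; note that the call raises `NoSuchEntity` when no policy has ever been set, which is itself a failing result.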


Not ready for a free signup yet? No worries!

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.