Ensure IAM password policy prevents password reuse
Ensure CloudTrail log file validation is enabled
Ensure CloudTrail is enabled in all Regions
Ensure CloudTrail logging is enabled
Ensure IAM policies that allow full *-* administrative privileges are not created
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
Disallow policies from using the AWS AdministratorAccess policy
Ensure all data stored in RDS is not publicly accessible
Ensure rotation for customer created CMKs is enabled
Ensure VPC subnets do not assign public IP by default
Ensure Kinesis Stream is securely encrypted
Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)
Ensure Kinesis Firehose delivery stream is encrypted
Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK
Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK
Ensure no IAM policy documents allow * as a statement's actions
Ensure AWS IAM policy does not allow full IAM privileges
Ensuring that no AWS IAM policy grants full IAM privileges reduces the risk of unauthorized access and data breaches. By limiting the permissions of each IAM role, you make sure that even if an attacker gains access to your AWS account, they do not obtain full control over all resources.
The existence of full IAM privileges within your AWS infrastructure makes it difficult to track and manage access to resources. It violates the principle of least privilege, which states that an entity must be able to access only the information and resources necessary for its legitimate purpose.
Implementing this policy aids cloud governance and compliance. Legal and regulatory standards may prohibit granting unlimited access to your data and services, so by preventing full IAM privileges you help ensure your organization remains compliant and avoids potential fines or legal issues.
Granting full access means that any mistake or misconfiguration could result in large-scale problems. For example, an erroneously executed command could delete all of your resources, or a misconfigured access control could expose your data publicly. By limiting permissions, you reduce the likelihood of such catastrophic errors.
Ensure that RDS global clusters are encrypted
Ensure RDS Cluster activity streams are encrypted using KMS CMKs
Ensure IAM password policy expires passwords within 90 days or less
Ensure IAM password policy requires minimum length of 14 or greater
Ensure IAM password policy requires at least one lowercase letter
Ensure IAM password policy requires at least one number
Ensure IAM password policy requires at least one symbol
Ensure IAM password policy requires at least one uppercase letter
Ensure VPC flow logging is enabled in all VPCs
Ensure EBS default encryption is enabled
Ensure all data stored in the EBS is securely encrypted
Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
Ensure all data stored in Aurora is securely encrypted at rest
Ensure the default security group of every VPC restricts all traffic