This is a part of the Garrison security project. This agent mainly provides compliance alerts and other basic checks.
| Function Name | Description |
|---|---|
check_mfa |
Alerts for IAM Users that have no MFA devices and console access |
check_unused |
Alerts for IAM Access Keys that have not been used in the last X days |
Docker Hub - https://hub.docker.com/r/forward3d/garrison-agent-aws-iam/
docker pull forward3d/garrison-agent-aws-guardduty
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" forward3d/garrison-agent-aws-iam check_mfa
As this requires access to the AWS API you will need this IAM policy as a minimum for it to operate correctly.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:GetAccessKeyLastUsed",
"iam:ListUsers",
"iam:ListMFADevices",
"iam:ListAccessKeys"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
We recommend using EC2/ECS Task roles so that you don't need to send credentials into the container, however if you can't use those or want to send in specific Access Keys and Secret keys, please see the AWS Documentation as to how you do that.
Some checks provided by this agent have extra configuration options.
| Environmental Variable | Default |
|---|---|
GARRISON_IAM_THRESHOLD |
90 |