# Tag set shared by the IAM benchmark and every control in this file.
# It extends the mod-wide local.foundational_security_common_tags (defined in
# another file of the mod, not visible here) with the service identifier,
# so every IAM control can be filtered by service = "AWS/IAM".
locals {
  foundational_security_iam_common_tags = merge(local.foundational_security_common_tags, {
    service = "AWS/IAM"
  })
}
# AWS Foundational Security Best Practices - IAM section.
# Groups the IAM controls defined below (items 1-8 and 21). Items 9-20 are
# not referenced here; presumably they do not map to controls in this mod -
# confirm against the upstream FSBP control list before treating this
# benchmark as complete coverage of the IAM section.
benchmark "foundational_security_iam" {
  title         = "IAM"
  documentation = file("./foundational_security/docs/foundational_security_iam.md")
  children = [
    control.foundational_security_iam_1,
    control.foundational_security_iam_2,
    control.foundational_security_iam_3,
    control.foundational_security_iam_4,
    control.foundational_security_iam_5,
    control.foundational_security_iam_6,
    control.foundational_security_iam_7,
    control.foundational_security_iam_8,
    control.foundational_security_iam_21
  ]
  # type = "Benchmark" lets dashboards distinguish this node from its controls.
  tags = merge(local.foundational_security_iam_common_tags, {
    type = "Benchmark"
  })
}
# IAM.1 - no customer managed policy may grant 'Action': '*' on 'Resource': '*'.
# Scope caveats a reviewer should keep in mind:
#   - Per the description, only the default policy version is evaluated and
#     inline and AWS managed policies are out of scope.
#   - The query name ("..._custom_attached_...") suggests only *attached*
#     customer managed policies are evaluated; an unattached policy carrying
#     *:* would then not be reported - confirm against the query definition,
#     which lives outside this file.
#   - Only the literal Action:* / Resource:* pair is described; equivalent
#     grants expressed via NotAction/NotResource, or per-service wildcards
#     ("s3:*"), are not covered here (see iam_21 for service wildcards).
control "foundational_security_iam_1" {
  title         = "1 IAM policies should not allow full '*' administrative privileges"
  description   = "This control checks whether the default version of IAM policies (also known as customer managed policies) has administrator access that includes a statement with 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'. The control only checks the customer managed policies that you create. It does not check inline and AWS managed policies."
  severity      = "high"
  query         = query.iam_policy_custom_attached_no_star_star
  documentation = file("./foundational_security/docs/foundational_security_iam_1.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_1"
    foundational_security_category = "secure_access_management"
  })
}
# IAM.2 - IAM users should carry no policies of their own; permissions are
# meant to flow from groups or roles so that access can be reviewed and revoked
# in one place. The query name indicates both inline and attached (managed)
# user policies are considered. Severity "low" follows the FSBP rating: this is
# a hygiene control, not a direct exposure.
control "foundational_security_iam_2" {
  title         = "2 IAM users should not have IAM policies attached"
  description   = "This control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles."
  severity      = "low"
  query         = query.iam_user_no_inline_attached_policies
  documentation = file("./foundational_security/docs/foundational_security_iam_2.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_2"
    foundational_security_category = "secure_access_management"
  })
}
# IAM.3 - active access keys older than 90 days fail. The 90-day threshold is
# baked into the query name (iam_user_access_key_age_90); changing the window
# means pointing at a different query, not editing this control. Per the
# description only *active* keys are evaluated, so stale inactive keys are not
# reported here - iam_8 (unused credentials) is the complementary check.
control "foundational_security_iam_3" {
  title         = "3 IAM users' access keys should be rotated every 90 days or less"
  description   = "This control checks whether the active access keys are rotated within 90 days."
  severity      = "medium"
  query         = query.iam_user_access_key_age_90
  documentation = file("./foundational_security/docs/foundational_security_iam_3.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_3"
    foundational_security_category = "secure_access_management"
  })
}
# IAM.4 - the root user must have no access keys. Root credentials cannot be
# constrained by IAM policy, so a root key is an unbounded programmatic
# credential; hence "critical". The description speaks of presence only, so
# an inactive root key is presumably still a finding - confirm against the
# query if a deactivated-but-not-deleted key is expected to pass.
control "foundational_security_iam_4" {
  title         = "4 IAM root user access key should not exist"
  description   = "This control checks whether the root user access key is present. The root account is the most privileged user in an AWS account. AWS access keys provide programmatic access to a given account."
  severity      = "critical"
  query         = query.iam_root_user_no_access_keys
  documentation = file("./foundational_security/docs/foundational_security_iam_4.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_4"
    foundational_security_category = "secure_access_management"
  })
}
# IAM.5 - every IAM user with a console password must have MFA enabled.
# Users without a console password (access-key-only identities) are out of
# scope by the description. Unlike iam_6, this control does not distinguish
# hardware from virtual MFA: any enabled MFA device satisfies it.
control "foundational_security_iam_5" {
  title         = "5 MFA should be enabled for all IAM users that have a console password"
  description   = "This control checks whether AWS multi-factor authentication (MFA) is enabled for all IAM users that use a console password."
  severity      = "medium"
  query         = query.iam_user_console_access_mfa_enabled
  documentation = file("./foundational_security/docs/foundational_security_iam_5.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_5"
    foundational_security_category = "secure_access_management"
  })
}
# IAM.6 - the root user must be protected by a *hardware* MFA device.
# This is stricter than iam_5: a root user with only a virtual (software) MFA
# device is presumably reported as a failure by this query - confirm against
# the query definition, which is not in this file. Rated "critical" because
# root is unconstrained by IAM policy.
control "foundational_security_iam_6" {
  title         = "6 Hardware MFA should be enabled for the root user"
  description   = "This control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials."
  severity      = "critical"
  query         = query.iam_root_user_hardware_mfa_enabled
  documentation = file("./foundational_security/docs/foundational_security_iam_6.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_6"
    foundational_security_category = "secure_access_management"
  })
}
# IAM.7 - the account password policy must meet the FSBP "recommended
# configurations". The description does not enumerate them; the query name
# (..._strong_min_length_8) indicates a minimum length of 8 is one of them.
# If your baseline requires a longer minimum, this control will not enforce it
# and a separate query is needed - do not reuse this control as a general
# password-policy check without reading the query.
control "foundational_security_iam_7" {
  title         = "7 Password policies for IAM users should have strong configurations"
  description   = "This control checks whether the account password policy for IAM users uses the recommended configurations."
  severity      = "medium"
  query         = query.iam_account_password_policy_strong_min_length_8
  documentation = file("./foundational_security/docs/foundational_security_iam_7.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_7"
    foundational_security_category = "secure_access_management"
  })
}
# IAM.8 - flag IAM users whose console password or active access key has gone
# unused for 90 days. Dormant credentials are a favourite target because their
# misuse is unlikely to be noticed by the owner. The 90-day window is fixed by
# the query name (iam_user_unused_credentials_90). Complements iam_3, which
# checks key *age* rather than last use.
control "foundational_security_iam_8" {
  title         = "8 Unused IAM user credentials should be removed"
  description   = "This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days."
  severity      = "medium"
  query         = query.iam_user_unused_credentials_90
  documentation = file("./foundational_security/docs/foundational_security_iam_8.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_8"
    foundational_security_category = "secure_access_management"
  })
}
# IAM.21 - customer managed policies must not grant 'Action': 'Service:*'
# (e.g. all actions of one service). This narrows the gap left by iam_1, which
# only catches the fully-wildcarded '*' action. Note the query name
# (iam_all_policy_...) differs from iam_1's "_custom_attached_" query, which
# suggests this one also inspects policies that are not attached to any
# principal - confirm against the query definition outside this file before
# relying on the two controls having the same scope.
control "foundational_security_iam_21" {
  title         = "21 IAM customer managed policies that you create should not allow wildcard actions for services"
  description   = "This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'."
  severity      = "low"
  query         = query.iam_all_policy_no_service_wild_card
  documentation = file("./foundational_security/docs/foundational_security_iam_21.md")
  tags = merge(local.foundational_security_iam_common_tags, {
    foundational_security_item_id  = "iam_21"
    foundational_security_category = "secure_access_management"
  })
}