IAM Users Password Policy Requires Special Characters
The use of special characters in passwords is not recommended.
IAM defines who can access what within AWS. Overly permissive roles, poor policy design, and lack of auditing can lead to widespread compromise. Least privilege and continuous review are essential.
AWS IAM user passwords should require at least 8 characters and include a variety of character types.
AWS Account Password Policies should prevent users from utilizing previous passwords.
AWS accounts should have a custom password policy rather than relying on the default password policy.
AWS Account Password Policy should not require hard password resets, where passwords are reset only by an administrator.
IAM user passwords should not expire.
AWS account password policies should allow users to change their own passwords.
AWS IAM user passwords should include all variations of characters if the password is less than 15 characters.
AWS IAM Users should have MFA enabled and active.
AWS IAM users that are inactive should be deleted.
AWS IAM Users should have a single Access Key and not multiple Access Keys.
AWS IAM Users should not have long-term inactive Access Keys.
AWS IAM Users have a per-user limit for Access Keys; hitting this limit interferes with the ability to cycle Access Keys and contributes to the overall account Access Key Limit.
AWS IAM Users should not have unused Access Keys.
The AWS Root User should have an MFA device enabled and active.
AWS Accounts have a limit on the number of Access Keys they can issue. This should be monitored and managed to prevent reaching the limit, which can block regular key rotation processes.
AWS root account users should not have attached Signing Certificates.
The AWS Root Account User should not utilise Access Keys.