IAM

Caligo provides the following security rules for AWS IAM:

  • User access keys should be rotated every 90 days or less

  • Access keys should not be set up at initial user setup for IAM users with passwords

  • IAM credentials (access keys and passwords) unused for 90 days or more should be disabled

  • Expired SSL/TLS certificates stored in AWS IAM should be removed

  • MFA should be enabled for all IAM users with a console password

  • IAM groups, users, and roles should not have any inline policies

  • No root account access keys should exist

  • Full '*' administrative privileges should not be allowed through IAM policies

  • IAM policies should be attached to groups and roles rather than directly to IAM users

  • Password policy should expire passwords within 90 days or less

  • Password policy should require at least one lowercase character

  • Password policy should require a minimum length of at least 14

  • Password policy should require at least one number character

  • Password policy should prevent reuse of at least the last 24 passwords

  • Password policy should require at least one symbol character

  • Password policy should require at least one uppercase character

  • The root account should not be actively used

  • MFA should be enabled for the root account

  • An IAM user, group, or role should exist with the specific permissions needed to manage AWS Support cases

  • IAM users should have at most one active access key

  • Each IAM user should belong to at least one group
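Most of the rules above can be evaluated from two artefacts: the IAM credential report (one CSV row per user plus the root account) and JSON documents (customer-managed policies and the account password policy). The following is an added example of how such checks look in code; it is not Caligo's own implementation. It runs offline on constructed sample data shaped like those artefacts, covers the access-key age, unused-credential, MFA, root-key, single-active-key, full-'*'-admin and password-policy rules, and uses a fixed clock so the results are reproducible. Real reports and policies contain more columns and fields than shown here.

```python
"""Offline checks for several of the IAM rules listed above.

Added example, not Caligo's own code. It evaluates inputs a scanner would
normally fetch with the AWS SDK: rows shaped like the IAM credential report
(`aws iam get-credential-report`, base64-decoded CSV), IAM policy documents
and the account password policy (JSON). All sample data below is constructed
for this example; no AWS call is made.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # "rotated every 90 days or less"
MAX_UNUSED_DAYS = 90    # "unused for 90 days or more should be disabled"
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # fixed clock so results are stable

# Constructed credential-report excerpt (real reports carry more columns).
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,false,true,2020-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-01T00:00:00+00:00,true,2024-05-01T10:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-01-01T00:00:00+00:00,true,2023-01-02T00:00:00+00:00,false,true,2023-01-01T00:00:00+00:00,2023-02-01T00:00:00+00:00,true,2024-04-15T00:00:00+00:00,N/A
"""

# Constructed policy documents.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17",
                 "Statement": {"Effect": "Allow", "Action": ["s3:GetObject"],
                               "Resource": "arn:aws:s3:::example-bucket/*"}}
# Shape of get-account-password-policy; MaxPasswordAge and PasswordReusePrevention
# are simply absent when they have never been set.
WEAK_PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False,
                        "RequireNumbers": True, "RequireUppercaseCharacters": True,
                        "RequireLowercaseCharacters": True}


def _parse_ts(value):
    """Report timestamps are ISO-8601; N/A / no_information / not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def check_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for the key, password, MFA and root rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, "root access key exists"))
            if row["mfa_active"] != "true":
                findings.append((user, "root MFA not enabled"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console user without MFA"))
            # A never-used password is measured from user creation instead.
            ref = _parse_ts(row["password_last_used"]) or _parse_ts(row["user_creation_time"])
            if ref and now - ref > timedelta(days=MAX_UNUSED_DAYS):
                findings.append((user, "password unused >90 days"))
        active_keys = 0
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            active_keys += 1
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {slot} older than 90 days"))
            # A never-used key is measured from the date it was created/rotated.
            ref = _parse_ts(row[f"access_key_{slot}_last_used_date"]) or rotated
            if ref and now - ref > timedelta(days=MAX_UNUSED_DAYS):
                findings.append((user, f"access key {slot} unused >90 days"))
        if active_keys > 1:
            findings.append((user, "more than one active access key"))
    return findings


def _as_list(value):
    """Policy JSON allows a single string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_doc):
    """True if an Allow statement grants Action '*' on Resource '*' (the full-'*' rule)."""
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def password_policy_findings(policy):
    """Compare an account password policy against the password rules listed above."""
    rules = {
        "MinimumPasswordLength": (lambda v: v >= 14, "minimum length < 14"),
        "RequireSymbols": (lambda v: v is True, "symbols not required"),
        "RequireNumbers": (lambda v: v is True, "numbers not required"),
        "RequireUppercaseCharacters": (lambda v: v is True, "uppercase not required"),
        "RequireLowercaseCharacters": (lambda v: v is True, "lowercase not required"),
        "MaxPasswordAge": (lambda v: 0 < v <= 90, "passwords do not expire within 90 days"),
        "PasswordReusePrevention": (lambda v: v >= 24, "reuse prevention < 24"),
    }
    return [msg for key, (ok, msg) in rules.items()
            if policy.get(key) is None or not ok(policy[key])]


if __name__ == "__main__":
    for user, finding in check_credential_report(CREDENTIAL_REPORT):
        print(f"{user}: {finding}")
    print("ADMIN_POLICY grants full admin:", grants_full_admin(ADMIN_POLICY))
    print("SCOPED_POLICY grants full admin:", grants_full_admin(SCOPED_POLICY))
    print("password policy findings:", password_policy_findings(WEAK_PASSWORD_POLICY))
```

Two details matter in practice: a key or password that has never been used has no last-used date, so its age is measured from creation (or last rotation) rather than skipped, and an absent `MaxPasswordAge` or `PasswordReusePrevention` field in the password policy means the control is off, not that it passed.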
