Misconfigurations
IAM
ZeusCloud provides the following security rules for AWS IAM:
- User access keys should be rotated every 90 days or less
- Access keys should not be set up at initial user setup for IAM users with passwords
- IAM credentials (access keys and passwords) unused for 90 days or more should be disabled
- Expired SSL/TLS certificates stored in AWS IAM should be removed
- MFA should be enabled for all IAM users with a console password
- IAM groups, users, and roles should not have any inline policies
- No root account access keys should exist
- Full '*' administrative privileges shouldn't be allowed through IAM policies
- IAM policies should not be connected to IAM users, but rather groups and roles
- Password policy should expire passwords within 90 days or less
- Password policy should require at least one lowercase character
- Password policy should require a minimum length of at least 14 characters
- Password policy should require at least one number character
- Password policy should prevent reuse of at least the last 24 passwords
- Password policy should require at least one symbol character
- Password policy should require at least one uppercase character
- Root Account should not be actively used
- MFA should be enabled for the root account
- An IAM user, group, or role should have the specific permissions needed to coordinate with AWS Support
- IAM users should each only have at most one active access key
- IAM users should each be associated with at least one group
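As an added example (not ZeusCloud's own code), the following Python evaluates several of the rules above (key rotation, unused credentials, MFA for console users, root access keys and root usage, more than one active key) against an IAM credential report of the kind `aws iam get-credential-report` returns. It assumes the report's standard column names, a fixed 90-day threshold, a constructed sample report that carries only a subset of the real columns, and that a never-used password or key is aged from its creation or rotation date.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # rotation / inactivity threshold used by the rules above

def _parse(ts):
    """Report timestamps are ISO-8601; 'N/A', 'no_information' etc. mean 'never'."""
    if ts in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _stale(ts, now):
    return ts is not None and now - ts > timedelta(days=MAX_AGE_DAYS)

def check_credential_report(report_csv, now):
    """Return sorted (user, finding) pairs for rule violations in a credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys = [n for n in "12" if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            if keys:
                findings.append((user, "root account has access keys"))
            if (used := _parse(row["password_last_used"])) and not _stale(used, now):
                findings.append((user, "root account used within 90 days"))
            continue  # the remaining rules apply to ordinary IAM users
        # Assumption: a never-used password or key is aged from its creation/rotation date.
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            if _stale(_parse(row["password_last_used"]) or _parse(row["user_creation_time"]), now):
                findings.append((user, "password unused for 90+ days"))
        if len(keys) > 1:
            findings.append((user, "more than one active access key"))
        for n in keys:
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if _stale(rotated, now):
                findings.append((user, f"access key {n} older than 90 days"))
            if _stale(_parse(row[f"access_key_{n}_last_used_date"]) or rotated, now):
                findings.append((user, f"access key {n} unused for 90+ days"))
    return sorted(findings)

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T09:00:00+00:00,true,true,2020-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-25T08:00:00+00:00,false,true,2024-01-01T00:00:00+00:00,2024-05-25T08:00:00+00:00,true,2024-05-01T00:00:00+00:00,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-10T00:00:00+00:00,false,no_information,false,true,2023-12-01T00:00:00+00:00,2024-01-15T00:00:00+00:00,false,N/A,N/A
"""  # constructed sample (subset of the real columns): root plus two users
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the result is reproducible
```

Running `check_credential_report(SAMPLE_REPORT, NOW)` flags the root access key and recent root login, alice's missing MFA, second active key and stale first key, and bob's old, unused key; a real report can be fed in unchanged.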