ZeusCloud provides the following security rules for AWS IAM:

• User access keys should be rotated every 90 days or less
• Access keys should not be set up at initial user setup for IAM users with passwords
• IAM credentials (access keys and passwords) unused for 90 days or more should be disabled
• Expired SSL/TLS certificates stored in AWS IAM should be removed
• MFA should be enabled for all IAM users with a console password
• IAM groups, users, and roles should not have any inline policies
• No root account access keys should exist
• Full ’*’ administrative privileges shouldn’t be allowed through IAM policies
• IAM policies should not be connected to IAM users, but rather groups and roles
• Password policy should expire passwords within 90 days or less
• Password policy should require at least one lowercase character
• Password policy should require a minimum length of at least 14
• Password policy should require at least one number character
• Password policy should prevent password reuse: 24 or greater
• Password policy should require at least one symbol character
• Password policy should require at least one uppercase character
• Root Account should not be actively used
• MFA should be enabled for the root account
• An IAM user, group, or role has specific permissions to coordinate AWS support
• IAM users should each only have at most one active access key
• IAM user should be associated with at least 1 group