Amazon IAM
Overview
Critical: 2
High: 12
Medium: 8
Low: 20
Informational: 1
Security issues (43)
Severity | Non-Compliance | Resource | Issue | Remediation
---|---|---|---|---
Medium | CIS 1.5 (v1.3.0), PCI DSS 8.4 | IAM | The root user has no multi-factor authentication (MFA) device. | Enable an MFA device, preferably a hardware token, for the AWS account root user.
Medium | CIS 1.7 (v1.2.0) | IAM | The account password policy for IAM users does not require at least one symbol. | Set a custom account password policy that enforces character complexity, a minimum length, a maximum password age and reuse prevention.
Medium | CIS 1.5 (v1.2.0) | IAM | The account password policy for IAM users does not require at least one uppercase letter. | Set a custom account password policy that enforces character complexity, a minimum length, a maximum password age and reuse prevention.
Medium | CIS 1.6 (v1.2.0) | IAM | The account password policy for IAM users does not require at least one lowercase letter. | Set a custom account password policy that enforces character complexity, a minimum length, a maximum password age and reuse prevention.
Low | PCI DSS 8.2.5 | IAM | The account password policy for IAM users does not prevent reuse of at least the last four passwords. | Set PasswordReusePrevention in the account password policy to at least 4 (CIS recommends 24).
Medium | PCI DSS 8.2.4 | IAM | The account password policy for IAM users does not expire passwords. | Set a maximum password age of 90 days or less in the account password policy.
Medium | PCI DSS 8.4 | root | The root user does not have multi-factor authentication (MFA) enabled. | Enable MFA for the root user. PCI DSS v3.2.1 Requirement 8.3: secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
Medium | CIS 1.10 (v1.3.0), PCI DSS 8.4 | Rony | IAM user "Rony" has a console password but no multi-factor authentication (MFA) device. | Enable an MFA device for the user. PCI DSS v3.2.1 Requirement 8.3.1: incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
Low | CIS 1.11 (v1.3.0) | Rony | IAM user "Rony" has both an access key for programmatic access and a password for signing in to the AWS Management Console. | Use a separate identity for programmatic access, preferably a role with short-lived credentials rather than a second user with long-lived access keys.
Critical | — | Rony | IAM user "Rony" has two active access keys. A second key is only needed while the first is being rotated; leaving both enabled doubles the long-lived credentials that can leak. | Check each key's last-used date, deactivate the key that is no longer needed, and delete it once nothing has broken.
Low | — | Rony | IAM user "Rony" has managed policies attached directly to the user. | Attach policies only to groups or roles and grant the user its permissions through group membership.
Low | — | Rony | IAM user "Rony" is one of 8 IAM users with administrative permissions. Every additional administrator increases the risk of a data breach. | Limit administrative permissions to a minimal set of IAM users (the report suggests two) and give every other user only the permissions its tasks require.
Medium | CIS 1.10 (v1.3.0), PCI DSS 8.4 | Sergei | IAM user "Sergei" has a console password but no multi-factor authentication (MFA) device. | Enable an MFA device for the user. PCI DSS v3.2.1 Requirement 8.3.1: incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
Low | CIS 1.11 (v1.3.0) | Sergei | IAM user "Sergei" has both an access key for programmatic access and a password for signing in to the AWS Management Console. | Use a separate identity for programmatic access, preferably a role with short-lived credentials rather than a second user with long-lived access keys.
Critical | — | Sergei | IAM user "Sergei" has two active access keys. A second key is only needed while the first is being rotated; leaving both enabled doubles the long-lived credentials that can leak. | Check each key's last-used date, deactivate the key that is no longer needed, and delete it once nothing has broken.
Low | — | Sergei | IAM user "Sergei" has inline policies embedded in the user. | Attach policies only to groups or roles and grant the user its permissions through group membership.
Low | — | Sergei | IAM user "Sergei" is one of 8 IAM users with administrative permissions. Every additional administrator increases the risk of a data breach. | Limit administrative permissions to a minimal set of IAM users (the report suggests two) and give every other user only the permissions its tasks require.
Low | — | cloudsploit | IAM user "cloudsploit" has managed policies attached directly to the user. | Attach policies only to groups or roles and grant the user its permissions through group membership.
Low | — | semaProgrammatic | IAM user "semaProgrammatic" has managed policies attached directly to the user. | Attach policies only to groups or roles and grant the user its permissions through group membership.
Low | — | semaProgrammatic | IAM user "semaProgrammatic" is one of 8 IAM users with administrative permissions. Every additional administrator increases the risk of a data breach. | Limit administrative permissions to a minimal set of IAM users (the report suggests two) and give every other user only the permissions its tasks require.
Low | — | ses-smtp-user.20210305-143809 | IAM user "ses-smtp-user.20210305-143809" has inline policies embedded in the user. | Attach policies only to groups or roles and grant the user its permissions through group membership.
Low | — | SysDigMonitor | IAM user "SysDigMonitor" has managed policies attached directly to the user. | Attach policies only to groups or roles and grant the user its permissions through group membership.
Low | — | SysDigMonitor | IAM user "SysDigMonitor" is one of 8 IAM users with administrative permissions. Every additional administrator increases the risk of a data breach. | Limit administrative permissions to a minimal set of IAM users (the report suggests two) and give every other user only the permissions its tasks require.
Low | — | test | IAM user "test" inherits the inline policy "test-inline-policy-for-group" from its group "test-group". | Replace the group's inline policy with a customer managed policy; managed policies are reusable, versioned and easier to review.
Low | — | test | IAM user "test" has managed policies attached directly to the user. | Attach policies only to groups or roles and grant the user its permissions through group membership.
Low | — | test | IAM user "test" is one of 8 IAM users with administrative permissions. Every additional administrator increases the risk of a data breach. | Limit administrative permissions to a minimal set of IAM users (the report suggests two) and give every other user only the permissions its tasks require.
Low | — | test2 | IAM user "test2" inherits the inline policy "test-inline-policy-for-group" from its group "test-group". | Replace the group's inline policy with a customer managed policy; managed policies are reusable, versioned and easier to review.
Low | — | test2 | IAM user "test2" is one of 8 IAM users with administrative permissions. Every additional administrator increases the risk of a data breach. | Limit administrative permissions to a minimal set of IAM users (the report suggests two) and give every other user only the permissions its tasks require.
High | — | amplify-login-lambda-69749404 | IAM role "amplify-login-lambda-69749404" has never been used. | Remove the role once you have confirmed nothing depends on it.
High | — | AWS-QuickSetup-StackSet-Local-ExecutionRole | IAM role "AWS-QuickSetup-StackSet-Local-ExecutionRole" can be assumed without requiring MFA or an external ID. The trusted principal is "arn:aws:iam::531239714189:role/AWS-QuickSetup-StackSet-Local-AdministrationRole", a role in the same account. | Add an aws:MultiFactorAuthPresent or sts:ExternalId condition to the trust policy if the role is to be assumed by people or by another account. Here the trusted principal is a single role in this account (the standard CloudFormation StackSets self-managed permissions setup), so an external ID adds little; verify instead that the administration role can be assumed only by cloudformation.amazonaws.com, as the roles table below shows.
Low | — | AWS-QuickSetup-StackSet-Local-ExecutionRole | IAM role "AWS-QuickSetup-StackSet-Local-ExecutionRole" has the AWS managed policy AdministratorAccess attached. | Scope the role's permissions to the resources the stack set actually deploys and avoid wildcards where possible.
High | — | service-role/AWSDataLifecycleManagerDefaultRoleForAMIManagement | IAM role "AWSDataLifecycleManagerDefaultRoleForAMIManagement" has never been used. | Remove the role once you have confirmed nothing depends on it.
High | — | service-role/DAXtoDynamoDB | IAM role "DAXtoDynamoDB" has never been used. | Remove the role once you have confirmed nothing depends on it.
High | — | ecsSpotFleetRole | IAM role "ecsSpotFleetRole" has never been used. | Remove the role once you have confirmed nothing depends on it.
High | — | EMR_AutoScaling_DefaultRole | IAM role "EMR_AutoScaling_DefaultRole" has never been used. | Remove the role once you have confirmed nothing depends on it.
Low | — | service-role/hello-world-python-role-ufk4srq3 | IAM role "hello-world-python-role-ufk4srq3" has been inactive for more than 90 days. | Remove the role once you have confirmed nothing depends on it.
High | — | service-role/KinesisFirehoseServiceRole-stream3-us-east-1-1614218937171 | IAM role "KinesisFirehoseServiceRole-stream3-us-east-1-1614218937171" has never been used. | Remove the role once you have confirmed nothing depends on it.
High | — | my-test-role-no-policies | IAM role "my-test-role-no-policies" can be assumed without requiring MFA or an external ID. The trusted principal is "arn:aws:iam::531239714189:root", i.e. the whole account: any IAM identity in it that is allowed sts:AssumeRole on this role can assume it. | Restrict the trust policy to specific roles or users and require MFA (aws:MultiFactorAuthPresent) or, for cross-account use, an external ID (sts:ExternalId). Since the role has also never been used (next row), removing it is the simpler fix.
High | — | my-test-role-no-policies | IAM role "my-test-role-no-policies" has never been used. | Remove the role once you have confirmed nothing depends on it.
High | — | service-role/StepFunctions-HelloWorld-role-3938622e | IAM role "StepFunctions-HelloWorld-role-3938622e" has never been used. | Remove the role once you have confirmed nothing depends on it.
High | — | service-role/test-role-5z4s12tw | IAM role "test-role-5z4s12tw" has never been used. | Remove the role once you have confirmed nothing depends on it.
High | — | service-role/test-role-e90ltcu0 | IAM role "test-role-e90ltcu0" has never been used. | Remove the role once you have confirmed nothing depends on it.
Informational | — | super-empty-group | IAM group "super-empty-group" has no members. | Remove IAM groups that have no members.
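The five password-policy rows above are all derived from one API object. The following added example (written for this page, not the scanner's code) evaluates a get_account_password_policy() result against the thresholds those rows cite and returns the update_account_password_policy() arguments that would clear them. The policy keys are the real boto3 names; the sample policy, the 14-character minimum and the 24-password reuse window (CIS recommendations) are assumptions.

```python
"""Evaluate an account password policy the way the report's five policy rows do.

Added example, not the scanner's code. Input is the dict returned by
boto3's iam.get_account_password_policy()["PasswordPolicy"], or None when
the account still runs on the AWS default policy. The thresholds are
assumptions: PCI DSS 8.2.4 (rotate within 90 days), PCI DSS 8.2.5
(remember at least the last 4 passwords) and the CIS AWS Foundations
recommendations of 14 characters minimum and 24 remembered passwords.
"""
from __future__ import annotations

MAX_PASSWORD_AGE_DAYS = 90
MIN_REUSE_PREVENTION = 4      # PCI DSS floor; CIS recommends 24
MIN_LENGTH = 14

# What AWS applies when no custom policy exists. Keys that the API omits
# (MaxPasswordAge, PasswordReusePrevention when unset) fall back to these.
DEFAULT_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": False,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "MaxPasswordAge": 0,
    "PasswordReusePrevention": 0,
}


def evaluate_password_policy(policy: dict | None) -> list[str]:
    """Return one finding string per failed check."""
    p = {**DEFAULT_POLICY, **(policy or {})}
    findings = []
    if not p["RequireSymbols"]:
        findings.append("does not require symbols")
    if not p["RequireUppercaseCharacters"]:
        findings.append("does not require uppercase letters")
    if not p["RequireLowercaseCharacters"]:
        findings.append("does not require lowercase letters")
    if not p["RequireNumbers"]:
        findings.append("does not require numbers")
    if p["MinimumPasswordLength"] < MIN_LENGTH:
        findings.append(f"minimum length {p['MinimumPasswordLength']} is below {MIN_LENGTH}")
    if p["PasswordReusePrevention"] < MIN_REUSE_PREVENTION:
        findings.append(f"prevents reuse of fewer than the last {MIN_REUSE_PREVENTION} passwords")
    if not 0 < p["MaxPasswordAge"] <= MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password expiration is not set or exceeds {MAX_PASSWORD_AGE_DAYS} days")
    return findings


def remediation_kwargs() -> dict:
    """Arguments for iam.update_account_password_policy() that clear every check above."""
    return {
        "MinimumPasswordLength": MIN_LENGTH,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "MaxPasswordAge": MAX_PASSWORD_AGE_DAYS,
        "PasswordReusePrevention": 24,
        "HardExpiry": False,   # let users replace an expired password themselves
    }


# Constructed policy that reproduces the report's five rows: no symbol,
# uppercase or lowercase requirement, reuse window of 3, no expiration.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "PasswordReusePrevention": 3,
}

if __name__ == "__main__":
    for finding in evaluate_password_policy(SAMPLE_POLICY):
        print("finding:", finding)
    # Apply with: boto3.client("iam").update_account_password_policy(**remediation_kwargs())
```

Running the sample produces exactly the five findings in the table; feeding the returned kwargs back into the evaluator produces none, which is a cheap regression check to keep next to the remediation.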
Users (8)
User name | Groups | Access key age | Password age | Last activity | MFA | Security issues
---|---|---|---|---|---|---
cloudsploit | None | 86 days | None | 60 days | Not enabled | 1 Low
Rony | Administrators, CloudFormationAlllAccess | 88 days | 92 days | Today | Not enabled | 1 Critical + 4 others
semaProgrammatic | Administrators, CloudFormationAlllAccess | 79 days | None | 75 days | Not enabled | 2 Low
Sergei | Administrators, CloudFormationAlllAccess | 26 days | 101 days | Today | Not enabled | 1 Critical + 4 others
ses-smtp-user.20210305-143809 | None | 40 days | None | None | Not enabled | 1 Low
SysDigMonitor | Administrators | 68 days | None | 31 days | Not enabled | 2 Low
test | test-group | 74 days | None | None | Virtual | 3 Low
test2 | test-group, Administrators and 2 more | 72 days | None | None | Not enabled | 2 Low
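The MFA, password-age and access-key-age columns in this table, and the per-user MFA, dual-credential and two-key rows above, all come from the IAM credential report. As an added example (not the tool's code), the script below parses a credential report CSV with the real column names and reproduces those checks, plus the 90-day age checks the table implies. The four-user report is constructed, not the scanned account; the account id, user names and the 90-day threshold are assumptions.

```python
"""Derive the per-user findings in the report from an IAM credential report.

Added example, not the scanner's code. Input is the CSV that
iam.get_credential_report()["Content"] returns (the column names are the
real ones, certificate columns omitted); the rows below are constructed,
not the scanned account. The 90-day rotation threshold is an assumption
(CIS 1.14 for access keys, PCI DSS 8.2.4 for passwords).
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone

ROTATION_DAYS = 90
REF = datetime(2021, 4, 15, 12, tzinfo=timezone.utc)  # "today" for the sample
ROOT = "<root_account>"


def _age_days(value: str, ref: datetime) -> int | None:
    """Days since an ISO-8601 timestamp; None for N/A, no_information, not_supported."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return (ref - datetime.fromisoformat(value)).days


def user_findings(row: dict, ref: datetime = REF) -> list[str]:
    """Checks for one credential-report row (CIS AWS Foundations v1.3.0 numbering)."""
    findings = []
    name = row["user"]
    # Root always has a console password; the report prints not_supported for it.
    has_password = name == ROOT or row["password_enabled"] == "true"
    keys_active = [row[f"access_key_{i}_active"] == "true" for i in (1, 2)]

    if has_password and row["mfa_active"] != "true":
        findings.append("MFA not enabled")                                 # CIS 1.5 / 1.10
    if name != ROOT and has_password and any(keys_active):
        findings.append("console password and access key on one user")     # CIS 1.11
    if all(keys_active):
        findings.append("two active access keys")                          # CIS 1.13
    for i, active in enumerate(keys_active, start=1):
        age = _age_days(row[f"access_key_{i}_last_rotated"], ref)
        if active and age is not None and age > ROTATION_DAYS:
            findings.append(f"access key {i} is {age} days old")           # CIS 1.14
    age = _age_days(row["password_last_changed"], ref)
    if has_password and age is not None and age > ROTATION_DAYS:
        findings.append(f"password is {age} days old")                     # PCI DSS 8.2.4
    return findings


def scan_credential_report(csv_text: str, ref: datetime = REF) -> dict[str, list[str]]:
    """Map user name -> findings for a whole credential report."""
    return {row["user"]: user_findings(row, ref)
            for row in csv.DictReader(io.StringIO(csv_text))}


# Constructed sample report (18 of the 22 real columns; account id is a placeholder).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T10:00:00+00:00,not_supported,2021-04-15T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
rony,arn:aws:iam::111122223333:user/rony,2020-06-01T09:00:00+00:00,true,2021-04-15T07:30:00+00:00,2021-01-13T09:00:00+00:00,N/A,false,true,2021-01-17T09:00:00+00:00,2021-04-15T07:00:00+00:00,us-east-1,sts,true,2021-03-20T09:00:00+00:00,N/A,N/A,N/A
automation,arn:aws:iam::111122223333:user/automation,2020-11-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-12-01T09:00:00+00:00,2021-04-14T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-06-01T09:00:00+00:00,true,2021-04-14T09:00:00+00:00,2021-03-01T09:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

if __name__ == "__main__":
    for user, findings in scan_credential_report(SAMPLE_REPORT).items():
        print(f"{user}: {findings or 'clean'}")
```

The programmatic-only user gets no MFA finding, matching the table above where "cloudsploit" and the SES SMTP user show "Not enabled" but are not flagged: MFA applies to console sign-in, so a key-only user is judged on key age instead.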
Groups (5)
Group name | Users | Inline policy | Security issues
---|---|---|---
Administrators | 7 | ⨉ | —
CloudFormationAlllAccess | 4 | ⨉ | —
empty-group | 1 | ⨉ | —
super-empty-group | 0 | ⨉ | 1 Informational
test-group | 2 | ✓ | —
Roles (94)
Role name | Trusted entities | Last activity | Security issues |
---|---|---|---|
AmazonComprehendMedicalServiceRole-comprehend-role | AWS service: comprehendmedical | 50 days | — |
AmazonComprehendMedicalServiceRole-comprehend-role2 | AWS service: comprehendmedical | 50 days | — |
AmazonComprehendMedicalServiceRole-comprehend-role3 | AWS service: comprehendmedical | 50 days | — |
AmazonComprehendMedicalServiceRole-comprehend-role4 | AWS service: comprehendmedical | 50 days | — |
AmazonComprehendServiceRole-comprehend-role4 | AWS service: comprehend | 50 days | — |
AmazonComprehendServiceRole-new-role | AWS service: comprehend | 50 days | — |
AmazonSageMaker-ExecutionRole-20210218T192806 | AWS service: sagemaker | Today | — |
AmazonSSMRoleForInstancesQuickSetup | AWS service: ec2 | 40 days | — |
amplify-login-lambda-69749404 | AWS service: lambda | None | 1 High
aws-elasticbeanstalk-ec2-role | AWS service: ec2 | 39 days | — |
aws-elasticbeanstalk-service-role | AWS service: elasticbeanstalk | Today | — |
AWS-QuickSetup-StackSet-Local-AdministrationRole | AWS service: cloudformation | 51 days | — |
AWS-QuickSetup-StackSet-Local-ExecutionRole | Account: 531239714189 | 51 days | 1 High + 1 other
AWSDataLifecycleManagerDefaultRole | AWS service: dlm | 39 days | — |
AWSDataLifecycleManagerDefaultRoleForAMIManagement | AWS service: dlm | None | 1 High
AWSServiceRoleForAmazonEKS | AWS service: eks (Service-Linked role) | Today | — |
AWSServiceRoleForAmazonEKSForFargate | AWS service: eks-fargate (Service-Linked role) | Today | — |
AWSServiceRoleForAmazonEKSNodegroup | AWS service: eks-nodegroup (Service-Linked role) | Today | — |
AWSServiceRoleForAmazonElasticFileSystem | AWS service: elasticfilesystem (Service-Linked role) | 16 days | — |
AWSServiceRoleForAmazonElasticsearchService | AWS service: es (Service-Linked role) | 39 days | — |
AWSServiceRoleForAmazonGuardDuty | AWS service: guardduty (Service-Linked role) | 2 days | — |
AWSServiceRoleForAmazonSSM | AWS service: ssm (Service-Linked role) | Today | — |
AWSServiceRoleForAPIGateway | AWS service: ops.apigateway (Service-Linked role) | None | — |
AWSServiceRoleForApplicationAutoScaling_DynamoDBTable | AWS service: dynamodb.application-autoscaling (Service-Linked role) | Today | — |
AWSServiceRoleForAutoScaling | AWS service: autoscaling (Service-Linked role) | Today | — |
AWSServiceRoleForAWSCloud9 | AWS service: cloud9 (Service-Linked role) | 99 days | — |
AWSServiceRoleForAWSLicenseManagerRole | AWS service: license-manager (Service-Linked role) | None | — |
AWSServiceRoleForBackup | AWS service: backup (Service-Linked role) | Today | — |
AWSServiceRoleForConfig | AWS service: config (Service-Linked role) | Today | — |
AWSServiceRoleForDAX | AWS service: dax (Service-Linked role) | 39 days | — |
AWSServiceRoleForEC2Spot | AWS service: spot (Service-Linked role) | None | — |
AWSServiceRoleForECS | AWS service: ecs (Service-Linked role) | Today | — |
AWSServiceRoleForElasticLoadBalancing | AWS service: elasticloadbalancing (Service-Linked role) | 39 days | — |
AWSServiceRoleForEMRCleanup | AWS service: elasticmapreduce (Service-Linked role) | 54 days | — |
AWSServiceRoleForGlobalAccelerator | AWS service: globalaccelerator (Service-Linked role) | None | — |
AWSServiceRoleForMarketplaceLicenseManagement | AWS service: license-management.marketplace (Service-Linked role) | None | — |
AWSServiceRoleForOrganizations | AWS service: organizations (Service-Linked role) | None | — |
AWSServiceRoleForRDS | AWS service: rds (Service-Linked role) | 59 days | — |
AWSServiceRoleForRedshift | AWS service: redshift (Service-Linked role) | 20 days | — |
AWSServiceRoleForSecurityHub | AWS service: securityhub (Service-Linked role) | Today | — |
AWSServiceRoleForSupport | AWS service: support (Service-Linked role) | None | — |
AWSServiceRoleForTrustedAdvisor | AWS service: trustedadvisor (Service-Linked role) | Today | — |
AWSServiceRoleForTrustedAdvisorReporting | AWS service: reporting.trustedadvisor (Service-Linked role) | None | — |
AWSTransferLoggingAccess | AWS service: transfer | Today | — |
CloudWatch_Logs | AWS service: cloudtrail | 64 days | — |
Custom-Tufin-CSPM-Role | Account: 977996679567:root | Today | — |
DAXtoDynamoDB | AWS service: dax | None | 1 High
delete-cognito-user-role-q2op2vim | AWS service: lambda | 38 days | — |
dms-vpc-role | AWS service: dms | 39 days | — |
ecsSpotFleetRole | AWS service: spotfleet | None | 1 High
ecsTaskExecutionRole | AWS service: ecs-tasks | Today | — |
eksctl-beautiful-outfit-161172726-NodeInstanceRole-18I5YOWHLL5DY | AWS service: ec2 | 39 days | — |
eksctl-beautiful-outfit-1611727262-clu-ServiceRole-1WXIOZKL195SR | AWS service: eks and 1 more | Today | — |
eksctl-rony-fargate-west2-cluster-ServiceRole-1TYN18LVNBC46 | AWS service: eks-fargate-pods and 1 more | Today | — |
eksctl-rony-fargate-west2-FargatePodExecutionRole-KIE90LR0G9XC | AWS service: eks and 1 more | Today | — |
eksctl-rony-slim-and-mean-cluster-ServiceRole-19NI3K6LIUIBQ | AWS service: eks and 1 more | Today | — |
eksctl-rony-slim-and-mean-FargatePodExecutionRole-170KFVJAHI1P9 | AWS service: eks and 1 more | Today | — |
eksctl-rony-west2test-cluster-addon-iamservi-Role1-16WWIXB7QKFI9 | Identity provider: arn:aws:iam::531239714189:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/B0BA48164F5E5DF358B27DD02880AF89 | Today | — |
eksctl-rony-west2test-cluster-cluster-ServiceRole-LOCK64MID329 | AWS service: eks and 1 more | Today | — |
eksctl-rony-west2test-cluster-nod-NodeInstanceRole-1FLCF3NMC0XSB | AWS service: ec2 | Today | — |
eksctl-ronyfargatefeb3rd53-FargatePodExecutionRole-1IN7JSEHE1UXT | AWS service: eks-fargate-pods and 1 more | 70 days | — |
eksctl-ronyfargatefeb3rd531-cluster-ServiceRole-6QNWVR4L4DG1 | AWS service: eks-fargate-pods and 1 more | Today | — |
eksctl-scan-my-fargateclus-FargatePodExecutionRole-1H0T6K0253C80 | AWS service: eks and 1 more | 39 days | — |
eksctl-scan-my-fargatecluster-cluster-ServiceRole-1F34FKH9GB6RI | AWS service: eks and 1 more | Today | — |
eksctl-test-fargate-west2-cluster-ServiceRole-1V6YSZ8GMQ14B | AWS service: eks and 1 more | Today | — |
eksctl-test-fargate-west2-FargatePodExecutionRole-ARW26FTHSM0N | AWS service: eks and 1 more | Today | — |
EMR_AutoScaling_DefaultRole | AWS service: application-autoscaling and 1 more | None | 1 High
EMR_DefaultRole | AWS service: elasticmapreduce | 55 days | — |
EMR_EC2_DefaultRole | AWS service: ec2 | 55 days | — |
hello-world-python-role-ufk4srq3 | AWS service: lambda | 99 days | 1 Low
HelloWorldFunction-role-s1r5k0x0 | AWS service: lambda | 39 days | — |
InlineSecureScanningInvokeRole | AWS service: events | 16 days | — |
InlineSecureScanningServiceRole | AWS service: codebuild | 16 days | — |
KinesisFirehoseServiceRole-my-delivery-s-us-east-1-1614217673119 | AWS service: firehose | 48 days | — |
KinesisFirehoseServiceRole-stream3-us-east-1-1614218937171 | AWS service: firehose | None | 1 High
KinesisFirehoseServiceRole-test-stream2-us-east-1-1614218524308 | AWS service: firehose | 48 days | — |
my-function-role-zttzjp7f | AWS service: lambda | 20 days | — |
my-role-api-logging | AWS service: apigateway | 46 days | — |
my-test-role-no-policies | Account: 531239714189:root | None | 2 High
rds-monitoring-role | AWS service: monitoring.rds | 59 days | — |
role-my-trail | AWS service: cloudtrail | Today | — |
rolew-Sophos-Optix-cloudtrail | AWS service: cloudtrail | 37 days | — |
ronyec2 | AWS service: ec2 | Today | — |
Sophos-Optix-Role | Account: 195990147830:root | 61 days | — |
StepFunctions-HelloWorld-role-3938622e | AWS service: states | None | 1 High
test | AWS service: lambda | Yesterday | — |
test-role-2f4mny1g | AWS service: lambda | 17 days | — |
test-role-4x8goany | AWS service: lambda | 27 days | — |
test-role-5z4s12tw | AWS service: lambda | None | 1 High
test-role-6hqjw25g | AWS service: lambda | Yesterday | — |
test-role-7t69h250 | AWS service: lambda | 16 days | — |
test-role-ciovjvkl | AWS service: lambda | 27 days | — |
test-role-e90ltcu0 | AWS service: lambda | None | 1 High
test-role-fufjld2t | AWS service: lambda | 27 days | — |
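Two kinds of role findings in this report depend on data that get_role() returns: the trust policy (the two "must require MFA or an external ID" rows) and RoleLastUsed (the "never used" and "inactive for more than 90 days" rows). The added example below (not the scanner's code) implements both checks over constructed documents; the account ids, role names and external ID are placeholders. It reports a whole-account root principal separately from the missing condition, because an external ID does mitigate the confused-deputy risk for a third-party account like the ones in this table but does nothing for a principal inside the same account.

```python
"""Reproduce two of the role checks in the report from get_role() output.

Added example, not the scanner's code. The trust documents and
RoleLastUsed values below are constructed; account ids 111122223333 and
444455556666, the role names and the external id are placeholders. The
90-day inactivity threshold is an assumption matching the report's Low row.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone

INACTIVE_DAYS = 90
ROOT_PRINCIPAL = re.compile(r"^(\d{12}|arn:aws:iam::\d{12}:root)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_value(condition: dict, operator_prefix: str, key: str):
    """Value of `key` under any operator starting with operator_prefix, else None."""
    for operator, keys in (condition or {}).items():
        if operator.startswith(operator_prefix) and key in keys:
            value = keys[key]
            return value[0] if isinstance(value, list) else value
    return None


def trust_policy_findings(doc: dict) -> list[str]:
    """Findings for AWS (account/user/role) principals in an AssumeRolePolicyDocument.

    Service and federated principals are skipped: an MFA or external-id
    condition cannot be satisfied by lambda.amazonaws.com.
    """
    findings = []
    for statement in _as_list(doc.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = statement.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        condition = statement.get("Condition", {})
        mfa = str(_condition_value(condition, "Bool",
                                   "aws:MultiFactorAuthPresent")).lower() == "true"
        external_id = _condition_value(condition, "StringEquals", "sts:ExternalId") is not None
        for p in aws_principals:
            if p == "*":
                findings.append("any AWS principal may assume the role")
                continue
            if ROOT_PRINCIPAL.match(p):
                findings.append(f"{p}: whole-account principal; every identity in that "
                                "account with sts:AssumeRole permission qualifies")
            if not (mfa or external_id):
                findings.append(f"{p}: neither aws:MultiFactorAuthPresent nor "
                                "sts:ExternalId is required")
    return findings


def role_usage_finding(role: dict, ref: datetime) -> str | None:
    """Map get_role()['Role']['RoleLastUsed'] to the report's High/Low usage rows."""
    last_used = role.get("RoleLastUsed") or {}   # {} when the role was never used
    if "LastUsedDate" not in last_used:
        return "High: role was never used"
    age = (ref - last_used["LastUsedDate"]).days
    if age > INACTIVE_DAYS:
        return f"Low: role inactive for {age} days"
    return None


# Constructed documents (not from the scanned account).
WEAK_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}""")
# Same-account operator role, MFA required on every assumption.
HARDENED_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/ops-admin"}, "Action": "sts:AssumeRole",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}""")
# Third-party vendor account: the external id defeats the confused deputy,
# but the whole-account principal is still reported so it can be reviewed.
VENDOR_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::444455556666:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "e7c1-example-external-id"}}}]}""")
SERVICE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")

REF = datetime(2021, 4, 15, 12, tzinfo=timezone.utc)
NEVER_USED_ROLE = {"RoleName": "my-test-role", "RoleLastUsed": {}}
STALE_ROLE = {"RoleName": "hello-world-role",
              "RoleLastUsed": {"LastUsedDate": datetime(2021, 1, 6, 12, tzinfo=timezone.utc),
                               "Region": "us-east-1"}}

if __name__ == "__main__":
    for name, doc in [("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST),
                      ("vendor", VENDOR_TRUST), ("service", SERVICE_TRUST)]:
        print(name, trust_policy_findings(doc))
    print(role_usage_finding(NEVER_USED_ROLE, REF), role_usage_finding(STALE_ROLE, REF))
```

The weak document yields both findings, the vendor document only the root-principal note, and the hardened and service documents none; this matches how the report treats the service-principal roles in the table above (no trust finding) while flagging the two account-principal roles.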