Amazon IAM

Overview

Critical: 2
High: 12
Medium: 8
Low: 20
Informational: 1
Security issues (43)
| Severity | Non-Compliance | Resource | Issue | Remediation |
|---|---|---|---|---|
| Medium | CIS 1.5, PCI DSS 8.4 | IAM | The root user does not use any multi-factor authentication (MFA) device. | Enable an MFA device for the AWS account root user. |
| Medium | | IAM | Account password policy for IAM users does not require the use of symbols, as per CIS control 1.7. | Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. |
| Medium | | IAM | Account password policy for IAM users does not require the use of uppercase letters, as per CIS control 1.5. | Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. |
| Medium | | IAM | Account password policy for IAM users does not require the use of lowercase letters, as per CIS control 1.6. | Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. |
| Low | | IAM | Account password policy for IAM users allows the re-use of the last four passwords or fewer, not meeting PCI DSS Requirement 8.2.5. | Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. |
| Medium | | IAM | Account password policy for IAM users does not set a password expiration period, not meeting PCI DSS Requirement 8.2.4. | Set a custom password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. |
| Medium | PCI DSS 8.4 | root | The root user does not have multi-factor authentication (MFA) enabled. | PCI DSS Requirement 8.3: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. |
| Medium | CIS 1.10, PCI DSS 8.4 | Rony | IAM user "Rony" does not have multi-factor authentication (MFA) enabled. | PCI DSS Requirement 8.3: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. |
| Low | CIS 1.11 | Rony | IAM user "Rony" has both an access key for programmatic access and a password to sign in to the AWS Management Console. | Consider creating a separate IAM user for programmatic access. |
| Critical | | Rony | IAM user "Rony" has two access keys. While this makes rotation easier, having both access keys enabled increases the risk of a data breach. | Delete or deactivate the first access key for the user "Rony". |
| Low | | Rony | IAM user "Rony" has attached IAM policies. | Ensure IAM policies are attached only to groups or roles. |
| Low | | Rony | IAM user "Rony" is among 8 IAM user administrators. Every additional administrator increases the risk of a data breach. | Keep 2 IAM users with administrative permissions, while giving other IAM users a unique set of security credentials. |
| Medium | CIS 1.10, PCI DSS 8.4 | Sergei | IAM user "Sergei" does not have multi-factor authentication (MFA) enabled. | PCI DSS Requirement 8.3: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. |
| Low | CIS 1.11 | Sergei | IAM user "Sergei" has both an access key for programmatic access and a password to sign in to the AWS Management Console. | Consider creating a separate IAM user for programmatic access. |
| Critical | | Sergei | IAM user "Sergei" has two access keys. While this makes rotation easier, having both access keys enabled increases the risk of a data breach. | Delete or deactivate the first access key for the user "Sergei". |
| Low | | Sergei | IAM user "Sergei" has inline IAM policies. | Ensure IAM policies are attached only to groups or roles. |
| Low | | Sergei | IAM user "Sergei" is among 8 IAM user administrators. Every additional administrator increases the risk of a data breach. | Keep 2 IAM users with administrative permissions, while giving other IAM users a unique set of security credentials. |
| Low | | cloudsploit | IAM user "cloudsploit" has attached IAM policies. | Ensure IAM policies are attached only to groups or roles. |
| Low | | semaProgrammatic | IAM user "semaProgrammatic" has attached IAM policies. | Ensure IAM policies are attached only to groups or roles. |
| Low | | semaProgrammatic | IAM user "semaProgrammatic" is among 8 IAM user administrators. Every additional administrator increases the risk of a data breach. | Keep 2 IAM users with administrative permissions, while giving other IAM users a unique set of security credentials. |
| Low | | ses-smtp-user.20210305-143809 | IAM user "ses-smtp-user.20210305-143809" has inline IAM policies. | Ensure IAM policies are attached only to groups or roles. |
| Low | | SysDigMonitor | IAM user "SysDigMonitor" has attached IAM policies. | Ensure IAM policies are attached only to groups or roles. |
| Low | | SysDigMonitor | IAM user "SysDigMonitor" is among 8 IAM user administrators. Every additional administrator increases the risk of a data breach. | Keep 2 IAM users with administrative permissions, while giving other IAM users a unique set of security credentials. |
| Low | | test | IAM user "test" has inline group policy "test-inline-policy-for-group". | Security best practices in IAM recommend using managed policies instead of inline policies. |
| Low | | test | IAM user "test" has attached IAM policies. | Ensure IAM policies are attached only to groups or roles. |
| Low | | test | IAM user "test" is among 8 IAM user administrators. Every additional administrator increases the risk of a data breach. | Keep 2 IAM users with administrative permissions, while giving other IAM users a unique set of security credentials. |
| Low | | test2 | IAM user "test2" has inline group policy "test-inline-policy-for-group". | Security best practices in IAM recommend using managed policies instead of inline policies. |
| Low | | test2 | IAM user "test2" is among 8 IAM user administrators. Every additional administrator increases the risk of a data breach. | Keep 2 IAM users with administrative permissions, while giving other IAM users a unique set of security credentials. |
| High | | amplify-login-lambda-69749404 | IAM role "amplify-login-lambda-69749404" was never used. | Consider removing the IAM roles that you are not using. |
| High | | AWS-QuickSetup-StackSet-Local-ExecutionRole | IAM role "AWS-QuickSetup-StackSet-Local-ExecutionRole" must require either MFA or an external ID to designate who can assume the role. The role's misconfigured account is: "arn:aws:iam::531239714189:role/AWS-QuickSetup-StackSet-Local-AdministrationRole". | Update the IAM role, making sure it uses either MFA or an external ID to designate who can assume the role. |
| Low | | AWS-QuickSetup-StackSet-Local-ExecutionRole | IAM role "AWS-QuickSetup-StackSet-Local-ExecutionRole" contains the managed AdministratorAccess policy. | Consider tightening the IAM role policies by granting least privilege and avoiding wildcards where possible. |
| High | | service-role/AWSDataLifecycleManagerDefaultRoleForAMIManagement | IAM role "AWSDataLifecycleManagerDefaultRoleForAMIManagement" was never used. | Consider removing the IAM roles that you are not using. |
| High | | service-role/DAXtoDynamoDB | IAM role "DAXtoDynamoDB" was never used. | Consider removing the IAM roles that you are not using. |
| High | | ecsSpotFleetRole | IAM role "ecsSpotFleetRole" was never used. | Consider removing the IAM roles that you are not using. |
| High | | EMR_AutoScaling_DefaultRole | IAM role "EMR_AutoScaling_DefaultRole" was never used. | Consider removing the IAM roles that you are not using. |
| Low | | service-role/hello-world-python-role-ufk4srq3 | IAM role "hello-world-python-role-ufk4srq3" was inactive for more than 90 days. | Consider removing the IAM roles that you are not using. |
| High | | service-role/KinesisFirehoseServiceRole-stream3-us-east-1-1614218937171 | IAM role "KinesisFirehoseServiceRole-stream3-us-east-1-1614218937171" was never used. | Consider removing the IAM roles that you are not using. |
| High | | my-test-role-no-policies | IAM role "my-test-role-no-policies" must require either MFA or an external ID to designate who can assume the role. The role's misconfigured account is: "arn:aws:iam::531239714189:root". | Update the IAM role, making sure it uses either MFA or an external ID to designate who can assume the role. |
| High | | my-test-role-no-policies | IAM role "my-test-role-no-policies" was never used. | Consider removing the IAM roles that you are not using. |
| High | | service-role/StepFunctions-HelloWorld-role-3938622e | IAM role "StepFunctions-HelloWorld-role-3938622e" was never used. | Consider removing the IAM roles that you are not using. |
| High | | service-role/test-role-5z4s12tw | IAM role "test-role-5z4s12tw" was never used. | Consider removing the IAM roles that you are not using. |
| High | | service-role/test-role-e90ltcu0 | IAM role "test-role-e90ltcu0" was never used. | Consider removing the IAM roles that you are not using. |
| Informational | | super-empty-group | IAM group "super-empty-group" is empty. | Consider removing the IAM groups with no members. |
Users (8)
| User name | Groups | Access key age | Password age | Last activity | MFA | Security issues |
|---|---|---|---|---|---|---|
| cloudsploit | None | 86 days | None | 60 days | Not enabled | 1 Low |
| Rony | Administrators, CloudFormationAlllAccess | 88 days | 92 days | Today | Not enabled | 1 Critical + 4 others |
| semaProgrammatic | Administrators, CloudFormationAlllAccess | 79 days | None | 75 days | Not enabled | 2 Low |
| Sergei | Administrators, CloudFormationAlllAccess | 26 days | 101 days | Today | Not enabled | 1 Critical + 4 others |
| ses-smtp-user.20210305-143809 | None | 40 days | None | None | Not enabled | 1 Low |
| SysDigMonitor | Administrators | 68 days | None | 31 days | Not enabled | 2 Low |
| test | test-group | 74 days | None | None | Virtual | 3 Low |
| test2 | test-group, Administrators and 2 more | 72 days | None | None | Not enabled | 2 Low |
Groups (5)
| Group name | Users | Inline policy | Creation time | Security issues |
|---|---|---|---|---|
| Administrators | 7 | | | |
| CloudFormationAlllAccess | 4 | | | |
| empty-group | 1 | | | |
| super-empty-group | 0 | | | 1 Informational |
| test-group | 2 | | | |
Roles (94)
| Role name | Trusted entities | Last activity | Security issues |
|---|---|---|---|
| AmazonComprehendMedicalServiceRole-comprehend-role | AWS service: comprehendmedical | 50 days | |
| AmazonComprehendMedicalServiceRole-comprehend-role2 | AWS service: comprehendmedical | 50 days | |
| AmazonComprehendMedicalServiceRole-comprehend-role3 | AWS service: comprehendmedical | 50 days | |
| AmazonComprehendMedicalServiceRole-comprehend-role4 | AWS service: comprehendmedical | 50 days | |
| AmazonComprehendServiceRole-comprehend-role4 | AWS service: comprehend | 50 days | |
| AmazonComprehendServiceRole-new-role | AWS service: comprehend | 50 days | |
| AmazonSageMaker-ExecutionRole-20210218T192806 | AWS service: sagemaker | Today | |
| AmazonSSMRoleForInstancesQuickSetup | AWS service: ec2 | 40 days | |
| amplify-login-lambda-69749404 | AWS service: lambda | None | 1 High |
| aws-elasticbeanstalk-ec2-role | AWS service: ec2 | 39 days | |
| aws-elasticbeanstalk-service-role | AWS service: elasticbeanstalk | Today | |
| AWS-QuickSetup-StackSet-Local-AdministrationRole | AWS service: cloudformation | 51 days | |
| AWS-QuickSetup-StackSet-Local-ExecutionRole | Account: 531239714189 | 51 days | 1 High + 1 other |
| AWSDataLifecycleManagerDefaultRole | AWS service: dlm | 39 days | |
| AWSDataLifecycleManagerDefaultRoleForAMIManagement | AWS service: dlm | None | 1 High |
| AWSServiceRoleForAmazonEKS | AWS service: eks (Service-Linked role) | Today | |
| AWSServiceRoleForAmazonEKSForFargate | AWS service: eks-fargate (Service-Linked role) | Today | |
| AWSServiceRoleForAmazonEKSNodegroup | AWS service: eks-nodegroup (Service-Linked role) | Today | |
| AWSServiceRoleForAmazonElasticFileSystem | AWS service: elasticfilesystem (Service-Linked role) | 16 days | |
| AWSServiceRoleForAmazonElasticsearchService | AWS service: es (Service-Linked role) | 39 days | |
| AWSServiceRoleForAmazonGuardDuty | AWS service: guardduty (Service-Linked role) | 2 days | |
| AWSServiceRoleForAmazonSSM | AWS service: ssm (Service-Linked role) | Today | |
| AWSServiceRoleForAPIGateway | AWS service: ops.apigateway (Service-Linked role) | None | |
| AWSServiceRoleForApplicationAutoScaling_DynamoDBTable | AWS service: dynamodb.application-autoscaling (Service-Linked role) | Today | |
| AWSServiceRoleForAutoScaling | AWS service: autoscaling (Service-Linked role) | Today | |
| AWSServiceRoleForAWSCloud9 | AWS service: cloud9 (Service-Linked role) | 99 days | |
| AWSServiceRoleForAWSLicenseManagerRole | AWS service: license-manager (Service-Linked role) | None | |
| AWSServiceRoleForBackup | AWS service: backup (Service-Linked role) | Today | |
| AWSServiceRoleForConfig | AWS service: config (Service-Linked role) | Today | |
| AWSServiceRoleForDAX | AWS service: dax (Service-Linked role) | 39 days | |
| AWSServiceRoleForEC2Spot | AWS service: spot (Service-Linked role) | None | |
| AWSServiceRoleForECS | AWS service: ecs (Service-Linked role) | Today | |
| AWSServiceRoleForElasticLoadBalancing | AWS service: elasticloadbalancing (Service-Linked role) | 39 days | |
| AWSServiceRoleForEMRCleanup | AWS service: elasticmapreduce (Service-Linked role) | 54 days | |
| AWSServiceRoleForGlobalAccelerator | AWS service: globalaccelerator (Service-Linked role) | None | |
| AWSServiceRoleForMarketplaceLicenseManagement | AWS service: license-management.marketplace (Service-Linked role) | None | |
| AWSServiceRoleForOrganizations | AWS service: organizations (Service-Linked role) | None | |
| AWSServiceRoleForRDS | AWS service: rds (Service-Linked role) | 59 days | |
| AWSServiceRoleForRedshift | AWS service: redshift (Service-Linked role) | 20 days | |
| AWSServiceRoleForSecurityHub | AWS service: securityhub (Service-Linked role) | Today | |
| AWSServiceRoleForSupport | AWS service: support (Service-Linked role) | None | |
| AWSServiceRoleForTrustedAdvisor | AWS service: trustedadvisor (Service-Linked role) | Today | |
| AWSServiceRoleForTrustedAdvisorReporting | AWS service: reporting.trustedadvisor (Service-Linked role) | None | |
| AWSTransferLoggingAccess | AWS service: transfer | Today | |
| CloudWatch_Logs | AWS service: cloudtrail | 64 days | |
| Custom-Tufin-CSPM-Role | Account: 977996679567:root | Today | |
| DAXtoDynamoDB | AWS service: dax | None | 1 High |
| delete-cognito-user-role-q2op2vim | AWS service: lambda | 38 days | |
| dms-vpc-role | AWS service: dms | 39 days | |
| ecsSpotFleetRole | AWS service: spotfleet | None | 1 High |
| ecsTaskExecutionRole | AWS service: ecs-tasks | Today | |
| eksctl-beautiful-outfit-161172726-NodeInstanceRole-18I5YOWHLL5DY | AWS service: ec2 | 39 days | |
| eksctl-beautiful-outfit-1611727262-clu-ServiceRole-1WXIOZKL195SR | AWS service: eks and 1 more | Today | |
| eksctl-rony-fargate-west2-cluster-ServiceRole-1TYN18LVNBC46 | AWS service: eks-fargate-pods and 1 more | Today | |
| eksctl-rony-fargate-west2-FargatePodExecutionRole-KIE90LR0G9XC | AWS service: eks and 1 more | Today | |
| eksctl-rony-slim-and-mean-cluster-ServiceRole-19NI3K6LIUIBQ | AWS service: eks and 1 more | Today | |
| eksctl-rony-slim-and-mean-FargatePodExecutionRole-170KFVJAHI1P9 | AWS service: eks and 1 more | Today | |
| eksctl-rony-west2test-cluster-addon-iamservi-Role1-16WWIXB7QKFI9 | Identity provider: arn:aws:iam::531239714189:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/B0BA48164F5E5DF358B27DD02880AF89 | Today | |
| eksctl-rony-west2test-cluster-cluster-ServiceRole-LOCK64MID329 | AWS service: eks and 1 more | Today | |
| eksctl-rony-west2test-cluster-nod-NodeInstanceRole-1FLCF3NMC0XSB | AWS service: ec2 | Today | |
| eksctl-ronyfargatefeb3rd53-FargatePodExecutionRole-1IN7JSEHE1UXT | AWS service: eks-fargate-pods and 1 more | 70 days | |
| eksctl-ronyfargatefeb3rd531-cluster-ServiceRole-6QNWVR4L4DG1 | AWS service: eks-fargate-pods and 1 more | Today | |
| eksctl-scan-my-fargateclus-FargatePodExecutionRole-1H0T6K0253C80 | AWS service: eks and 1 more | 39 days | |
| eksctl-scan-my-fargatecluster-cluster-ServiceRole-1F34FKH9GB6RI | AWS service: eks and 1 more | Today | |
| eksctl-test-fargate-west2-cluster-ServiceRole-1V6YSZ8GMQ14B | AWS service: eks and 1 more | Today | |
| eksctl-test-fargate-west2-FargatePodExecutionRole-ARW26FTHSM0N | AWS service: eks and 1 more | Today | |
| EMR_AutoScaling_DefaultRole | AWS service: application-autoscaling and 1 more | None | 1 High |
| EMR_DefaultRole | AWS service: elasticmapreduce | 55 days | |
| EMR_EC2_DefaultRole | AWS service: ec2 | 55 days | |
| hello-world-python-role-ufk4srq3 | AWS service: lambda | 99 days | 1 Low |
| HelloWorldFunction-role-s1r5k0x0 | AWS service: lambda | 39 days | |
| InlineSecureScanningInvokeRole | AWS service: events | 16 days | |
| InlineSecureScanningServiceRole | AWS service: codebuild | 16 days | |
| KinesisFirehoseServiceRole-my-delivery-s-us-east-1-1614217673119 | AWS service: firehose | 48 days | |
| KinesisFirehoseServiceRole-stream3-us-east-1-1614218937171 | AWS service: firehose | None | 1 High |
| KinesisFirehoseServiceRole-test-stream2-us-east-1-1614218524308 | AWS service: firehose | 48 days | |
| my-function-role-zttzjp7f | AWS service: lambda | 20 days | |
| my-role-api-logging | AWS service: apigateway | 46 days | |
| my-test-role-no-policies | Account: 531239714189:root | None | 2 High |
| rds-monitoring-role | AWS service: monitoring.rds | 59 days | |
| role-my-trail | AWS service: cloudtrail | Today | |
| rolew-Sophos-Optix-cloudtrail | AWS service: cloudtrail | 37 days | |
| ronyec2 | AWS service: ec2 | Today | |
| Sophos-Optix-Role | Account: 195990147830:root | 61 days | |
| StepFunctions-HelloWorld-role-3938622e | AWS service: states | None | 1 High |
| test | AWS service: lambda | Yesterday | |
| test-role-2f4mny1g | AWS service: lambda | 17 days | |
| test-role-4x8goany | AWS service: lambda | 27 days | |
| test-role-5z4s12tw | AWS service: lambda | None | 1 High |
| test-role-6hqjw25g | AWS service: lambda | Yesterday | |
| test-role-7t69h250 | AWS service: lambda | 16 days | |
| test-role-ciovjvkl | AWS service: lambda | 27 days | |
| test-role-e90ltcu0 | AWS service: lambda | None | 1 High |
| test-role-fufjld2t | AWS service: lambda | 27 days | |