AWSTemplateFormatVersion: 2010-09-09 Description: This template automatically deploy the AWS Config Conformance Pack for Operational Best Practices for AWS Identity And Access Management. Please note resource charges for S3 buckets, Config and Conformance pack will apply. Parameters: ConformancePackDeliveryBucket: Type: String Description: AWS Config stores intermediate files while processing conformance pack template. Please enter thename of the bucket that has been configured already for conformance pack to deliver to deliver findings. MaxAgeAccessKeyRotated: Type: String Description: This is a parameter for the conformance pack. Enter the IAM Access Key Maximum number of days without rotation. Default 90 Default: '90' BlackListedIAMPolicyARN: Type: String Default: 'arn:aws:iam::aws:policy/PowerUserAccess' Description: >- This is a parameter for the conformance pack. Enter a Comma-separated list of IAM policy ARNs that should not be attached to any IAM entity. We provide as the PowerUserAccess for sample purposes only. Feel free to enter asnother policy ARN IAMUserUnusedCredentialAge: Type: String Description: >- This is a parameter for the conformance pack. Maximum number of days a credential cannot be used. The default value is 90 days. Default: '90' Resources: ConformancePack: Type: 'AWS::Config::ConformancePack' Properties: ConformancePackName: IAMBestPractices ConformancePackInputParameters: - ParameterName: AccessKeysRotatedParameterMaxAccessKeyAge ParameterValue: !Ref MaxAgeAccessKeyRotated - ParameterName: IAMPolicyBlacklistedCheckParameterPolicyArns ParameterValue: !Ref BlackListedIAMPolicyARN - ParameterName: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge ParameterValue: !Ref IAMUserUnusedCredentialAge DeliveryS3Bucket: !Ref ConformancePackDeliveryBucket TemplateBody: |- Parameters: AccessKeysRotatedParameterMaxAccessKeyAge: Description: Maximum number of days without rotation. Default 90. Type: String IAMPolicyBlacklistedCheckParameterPolicyArns: Description: Comma-separated list of IAM policy ARNs that should not be attached to any IAM entity. Type: String IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge: Description: Maximum number of days a credential cannot be used. The default value is 90 days. Type: String Resources: AccessKeysRotated: Properties: ConfigRuleName: AccessKeysRotated Description: Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days. InputParameters: maxAccessKeyAge: Ref: AccessKeysRotatedParameterMaxAccessKeyAge Source: Owner: AWS SourceIdentifier: ACCESS_KEYS_ROTATED Type: AWS::Config::ConfigRule IAMGroupHasUsersCheck: Properties: ConfigRuleName: IAMGroupHasUsersCheck Description: Checks whether IAM groups have at least one IAM user. Source: Owner: AWS SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK Type: AWS::Config::ConfigRule IAMPasswordPolicy: Properties: ConfigRuleName: IAMPasswordPolicy Description: Checks whether the account password policy for IAM users meets the specified requirements. Source: Owner: AWS SourceIdentifier: IAM_PASSWORD_POLICY Type: AWS::Config::ConfigRule IAMPolicyBlacklistedCheck: Properties: ConfigRuleName: IAMPolicyBlacklistedCheck Description: Checks that none of your IAM users, groups, or roles (excluding exceptionList) have the specified policies attached. InputParameters: policyArns: Ref: IAMPolicyBlacklistedCheckParameterPolicyArns Source: Owner: AWS SourceIdentifier: IAM_POLICY_BLACKLISTED_CHECK Type: AWS::Config::ConfigRule IAMPolicyNoStatementsWithAdminAccess: Properties: ConfigRuleName: IAMPolicyNoStatementsWithAdminAccess Source: Owner: AWS SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS Type: AWS::Config::ConfigRule IAMRootAccessKeyCheck: Properties: ConfigRuleName: IAMRootAccessKeyCheck Description: Checks whether the root user access key is available. The rule is compliant if the user access key does not exist. Source: Owner: AWS SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK Type: AWS::Config::ConfigRule IAMUserGroupMembershipCheck: Properties: ConfigRuleName: IAMUserGroupMembershipCheck Description: Checks whether IAM users are members of at least one IAM group. Source: Owner: AWS SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK Type: AWS::Config::ConfigRule IAMUserMFAEnabled: Properties: ConfigRuleName: IAMUserMFAEnabled Description: Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. Source: Owner: AWS SourceIdentifier: IAM_USER_MFA_ENABLED Type: AWS::Config::ConfigRule IAMUserNoPoliciesCheck: Properties: ConfigRuleName: IAMUserNoPoliciesCheck Description: Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. Source: Owner: AWS SourceIdentifier: IAM_USER_NO_POLICIES_CHECK Type: AWS::Config::ConfigRule IAMUserUnusedCredentialsCheck: Properties: ConfigRuleName: IAMUserUnusedCredentialsCheck Description: Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. InputParameters: maxCredentialUsageAge: Ref: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge Source: Owner: AWS SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK Type: AWS::Config::ConfigRule MFAEnabledForIAMConsoleAccess: Properties: ConfigRuleName: MFAEnabledForIAMConsoleAccess Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is compliant if MFA is enabled. Source: Owner: AWS SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Type: AWS::Config::ConfigRule RootAccountHardwareMFAEnabled: Properties: ConfigRuleName: RootAccountHardwareMFAEnabled Description: Checks whether your AWS account is enabled to use a multi-factor authentication (MFA) hardware device to sign in with root credentials. Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED Type: AWS::Config::ConfigRule RootAccountMFAEnabled: Properties: ConfigRuleName: RootAccountMFAEnabled Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in. Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED Type: AWS::Config::ConfigRule