AWSTemplateFormatVersion: 2010-09-09 Description: Best practice for IAM (fdp-1r7kea6g8) Outputs: ConformancePackDeployed: Description: Conformance Pack Value: !Ref SCConformancePackIAM ConformancePackConsole: Description: Link to conformance pack console Value: !Sub >- https://${AWS::Region}.console.aws.amazon.com/config/home?region=${AWS::Region}&v2=true#/conformance-packs Parameters: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge: Description: >- Maximum number of days a credential cannot be used. The default value is 90 days. Type: String Default: 90 AccessKeysRotatedParameterMaxAccessKeyAge: Description: Maximum number of days without rotation. Default 90. Type: String Default: 90 IAMPolicyBlacklistedCheckParameterPolicyArns: Description: Comma-separated list of IAM policy ARNs that should not be attached to any IAM entity. Type: String Default: "arn:aws:iam::aws:policy/AdministratorAccess" IAMRoleManagedPolicyCheckParameterManagedPolicyArns: Description: Comma-separated list of AWS managed policy ARNs. Type: String Default: "arn:aws:iam::aws:policy/AdministratorAccess" Resources: SCConformancePackIAM: Type: 'AWS::Config::ConformancePack' Properties: ConformancePackInputParameters: - ParameterName: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge ParameterValue: !Ref IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge - ParameterName: AccessKeysRotatedParameterMaxAccessKeyAge ParameterValue: !Ref AccessKeysRotatedParameterMaxAccessKeyAge - ParameterName: IAMPolicyBlacklistedCheckParameterPolicyArns ParameterValue: !Ref IAMPolicyBlacklistedCheckParameterPolicyArns - ParameterName: IAMRoleManagedPolicyCheckParameterManagedPolicyArns ParameterValue: !Ref IAMRoleManagedPolicyCheckParameterManagedPolicyArns ConformancePackName: !Join - '' - - OperationalBestPracticesIAM - !Select - 1 - !Split - '-' - !Select - 2 - !Split - / - !Ref 'AWS::StackId' DeliveryS3Bucket: '{{resolve:ssm:/conformancepack/deliverybucket:1}}' TemplateBody: |- Parameters: AccessKeysRotatedParameterMaxAccessKeyAge: Description: Maximum number of days without rotation. Default 90. Type: String IAMPolicyBlacklistedCheckParameterPolicyArns: Description: Comma-separated list of IAM policy ARNs that should not be attached to any IAM entity. Type: String IAMRoleManagedPolicyCheckParameterManagedPolicyArns: Description: Comma-separated list of AWS managed policy ARNs. Type: String IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge: Description: Maximum number of days a credential cannot be used. The default value is 90 days. Type: String Resources: AccessKeysRotated: Properties: ConfigRuleName: AccessKeysRotated Description: Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days. InputParameters: maxAccessKeyAge: Ref: AccessKeysRotatedParameterMaxAccessKeyAge Source: Owner: AWS SourceIdentifier: ACCESS_KEYS_ROTATED Type: AWS::Config::ConfigRule IAMGroupHasUsersCheck: Properties: ConfigRuleName: IAMGroupHasUsersCheck Description: Checks whether IAM groups have at least one IAM user. Source: Owner: AWS SourceIdentifier: IAM_GROUP_HAS_USERS_CHECK Type: AWS::Config::ConfigRule IAMPasswordPolicy: Properties: ConfigRuleName: IAMPasswordPolicy Description: Checks whether the account password policy for IAM users meets the specified requirements. Source: Owner: AWS SourceIdentifier: IAM_PASSWORD_POLICY Type: AWS::Config::ConfigRule IAMPolicyBlacklistedCheck: Properties: ConfigRuleName: IAMPolicyBlacklistedCheck Description: Checks that none of your IAM users, groups, or roles (excluding exceptionList) have the specified policies attached. InputParameters: policyArns: Ref: IAMPolicyBlacklistedCheckParameterPolicyArns Source: Owner: AWS SourceIdentifier: IAM_POLICY_BLACKLISTED_CHECK Type: AWS::Config::ConfigRule IAMPolicyNoStatementsWithAdminAccess: Properties: ConfigRuleName: IAMPolicyNoStatementsWithAdminAccess Description: Checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has "Effect" "Allow" with "Action" "*" over "Resource" "*", the rule is non-compliant.' Source: Owner: AWS SourceIdentifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS Type: AWS::Config::ConfigRule IAMRoleManagedPolicyCheck: Properties: ConfigRuleName: IAMRoleManagedPolicyCheck Description: Checks that the AWS Identity and Access Management (IAM) role is attached to all AWS managed policies specified in the list of managed policies. The rule is non-compliant if the IAM role is not attached to the AWS managed policy. InputParameters: managedPolicyArns: Ref: IAMRoleManagedPolicyCheckParameterManagedPolicyArns Source: Owner: AWS SourceIdentifier: IAM_ROLE_MANAGED_POLICY_CHECK Type: AWS::Config::ConfigRule IAMRootAccessKeyCheck: Properties: ConfigRuleName: IAMRootAccessKeyCheck Description: Checks whether the root user access key is available. The rule is compliant if the user access key does not exist. Source: Owner: AWS SourceIdentifier: IAM_ROOT_ACCESS_KEY_CHECK Type: AWS::Config::ConfigRule IAMUserGroupMembershipCheck: Properties: ConfigRuleName: IAMUserGroupMembershipCheck Description: Checks whether IAM users are members of at least one IAM group. Source: Owner: AWS SourceIdentifier: IAM_USER_GROUP_MEMBERSHIP_CHECK Type: AWS::Config::ConfigRule IAMUserMFAEnabled: Properties: ConfigRuleName: IAMUserMFAEnabled Description: Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. Source: Owner: AWS SourceIdentifier: IAM_USER_MFA_ENABLED Type: AWS::Config::ConfigRule IAMUserNoPoliciesCheck: Properties: ConfigRuleName: IAMUserNoPoliciesCheck Description: Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. Source: Owner: AWS SourceIdentifier: IAM_USER_NO_POLICIES_CHECK Type: AWS::Config::ConfigRule IAMUserUnusedCredentialsCheck: Properties: ConfigRuleName: IAMUserUnusedCredentialsCheck Description: Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided. InputParameters: maxCredentialUsageAge: Ref: IAMUserUnusedCredentialsCheckParameterMaxCredentialUsageAge Source: Owner: AWS SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK Type: AWS::Config::ConfigRule MFAEnabledForIAMConsoleAccess: Properties: ConfigRuleName: MFAEnabledForIAMConsoleAccess Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is compliant if MFA is enabled. Source: Owner: AWS SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS Type: AWS::Config::ConfigRule RootAccountHardwareMFAEnabled: Properties: ConfigRuleName: RootAccountHardwareMFAEnabled Description: Checks whether your AWS account is enabled to use a multi-factor authentication (MFA) hardware device to sign in with root credentials. Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED Type: AWS::Config::ConfigRule RootAccountMFAEnabled: Properties: ConfigRuleName: RootAccountMFAEnabled Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in. Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED Type: AWS::Config::ConfigRule