A collection of AWS Security controls for IAM. Controls include Access Analyzer, IAM Password Policy, IAM policies, CloudWatch events and alarms for monitoring, as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

SSO
SSO Permission Set

An SSO permission set is a template that defines a collection of one or more IAM policies. A permission set is applied to allow SSO principals (users or groups) access to one or more AWS accounts.

Templates: CloudFormation, Terraform, AWS CLI
SSO Assignment

A configuration template to assign a specified principal (SSO Group or User) access to an AWS account using an SSO Permission Set.

Templates: CloudFormation, Terraform, AWS CLI
Permission Set for IAM Identity Center with Customer Managed Policies

This template creates a custom permission set, `PermissionSetWithCmpPb`, with policies attached and a customer managed policy as a permissions boundary. The permission set is created within a specified IAM Identity Center instance. The template specifies the instance ARN, name, description, session duration, managed policies, customer managed policy references, and permissions boundary.

Templates: CloudFormation
Custom Permission Set with Assignment for IAM Identity Center

This template creates a custom permission set, `PermissionSet`, with the AdministratorAccess managed policy attached. The permission set is created within a specified IAM Identity Center instance, and an assignment is created for the AWS account ID 123456789012 and the user `my_admin_user`.

Templates: CloudFormation
Access Control Attribute Example

This template enables the attribute-based access control (ABAC) feature for the specified IAM Identity Center instance. It creates a new attribute key `CostCenter` that is mapped to the value `"${path:enterprise.costCenter}"`, which comes from the identity source.

Templates: CloudFormation
SSO Assignment for IAM Identity Center

This template creates a custom assignment for the IAM Identity Center. It assigns the user with the ID 'user_id' access to the AWS account with the ID 'accountId' in the specified AWS SSO instance. The assignment is made using the permission set specified by the 'PermissionSetArn' property.

Templates: CloudFormation
IAM
IAM Role

Configuration for creating an IAM role in an AWS account and optionally an EC2 Instance Profile. The template also includes options for customizing the access granted to the role using inline and managed IAM policies.

Templates: CloudFormation, Terraform, AWS CLI
IAM User

Configuration for creating an IAM user in an AWS account and optionally enabling console access with a temporary password.

Templates: CloudFormation, Terraform, AWS CLI
IAM Access Analyzer

Configure Access Analyzer to discover which resources in an AWS account are shared with external principals outside of the account. Access Analyzer generates findings for supported resources in the region in which it was enabled, with the exception of IAM resources, for which it generates findings in each region (as IAM is a global service).

Templates: CloudFormation, Terraform, AWS CLI
Configure Account IAM Password Policy

Configuration to set an IAM password policy in an AWS account.

Templates: CloudFormation, Terraform, AWS CLI
IAM SAML Identity Provider

Configuration template to create an IAM Identity Provider (SAML) based on the provided XML metadata document.

Templates: CloudFormation, Terraform, AWS CLI
IAM Service-Linked Role for Auto Scaling

This template creates a service-linked role that can be assumed by the Auto Scaling service. The role is linked to the Auto Scaling service and has the specified description and custom suffix. This role helps ensure that the Auto Scaling service has the necessary permissions and stability to function properly.

Templates: CloudFormation
IAM Instance Profile

This template creates an IAM instance profile with the specified properties. The instance profile is associated with a role named 'Role' and has a path of '/'.

Templates: CloudFormation
Config Rule
IAM Password Policy Settings Check

Checks whether the account password policy for IAM users meets the specified requirements.

Templates: CloudFormation, Terraform, AWS CLI
Root Account MFA Enabled Check

Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials.

Templates: CloudFormation, Terraform, AWS CLI
Empty IAM Groups Check

Checks whether IAM groups have at least one IAM user.

Templates: CloudFormation, Terraform, AWS CLI
All IAM Users Belong to IAM Groups Check

Checks whether IAM users are members of at least one IAM group.

Templates: CloudFormation, Terraform, AWS CLI
IAM Policies Not Attached to IAM Users Directly Check

Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles.

Templates: CloudFormation, Terraform, AWS CLI
IAM Users MFA Enabled Check

A config rule that checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.

Templates: CloudFormation, Terraform, AWS CLI
Required IAM Policies for IAM Roles Check

A config rule that checks that the AWS Identity and Access Management (IAM) role is attached to all AWS managed policies specified in the list of managed policies. The rule is NON_COMPLIANT if the IAM role is not attached to the IAM managed policy.

Templates: CloudFormation, Terraform, AWS CLI
Root Account Hardware MFA Check

A config rule that checks whether your AWS account is enabled to use a multi-factor authentication (MFA) hardware device to sign in with root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root credentials.

Templates: CloudFormation, Terraform, AWS CLI
IAM Access Keys Rotated Check

A config rule that checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.

Templates: CloudFormation, Terraform, AWS CLI
IAM Policies don't allow Admin Access Check

A config rule that checks whether the default version of AWS Identity and Access Management (IAM) policies do not have administrator access. If any statement has 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*', the rule is NON_COMPLIANT.

Templates: CloudFormation, Terraform, AWS CLI
Root Access Key Does Not Exist Check

A config rule that checks whether the root user access key is available. The rule is COMPLIANT if the root user access key does not exist.

Templates: CloudFormation, Terraform, AWS CLI
IAM Users Unused Credentials Check

A config rule that checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the number of days you specified. Re-evaluating this rule within 4 hours of the first evaluation will have no effect on the results.

Templates: CloudFormation, Terraform, AWS CLI
MFA Enabled for IAM Console Access

A Config rule that checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled.

Templates: CloudFormation, Terraform, AWS CLI
IAM Blacklisted Policies Check

A Config rule that checks that none of your IAM users, groups, or roles (excluding those in exceptionList) have the specified policies attached.

Templates: CloudFormation, Terraform, AWS CLI
No Inline IAM Policies Allowed Check

A config rule that checks that the inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management (IAM) user, IAM role or IAM group has any inline policy.

Templates: CloudFormation, Terraform, AWS CLI
Mandatory IAM Policy In Use Check

A config rule that checks whether the IAM policy ARN is attached to an IAM user, or to an IAM group with one or more IAM users, or to an IAM role with one or more trusted entities.

Templates: CloudFormation, Terraform, AWS CLI
IAM Customer Policy Blocked KMS Actions

Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on AWS KMS keys by the managed IAM policy.

Templates: CloudFormation
Block IAM Inline Policy KMS Actions

Checks if the inline policies attached to your IAM users, roles, and groups do not allow blocked actions on all AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS KMS keys in an inline policy.

Templates: CloudFormation
IAM Policy No Statements With Full Access

Checks if AWS Identity and Access Management (IAM) policies that you create grant permissions to all actions on individual AWS resources. The rule is NON_COMPLIANT if any customer managed IAM policy allows full access to at least 1 AWS service.

Templates: CloudFormation
Service Control Policy
Restrict the Use of the Root User in an AWS Account

This SCP prevents the root user in an AWS account from taking any action, either directly as a command or through the console.

Templates: CloudFormation, Terraform, AWS CLI
Prevent Creation of New IAM Users or Access Keys

This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account.

Templates: CloudFormation, Terraform, AWS CLI
Prevent Creation of New IAM Users or Access Keys with an Exception for an Administrator Role

This SCP restricts IAM principals from creating new IAM users or IAM Access Keys in an AWS account with an exception for a specified Administrator IAM role.

Templates: CloudFormation, Terraform, AWS CLI
Prevent Modification of IAM Password Policy with an Exception for an Administrator Role

This SCP restricts IAM principals from modifying existing IAM password policies in an AWS account with an exception for a specified Administrator IAM role.

Templates: CloudFormation, Terraform, AWS CLI
Prevent IAM Changes to a Specified IAM Role

This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account (this could be a common administrative IAM role created in all accounts in your organization).

Templates: CloudFormation, Terraform, AWS CLI
Prevent IAM Changes to a Specified IAM Role with the Exception of that Role

This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account, except when the change is made by that specified role (this could be a common administrative IAM role created in all accounts in your organization).

Templates: CloudFormation, Terraform, AWS CLI
Prevent Users from Disabling AWS Access Analyzer in an account

This SCP prevents users or roles in any affected account from deleting AWS Access Analyzer in an AWS account.

Templates: CloudFormation, Terraform, AWS CLI