AWS IAM & Organization Audit

Number of APIs: 12

Description

The collection uses the REST (query) API exposed by AWS IAM to fetch data about IAM entities and their access to AWS resources.

The collection processes the fetched data in Postman "Pre-request & Test scripts" to detect deviations from the AWS IAM audit checklist below.

The audit result is pushed to Slack so the DevOps team can act on it.


Environment Variables


IAM Audit Checklist

  1. Check if root user access keys are disabled.

  2. Check if a strong password policy is set for the AWS account:
     - Minimum password length: 10
     - Require at least one lowercase letter
     - Require at least one number
     - Require at least one non-alphanumeric character
     - Allow users to change their own password
     - Enable password expiration (365 days)
     - Prevent password reuse (remember the last 24 passwords)

  3. Identify IAM users (humans) whose active access keys have not been rotated within the last 45 days.

  4. Identify IAM users (bots) whose active access keys have not been rotated within the last 180 days.

  5. Identify IAM users (humans) who have been inactive for more than 180 days.

  6. Identify IAM users (bots) who have been inactive for more than 180 days.

  7. Check if MFA is enabled for IAM users (humans).

  8. Identify all permissive policies attached to roles. Permissive policies: those where the value of "Principal" or "Action" is "*" (wildcard character).

  9. Identify unused and not recently used (not accessed in the last 180 days) permissions granted via policies attached to an IAM entity (user, group, role, or policy), using Service Last Accessed Data.

Requests

  1. List Users GET {{baseUrl}}/?Action=ListUsers&Version=2010-05-08&MaxItems=1000

  2. List groups GET {{baseUrl}}/?Action=ListGroups&Version=2010-05-08&MaxItems=1000

  3. List Roles GET {{baseUrl}}/?Action=ListRoles&Version=2010-05-08&MaxItems=1000

  4. List Policies GET {{baseUrl}}/?Action=ListPolicies&Version=2010-05-08&MaxItems=1000&Scope=Local

  5. Generate Service Last Accessed Details GET {{baseUrl}}/?Action=GenerateServiceLastAccessedDetails&Version=2010-05-08&Arn={{iamEntityArn}}

  6. Get Service Last Accessed Details GET {{baseUrl}}/?Action=GetServiceLastAccessedDetails&JobId={{JobId}}&Version=2010-05-08

  7. Post to Slack POST {{slack_url}}

  8. Get account alias GET {{baseUrl}}/?Action=ListAccountAliases&Version=2010-05-08

  9. Get Account Summary GET {{baseUrl}}/?Action=GetAccountSummary&Version=2010-05-08&MaxItems=1000

  10. Password Policy Check GET {{baseUrl}}/?Action=GetAccountPasswordPolicy&Version=2010-05-08
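As an added example that is not part of the collection, the script below shows the kind of check a Test script can run on the response of request 10 against the password policy thresholds of checklist item 2. It assumes the XML response has already been converted to an object with the IAM API's PasswordPolicy field names (as xml2Json in Postman would produce); SAMPLE_POLICY is constructed, not a real account's policy.

```javascript
// Added example: checks a parsed GetAccountPasswordPolicy result against the
// checklist thresholds. Field names follow the IAM API's PasswordPolicy
// element; SAMPLE_POLICY below is constructed, not a real account's policy.

// Thresholds from the audit checklist.
const REQUIRED_MIN_LENGTH = 10;
const MAX_PASSWORD_AGE_DAYS = 365;
const REUSE_PREVENTION = 24;
// The query API returns XML, so after XML-to-JSON conversion values are strings.
const isTrue = (v) => v === true || String(v).toLowerCase() === "true";

// Returns a list of findings; an empty list means the policy matches the checklist.
function auditPasswordPolicy(policy) {
  // IAM answers NoSuchEntity when the account has no custom policy at all.
  if (!policy) return ["No account password policy is set"];
  const findings = [];
  const minLen = Number(policy.MinimumPasswordLength || 0);
  if (minLen < REQUIRED_MIN_LENGTH) {
    findings.push(`Minimum password length ${minLen} < ${REQUIRED_MIN_LENGTH}`);
  }
  const booleanChecks = [
    ["RequireLowercaseCharacters", "Lowercase letter not required"],
    ["RequireNumbers", "Number not required"],
    ["RequireSymbols", "Non-alphanumeric character not required"],
    ["AllowUsersToChangePassword", "Users cannot change their own password"],
    ["ExpirePasswords", "Password expiration is disabled"],
  ];
  for (const [field, message] of booleanChecks) {
    if (!isTrue(policy[field])) findings.push(message);
  }
  // MaxPasswordAge is only meaningful (and only present) when expiration is on.
  const maxAge = Number(policy.MaxPasswordAge || 0);
  if (isTrue(policy.ExpirePasswords) && (maxAge < 1 || maxAge > MAX_PASSWORD_AGE_DAYS)) {
    findings.push(`Password max age ${maxAge} days is not within 1..${MAX_PASSWORD_AGE_DAYS}`);
  }
  const reuse = Number(policy.PasswordReusePrevention || 0);
  if (reuse < REUSE_PREVENTION) {
    findings.push(`Password reuse prevention ${reuse} < ${REUSE_PREVENTION}`);
  }
  return findings;
}

// Constructed sample: too short, no symbol requirement, weak reuse prevention.
const SAMPLE_POLICY = {
  MinimumPasswordLength: "8", RequireLowercaseCharacters: "true", RequireNumbers: "true",
  RequireSymbols: "false", AllowUsersToChangePassword: "true", ExpirePasswords: "true",
  MaxPasswordAge: "90", PasswordReusePrevention: "5",
};
console.log(auditPasswordPolicy(SAMPLE_POLICY)); // 3 findings
```

In the collection's Test script the returned findings would be what gets formatted into the Slack message.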