Qodex.ai

AWS IAM & Organization Audit

Number of APIs: 12

Description

The collection make use of REST API exposed by AWS IAM to fetch data related to IAM entities and their access to AWS resources.

The collection processes fetched data using “Pre-request & Post-requests Tests” to detect nonalignment with the AWS IAM audit checklist.

The audit result is pushed to Slack for further actions for DevOps Team.

Environment Variables

Environment KeyValue
awsaccesskey_idRead: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
awssecretaccess_keyRead: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
slack_urlRead: https://api.slack.com/incoming-webhooks

IAM Audit Checklist ``` 1. Check if root user access keys are disabled.

  1. Check if the strong password policy is set for an AWS account.
    Minimum password length (10) Require at least one lowercase letter Require at least one number Require at least one non-alphanumeric character Allow users to change their own password Enable password expiration (365 days) Prevent password reuse (24)

  2. Identify IAM users(humans) whose active access keys are not being rotated for every 45 days.

  3. Identify if IAM users(bots) whose active access keys are not being rotated for every 180 days.

  4. Identify IAM users(humans) who are inactive for more than 180 days.

  5. Identify IAM users(bots) who are inactive for more than 180 days.

  6. Check if the MFA is enabled for IAM users(humans).

  7. Identify all the permissive policies attached to the roles. Permissive policies : where the value of “Principle” or Action is “ * ” (wildcard character).

  8. Identify unused and not recently used (not last accessed in 180 days) permissions provisioned via policies attached with IAM entity (user, group, role, or policy) using service Last Accessed Data. ```

  1. Get account aliase GET https://iam.amazonaws.com/?Action=ListAccountAliases&Version=2010-05-08

  2. Get Account Summary GET https://iam.amazonaws.com/?Action=GetAccountSummary&Version=2010-05-08&MaxItems=1000

  3. Password Policy Check GET https://iam.amazonaws.com/?Action=GetAccountPasswordPolicy&Version=2010-05-08

  4. Generate IAM Credential Report GET https://iam.amazonaws.com/?Action=GenerateCredentialReport&Version=2010-05-08

  5. Analyse IAM Credential Report GET https://iam.amazonaws.com/?Action=GetCredentialReport&Version=2010-05-08

  6. List Users GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08&MaxItems=1000

  7. List groups GET https://iam.amazonaws.com/?Action=ListGroups&Version=2010-05-08&MaxItems=1000

  8. List Policies GET https://iam.amazonaws.com/?Action=ListPolicies&Version=2010-05-08&MaxItems=1000&Scope=Local

  9. Generate Service Last Accessed Details GET https://iam.amazonaws.com/?Action=GenerateServiceLastAccessedDetails&Version=2010-05-08&Arn={{iamEntityArn}}

  10. Get Service Last Accessed Details GET https://iam.amazonaws.com/?Action=GetServiceLastAccessedDetails&JobId={{JobId}}&Version=2010-05-08