- Detect & correct accounts without alternate security contact
- Detect & correct accounts without metric filter for bucket policy changes
- Detect & correct accounts without metric filter for CloudTrail configuration
- Detect & correct accounts without metric filter for Config configuration
- Detect & correct accounts without metric filter for console authentication failure
- Detect & correct accounts without metric filter for console login MFA changes
- Detect & correct accounts without metric filter for disable or delete CMK
- Detect & correct accounts without metric filter for IAM policy changes
- Detect & correct accounts without metric filter for network ACL changes
- Detect & correct CloudWatch log groups without metric filter for network gateway changes
- Detect & correct CloudWatch log groups without metric filter for organization changes
- Detect & correct accounts without metric filter for root login
- Detect & correct accounts without metric filter for route table changes
- Detect & correct accounts without metric filter for security group changes
- Detect & correct accounts without metric filter for unauthorized API changes
- Detect & correct accounts without metric filter for VPC changes
- Detect & correct API Gateway rest API stages with x-ray tracing disabled
- Detect & correct CloudTrail trail logs not encrypted with KMS CMK
- Detect & correct CloudTrail trails with log file validation disabled
- Detect & correct CloudTrail trails with multi-region read/write disabled
- Detect & correct CloudTrail trails using public S3 bucket
- Detect & correct CloudTrail trails with S3 logging disabled
- Detect & correct CloudTrail trails with S3 object level logging for read events disabled
- Detect & correct CloudTrail trails with S3 object level logging for write events disabled
- Detect & correct Config disabled in regions
- Detect & correct DynamoDB table with deletion protection disabled
- Detect & correct DynamoDB table with point-in-time recovery disabled
- Detect & correct EBS encryption by default disabled in regions
- Detect & correct EBS snapshots when publicly restorable
- Detect & correct EC2 classic load balancers with connection draining disabled
- Detect & correct EC2 instances with IMDSv1 enabled
- Detect & correct EC2 instances with multiple ENIs
- Detect & correct EC2 instances with public access enabled
- Detect & correct EFS file systems with encryption at rest disabled
- Detect & correct regions with IAM Access Analyzer disabled
- Detect & correct IAM account password policies without maximum password age of 90 days
- Detect & correct IAM account password policies without minimum length of 14
- Detect & correct IAM account password policies without requirement for any lowercase letter
- Detect & correct IAM account password policies without requirement for any number
- Detect & correct IAM account password policies without requirement for any symbol
- Detect & correct IAM account password policies without requirement for any uppercase letter
- Detect & correct IAM account password policies without password reuse 24
- Detect & correct IAM accounts without support role
- Detect & correct IAM groups attached with *:* policy
- Detect & correct IAM groups with unrestricted CloudShellFullAccess policy
- Detect & correct IAM roles attached with *:* policy
- Detect & correct IAM roles with unrestricted CloudShellFullAccess policy
- Detect & correct IAM root users last used in 90 days or more
- Detect & correct IAM root users with access keys
- Detect & correct IAM root users with hardware MFA disabled
- Detect & correct IAM root users with MFA disabled
- Detect & correct expired IAM server certificates
- Detect & correct IAM users with unused access key from 90 days or more
- Detect & correct IAM users with access key created during initial user setup
- Detect & correct IAM users with console access MFA disabled
- Detect & correct IAM users with IAM policy attached
- Detect & correct IAM users with inline policy
- Detect & correct IAM users with more than one active key
- Detect & correct IAM users attached with *:* policy
- Detect & correct IAM users with unrestricted CloudShellFullAccess policy
- Detect & correct IAM users with unused access key from 45 days or more
- Detect & correct IAM users with unused access key from 90 days or more
- Detect & correct IAM users with unused login profile from 45 days or more
- Detect & correct IAM users with unused login profile from 90 days or more
- Detect & correct KMS keys with rotation disabled
- Detect & correct RDS DB instances with auto minor version upgrade disabled
- Detect & correct RDS DB instances with encryption at rest disabled
- Detect & correct RDS DB instances with Multi-AZ disabled
- Detect & correct RDS DB instances with public access enabled
- Detect & correct S3 buckets with block public access disabled
- Detect & correct S3 buckets with default encryption disabled
- Detect & correct S3 buckets with Macie disabled
- Detect & correct S3 buckets with MFA delete disabled
- Detect & correct S3 buckets without SSL enforcement
- Detect & correct Security Hub disabled in regions
- Detect & correct default VPC security groups allowing ingress egress
- Detect & correct VPC network ACLs allowing ingress to remote server administration ports
- Detect & correct VPC security groups allowing ingress to port 22
- Detect & correct VPC security groups allowing ingress to port 3389
- Detect & correct VPC security groups allowing ingress to port 445
- Detect & correct VPC security groups allowing ingress to remote server administration ports
- Detect & correct VPC security groups allowing ingress to remote server administration ports IPv4
- Detect & correct VPC security groups allowing ingress to remote server administration ports IPv6
- Detect & correct VPCs without flow logs
Trigger: Detect & correct IAM users with more than one active key
Detects IAM users with more than one active key and then deletes them.
Query
-- Count active access keys per user. Users are keyed by (account_id, name) so that
-- the same user name in two accounts of an aggregator connection is never merged.
with users_active_key_count as (
  select
    u.arn as user_arn,
    u.account_id as account_id,
    u.name as name,
    count(*) as num
  from
    aws_iam_user as u
    left join aws_iam_access_key as k
      on u.name = k.user_name
      and u.account_id = k.account_id
  where
    k.status = 'Active'
  group by
    u.arn,
    u.account_id,
    u.name
),
users_with_more_than_one_active_key as (
  select
    user_arn,
    account_id,
    name,
    num
  from
    users_active_key_count
  where
    num > 1
),
-- Rank each affected user's active keys by creation date (oldest key = rank 1).
ranked_keys as (
  select
    k.access_key_id,
    k.user_name,
    k.create_date,
    k.access_key_last_used_date,
    k.account_id,
    row_number() over (
      partition by k.account_id, k.user_name
      order by k.create_date asc
    ) as rnk,
    extract(day from (now() - k.create_date)) as access_key_age, -- Age in days since creation
    case
      when k.access_key_last_used_date is not null
        then extract(day from (now() - k.access_key_last_used_date))::text
      else 'not_used'
    end as access_key_last_used_in_days, -- Days since last used, or "not_used"
    case
      when k.access_key_last_used_date is not null
        then k.access_key_last_used_date::text
      else 'not_used'
    end as access_key_last_used, -- Last used date, or "not_used"
    sp_connection_name as conn
  from
    aws_iam_access_key as k
  where
    k.status = 'Active' -- only active keys take part in the ranking
    and (k.account_id, k.user_name) in (
      select account_id, name from users_with_more_than_one_active_key
    )
)
-- One row per user: the oldest active key as key 1, the next oldest as key 2.
select
  concat(rk1.user_name, ' [', rk1.account_id, ']') as title,
  rk1.user_name,
  rk1.account_id,
  rk1.access_key_id as access_key_id_1,
  rk1.access_key_last_used as access_key_1_last_used_date,
  (rk1.access_key_age)::text as access_key_1_age,
  rk1.access_key_last_used_in_days as access_key_1_last_used_in_days,
  rk2.access_key_id as access_key_id_2,
  rk2.access_key_last_used as access_key_2_last_used_date,
  (rk2.access_key_age)::text as access_key_2_age,
  rk2.access_key_last_used_in_days as access_key_2_last_used_in_days,
  rk1.conn
from
  ranked_keys rk1
  left join ranked_keys rk2
    on rk1.account_id = rk2.account_id
    and rk1.user_name = rk2.user_name
    and rk2.rnk = 2
where
  rk1.rnk = 1
order by
  rk1.account_id,
  rk1.user_name;
Schedule
15m
Tags
category = Compliance
mod = aws
service = AWS/IAM
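The following is an added Python example, not part of the mod, that applies the same detection logic as the trigger query above to a constructed, offline sample of access-key rows: keys are grouped per (account, user), inactive keys are ignored, and the oldest active key becomes key 1. The key ids and account ids are placeholders, and the `SAMPLE_NOW` timestamp stands in for `now()`.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows shaped like aws_iam_access_key; ids are placeholders, not real keys.
SAMPLE_KEYS = [
    {"account_id": "111111111111", "user_name": "alice", "access_key_id": "AKIA_EXAMPLE_A1",
     "status": "Active", "create_date": datetime(2024, 1, 1, tzinfo=timezone.utc),
     "access_key_last_used_date": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"account_id": "111111111111", "user_name": "alice", "access_key_id": "AKIA_EXAMPLE_A2",
     "status": "Active", "create_date": datetime(2024, 3, 1, tzinfo=timezone.utc),
     "access_key_last_used_date": None},
    {"account_id": "111111111111", "user_name": "alice", "access_key_id": "AKIA_EXAMPLE_A3",
     "status": "Inactive", "create_date": datetime(2023, 1, 1, tzinfo=timezone.utc),
     "access_key_last_used_date": None},
    # Same user name in a second account with a single active key: must not be reported.
    {"account_id": "222222222222", "user_name": "alice", "access_key_id": "AKIA_EXAMPLE_B1",
     "status": "Active", "create_date": datetime(2024, 2, 1, tzinfo=timezone.utc),
     "access_key_last_used_date": None},
    {"account_id": "111111111111", "user_name": "bob", "access_key_id": "AKIA_EXAMPLE_C1",
     "status": "Active", "create_date": datetime(2024, 5, 1, tzinfo=timezone.utc),
     "access_key_last_used_date": None},
]
SAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # constructed stand-in for now()


def days_since(then, now):
    """Days between two timestamps as text, or 'not_used' when there is no timestamp."""
    return "not_used" if then is None else str((now - then).days)


def users_with_multiple_active_keys(keys, now):
    """Return one finding per (account, user) with more than one Active key.
    Keys are ranked by create_date; the oldest is key 1, the next oldest key 2."""
    by_user = defaultdict(list)
    for k in keys:
        if k["status"] == "Active":  # inactive keys never count toward the finding
            by_user[(k["account_id"], k["user_name"])].append(k)
    findings = []
    for (account_id, user_name), user_keys in sorted(by_user.items()):
        if len(user_keys) < 2:
            continue
        k1, k2 = sorted(user_keys, key=lambda k: k["create_date"])[:2]
        findings.append({
            "title": f"{user_name} [{account_id}]",
            "account_id": account_id,
            "user_name": user_name,
            "access_key_id_1": k1["access_key_id"],
            "access_key_1_age": str((now - k1["create_date"]).days),
            "access_key_1_last_used_in_days": days_since(k1["access_key_last_used_date"], now),
            "access_key_id_2": k2["access_key_id"],
            "access_key_2_age": str((now - k2["create_date"]).days),
            "access_key_2_last_used_in_days": days_since(k2["access_key_last_used_date"], now),
        })
    return findings
```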