Mirror of https://github.com/prowler-cloud/prowler.git, synced 2026-01-25 02:08:11 +00:00
chore(aws): enhance metadata for iam service (#9550)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Parent: 17f5633a8d
Commit: 463fc32fca
@@ -46,6 +46,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update AWS DataSync service metadata to new format [(#8854)](https://github.com/prowler-cloud/prowler/pull/8854)
|
||||
- Update AWS RDS service metadata to new format [(#9551)](https://github.com/prowler-cloud/prowler/pull/9551)
|
||||
- Update AWS Bedrock service metadata to new format [(#8827)](https://github.com/prowler-cloud/prowler/pull/8827)
|
||||
- Update AWS IAM service metadata to new format [(#9550)](https://github.com/prowler-cloud/prowler/pull/9550)
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,32 +1,43 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_administrator_access_with_mfa",
|
||||
"CheckTitle": "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled",
|
||||
"CheckTitle": "IAM group members granted AdministratorAccess have MFA enabled",
|
||||
"CheckType": [
|
||||
"Infrastructure Security"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
||||
"TTPs/Initial Access",
|
||||
"TTPs/Credential Access"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsIamUser",
|
||||
"ResourceType": "AwsIamGroup",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure users of groups with AdministratorAccess policy have MFA tokens enabled",
|
||||
"Risk": "Policy may allow Anonymous users to perform actions.",
|
||||
"Description": "**IAM groups** with the `AdministratorAccess` managed policy are assessed to ensure all member users have **active MFA**.\n\nThe finding highlights any administrator group that includes a user without MFA enrollment or activation.",
|
||||
"Risk": "**Admin users without MFA** are vulnerable to single-factor compromise. Stolen or guessed credentials can yield full control, enabling privilege escalation, policy changes, data exfiltration, and destructive operations, impacting **confidentiality**, **integrity**, and **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html",
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html",
|
||||
"https://repost.aws/knowledge-center/mfa-iam-user-aws-cli"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"CLI": "aws iam detach-group-policy --group-name <IAM_GROUP_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ensure the IAM group does not have AdministratorAccess attached\nResources:\n <example_resource_name>:\n Type: AWS::IAM::Group\n Properties:\n GroupName: <example_resource_name>\n ManagedPolicyArns: [] # Critical: remove AdministratorAccess from this group to avoid admin rights without MFA\n```",
|
||||
"Other": "1. In the AWS Console, go to IAM > User groups and open the group that has the AdministratorAccess policy.\n2. Note the users listed in the group. For each user, open IAM > Users > <user>.\n3. On the Security credentials tab, under Multi-factor authentication (MFA), select Assign MFA device.\n4. Choose Authenticator app (or a security key), follow the prompts, enter the two MFA codes, and click Add MFA.\n5. Repeat for all users in the group. Verify in IAM > Credential report that mfa_active is true for each user.",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure this repository and its contents should be publicly accessible.",
|
||||
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html"
|
||||
"Text": "Enforce **MFA** for all administrator identities.\n- Add conditions (e.g., `aws:MultiFactorAuthPresent`) to privileged permissions\n- Prefer **hardware/FIDO2** devices\n- Apply **least privilege** and favor **roles/SSO** over users\n- Continuously monitor MFA status and remove unused admin access",
|
||||
"Url": "https://hub.prowler.com/check/iam_administrator_access_with_mfa"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
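Review bot: the `CLI` and `NativeIaC` remediations fix a different condition from the one the check evaluates. The title and `Description` say the check reports admin groups whose members lack MFA, and the `Other` steps correctly walk through assigning an MFA device per user, but `aws iam detach-group-policy ... AdministratorAccess` and `ManagedPolicyArns: []` remove the group's admin rights instead of adding the second factor. Suggest a per-user command such as `aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number <MFA_DEVICE_ARN> --authentication-code1 <CODE1> --authentication-code2 <CODE2>`, or make the comments say explicitly that detaching the policy is the fallback when MFA cannot be enrolled. `Terraform` is still `""` while the sibling hunks in this commit fill it in.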
@@ -1,34 +1,40 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_avoid_root_usage",
|
||||
"CheckTitle": "Avoid the use of the root accounts",
|
||||
"CheckTitle": "AWS account root user has not been used in the last day",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsIamUser",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Avoid the use of the root account",
|
||||
"Risk": "The root account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.",
|
||||
"Description": "**AWS IAM root user** activity is assessed by inspecting `last-used` timestamps for the root password and access keys. The finding indicates when the root identity has been used recently for console or programmatic access.",
|
||||
"Risk": "Recent **root usage** expands blast radius:\n- Data exfiltration (**confidentiality**)\n- Policy/key tampering (**integrity**)\n- Resource deletion and billing changes (**availability**)\nRoutine use reduces anomaly visibility and eases **account takeover** impact.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/root-account-used-recently.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Other": "1. Sign in to the AWS Management Console as the root user\n2. In the top-right, click your account name > Security credentials\n3. Under Access keys for the root user, delete all existing keys\n4. Sign out of the root user and do not use it again\n5. Wait 24 hours (until the root user has not been accessed for a full day) for the check to pass",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Minimize `root` usage by applying **least privilege** with admin roles or federated SSO and temporary credentials.\n- Enforce **MFA** on root\n- Avoid or remove root access keys\n- Require multi-person approval\n- **Monitor and alert** on any root sign-in\n- Use org guardrails for **defense in depth**",
|
||||
"Url": "https://hub.prowler.com/check/iam_avoid_root_usage"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
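Review bot: step 1 of `Other` has the operator sign in as root, which itself refreshes the `last-used` timestamp the `Description` says the check inspects, so the `Wait 24 hours` in step 5 is a direct consequence of the remediation rather than an optional delay; step 5 should say so. `CLI` is left `""`; a verification command would help, e.g. `aws iam get-account-summary`, whose `AccountAccessKeysPresent` field should read 0 after step 3. `ResourceType` stays `AwsIamUser` although the resource is the account root, unlike the `AwsIamGroup`/`AwsIamPolicy` corrections made in the neighbouring hunks; confirm that is intentional.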
@@ -1,34 +1,42 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_aws_attached_policy_no_administrative_privileges",
|
||||
"CheckTitle": "Ensure IAM AWS-Managed policies that allow full \"*:*\" administrative privileges are not attached",
|
||||
"CheckTitle": "Attached AWS-managed IAM policy does not allow '*:*' administrative privileges",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
||||
"TTPs/Privilege Escalation"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "high",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure IAM AWS-Managed policies that allow full \"*:*\" administrative privileges are not attached",
|
||||
"Risk": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.",
|
||||
"Description": "**IAM AWS-managed policies** attached to identities are inspected for statements that allow `Action:'*'` on `Resource:'*'`-i.e., full administrative `*:*` permissions",
|
||||
"Risk": "**Unrestricted `*:*` access** enables any action on any resource, risking:\n- Data exfiltration (**confidentiality**)\n- Unauthorized changes and policy tampering (**integrity**)\n- Service deletion or shutdown (**availability**)\nAttackers can disable logging, create backdoor principals, and expand lateral movement.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233815-ensure-iam-roles-do-not-have-administratoraccess-policy-attached",
|
||||
"http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_47",
|
||||
"Terraform": "https://docs.prowler.com/checks/aws/iam-policies/iam_47#terraform"
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ensure no AWS-managed admin policy ('*:*') is attached\nResources:\n <example_resource_name>:\n Type: AWS::IAM::Role\n Properties:\n AssumeRolePolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n Service: ec2.amazonaws.com\n Action: sts:AssumeRole\n ManagedPolicyArns: [] # FIX: empty list detaches/removes any attached AWS-managed admin policy (e.g., AdministratorAccess)\n```",
|
||||
"Other": "1. In the AWS Console, go to IAM > Policies\n2. Search for the flagged AWS-managed policy (e.g., AdministratorAccess) and open it\n3. Click Attached entities\n4. Select all Users, Groups, and Roles shown and click Detach\n5. Confirm the policy shows 0 attached entities\n6. Rerun the check to verify it passes",
|
||||
"Terraform": "```hcl\n# Replace full admin attachment with a non-admin policy (ensure AdministratorAccess is not attached)\nresource \"aws_iam_role_policy_attachment\" \"<example_resource_name>\" {\n role = \"<example_resource_name>\"\n policy_arn = \"arn:aws:iam::aws:policy/ReadOnlyAccess\" # FIX: avoids '*:*' admin privileges; replace AdministratorAccess\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Apply **least privilege**: avoid attaching AWS-managed policies that grant `*:*`.\n- Use **customer-managed, scoped policies** per role\n- Enforce **separation of duties** and **permissions boundaries**\n- Prefer **temporary, time-bound elevation** for emergencies with MFA\n- Regularly review access and use conditions to constrain context",
|
||||
"Url": "https://hub.prowler.com/check/iam_aws_attached_policy_no_administrative_privileges"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
|
||||
@@ -1,34 +1,37 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_check_saml_providers_sts",
|
||||
"CheckTitle": "Check if there are SAML Providers then STS can be used",
|
||||
"CheckTitle": "IAM SAML provider exists in the account",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "low",
|
||||
"ResourceType": "Other",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Check if there are SAML Providers then STS can be used",
|
||||
"Risk": "Without SAML provider users with AWS CLI or AWS API access can use IAM static credentials. SAML helps users to assume role by default each time they authenticate.",
|
||||
"Description": "**IAM SAML providers** enable **federated role assumption** via STS `AssumeRoleWithSAML`.\n\nThis evaluates whether such providers exist in the account.",
|
||||
"Risk": "Without **SAML federation**, users rely on **long-lived IAM keys**. Compromised keys enable persistent API access, causing **data exfiltration (C)**, unauthorized resource or policy changes (**I**), and difficult revocation. Lack of IdP controls (e.g., **MFA**, session limits) weakens **accountability** and access governance.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"CLI": "aws iam create-saml-provider --name <SAML_PROVIDER_NAME> --saml-metadata-document file://<SAML_METADATA_XML_FILE>",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: create an IAM SAML provider to satisfy the check\nResources:\n <example_resource_name>:\n Type: AWS::IAM::SAMLProvider\n Properties:\n SamlMetadataDocument: \"<SAML_METADATA_XML_CONTENT>\" # Critical: creates the SAML provider so the check passes\n Name: <example_resource_name>\n```",
|
||||
"Other": "1. In the AWS console, go to IAM\n2. In the left menu, select Identity providers\n3. Click Add provider\n4. Set Provider type to SAML\n5. Upload the SAML metadata XML and enter a Provider name\n6. Click Add provider",
|
||||
"Terraform": "```hcl\n# Create an IAM SAML provider to satisfy the check\nresource \"aws_iam_saml_provider\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n saml_metadata_document = file(\"<SAML_METADATA_XML_FILE>\") # Critical: creates the SAML provider so the check passes\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable SAML provider and use temporary credentials. You can use temporary security credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs ). The temporary credentials provide the same permissions that you have with use long-term security credentials such as IAM user credentials. In case of not having SAML provider capabilities prevent usage of long-lived credentials.",
|
||||
"Url": "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"
|
||||
"Text": "Adopt **SAML federation** to issue **short-lived STS credentials**. Map users to roles with **least privilege**, enforce **MFA** at the IdP, and set conservative session durations. Retire IAM user access keys for interactive use and monitor role sessions as **defense in depth**. *If federation isn't possible*, tightly scope, rotate, and audit keys.",
|
||||
"Url": "https://hub.prowler.com/check/iam_check_saml_providers_sts"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,34 +1,41 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_customer_attached_policy_no_administrative_privileges",
|
||||
"CheckTitle": "Ensure IAM Customer-Managed policies that allow full \"*:*\" administrative privileges are not attached",
|
||||
"CheckTitle": "Attached IAM customer-managed policy does not allow '*:*' administrative privileges",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
||||
"TTPs/Privilege Escalation"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure IAM Customer-Managed policies that allow full \"*:*\" administrative privileges are not attached",
|
||||
"Risk": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.",
|
||||
"Description": "Attached **customer-managed IAM policies** are evaluated for statements granting full admin access via `Action: \"*\"`, `Resource: \"*\"`, i.e., `*:*`. Only policies you created and attached to identities are considered.",
|
||||
"Risk": "**Unrestricted admin access** lets any attached principal perform any action on any resource, enabling data exfiltration, policy tampering, credential creation, logging disablement, and destructive deletions-compromising **confidentiality, integrity, and availability** across the account.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/iam-policy-for-administration.html",
|
||||
"http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_47",
|
||||
"Terraform": "https://docs.prowler.com/checks/aws/iam-policies/iam_47#terraform"
|
||||
"CLI": "aws iam create-policy-version --policy-arn <EXAMPLE_POLICY_ARN> --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"iam:GetUser\",\"Resource\":\"*\"}]}' --set-as-default",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Replace admin '*' access with a specific action\nResources:\n <example_resource_name>:\n Type: AWS::IAM::ManagedPolicy\n Properties:\n PolicyDocument:\n Version: \"2012-10-17\"\n Statement:\n - Effect: Allow\n Action: iam:GetUser # CRITICAL: removes '*:*' by allowing only a specific action\n Resource: \"*\" # CRITICAL: no full admin since Action is not '*'\n```",
|
||||
"Other": "1. In the AWS Console, go to IAM > Policies and open the customer managed policy from the finding\n2. Select the Policy versions tab and click Create version\n3. Replace the JSON with:\n {\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"iam:GetUser\",\"Resource\":\"*\"}]}\n4. Check Set as default version and click Create version\n5. Confirm the policy no longer contains an Allow with Action \"*\" (or \"*:*\") over Resource \"*\"",
|
||||
"Terraform": "```hcl\n# Terraform: Managed policy without '*:*' admin privileges\nresource \"aws_iam_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Action = \"iam:GetUser\" # CRITICAL: not \"*\" or \"*:*\"; removes admin privileges\n Resource = \"*\" # CRITICAL: paired with specific action to avoid full admin\n }]\n })\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Enforce **least privilege**: replace wildcards with specific actions, scope `Resource` to needed ARNs, and add restrictive `Condition`s. Prefer role-based access and separation of duties. Use **permissions boundaries** and organization guardrails, and regularly review policies with policy validation and Access Analyzer.",
|
||||
"Url": "https://hub.prowler.com/check/iam_customer_attached_policy_no_administrative_privileges"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
|
||||
@@ -1,34 +1,41 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_customer_unattached_policy_no_administrative_privileges",
|
||||
"CheckTitle": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created",
|
||||
"CheckTitle": "Unattached customer managed IAM policy does not allow '*:*' administrative privileges",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
||||
"TTPs/Privilege Escalation"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "low",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created, may be eventual consistent if an ephemeral resource is using it",
|
||||
"Risk": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.",
|
||||
"Description": "**Customer-managed IAM policies** that are **unattached** are evaluated for statements granting **full administrative access** using `*:*` wildcards.\n\nThe focus is on policies whose documents include unrestricted actions on all resources.",
|
||||
"Risk": "An unattached policy with `*:*` can be attached accidentally or maliciously, granting account-wide control. Attackers could read sensitive data (**confidentiality**), alter or delete resources (**integrity**), and disrupt services (**availability**), enabling rapid **privilege escalation** and lateral movement.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/iam-policy-for-administration.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_47",
|
||||
"Terraform": "https://docs.prowler.com/checks/aws/iam-policies/iam_47#terraform"
|
||||
"CLI": "aws iam create-policy-version --policy-arn <example_resource_arn> --set-as-default --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"iam:GetAccountSummary\",\"Resource\":\"*\"}]}'",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: managed policy without administrative '*:*' privileges\nResources:\n <example_resource_name>:\n Type: AWS::IAM::ManagedPolicy\n Properties:\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action: iam:GetAccountSummary # Critical: use a specific action instead of '*'\n Resource: \"*\" # Critical: combined with specific action, avoids '*:*'\n```",
|
||||
"Other": "1. In the AWS Console, go to IAM > Policies\n2. Find the unattached customer managed policy and choose it\n3. Click Edit policy > JSON\n4. Remove any statement that allows Action \"*\" on Resource \"*\", or replace it with a specific action (e.g., \"iam:GetAccountSummary\")\n5. Save changes",
|
||||
"Terraform": "```hcl\n# IAM policy without '*:*' administrative privileges\nresource \"aws_iam_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Action = \"iam:GetAccountSummary\" # Critical: specific action, not '*'\n Resource = \"*\" # Critical: avoids '*:*' admin privileges\n }\n ]\n })\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Remove or redesign these policies to enforce **least privilege**:\n- Avoid `*` in actions/resources; scope precisely and use conditions\n- Apply **permissions boundaries** and **SCPs** as guardrails\n- Require peer review and policy validation before attachment\n- Use analysis tools to refine permissions and delete unused policies",
|
||||
"Url": "https://hub.prowler.com/check/iam_customer_unattached_policy_no_administrative_privileges"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
|
||||
@@ -1,30 +1,42 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_group_administrator_access_policy",
|
||||
"CheckTitle": "Ensure No IAM Groups Have Administrator Access Policy",
|
||||
"CheckType": [],
|
||||
"CheckTitle": "IAM group does not have AdministratorAccess policy attached",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"TTPs/Privilege Escalation"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsIamGroup",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "This check ensures that no IAM groups in your AWS account have the 'AdministratorAccess' policy attached. IAM users with this policy have unrestricted access to all AWS services and resources, which poses a significant security risk if misused.",
|
||||
"Risk": "IAM groups with administrator-level permissions can perform any action on any resource in your AWS environment. If these permissions are granted to users unnecessarily or to individuals without sufficient knowledge, it can lead to security vulnerabilities, data leaks, data loss, or unexpected charges.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html",
|
||||
"Description": "**IAM groups** are assessed for the AWS-managed `AdministratorAccess` policy attachment.\n\nThe finding reports any group that has this policy among its attached permissions.",
|
||||
"Risk": "Group-wide `AdministratorAccess` gives all members unrestricted control. A stolen or misused account can:\n- Read/exfiltrate sensitive data (C)\n- Modify or delete resources and configs (I/A)\n- Disable logging and weaken defenses, enabling persistence and lateral movement",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/group-with-privileged-access.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233798-ensure-no-iam-groups-have-administrator-access-policy",
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws iam detach-group-policy --group-name <groupname> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/group-with-privileged-access.html",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\n# CloudFormation: IAM group without AdministratorAccess attached\nResources:\n <example_resource_name>:\n Type: AWS::IAM::Group\n Properties:\n GroupName: <example_resource_name>\n ManagedPolicyArns: [] # Critical: empty list ensures AdministratorAccess is NOT attached to the group\n```",
|
||||
"Other": "1. In the AWS Console, go to IAM > User groups\n2. Select the target group (<groupname>)\n3. Open the Permissions tab > Attached policies\n4. Select the policy AdministratorAccess and click Detach\n5. Confirm to remove the policy",
|
||||
"Terraform": "```hcl\n# IAM group with no AdministratorAccess attachment\nresource \"aws_iam_group\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n # Critical: do NOT create any aws_iam_group_policy_attachment with\n # policy_arn = \"arn:aws:iam::aws:policy/AdministratorAccess\" for this group\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Replace the 'AdministratorAccess' policy with more specific permissions that follow the Principle of Least Privilege. Consider implementing IAM roles such as 'IAM Master' and 'IAM Manager' to manage permissions more securely.",
|
||||
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Remove `AdministratorAccess` from groups. Apply **least privilege** with task-scoped, customer-managed policies and **separation of duties**. Use roles for admin tasks with MFA, time-bound elevation, and auditing. Regularly review group membership and permissions; prefer **defense-in-depth** guardrails.",
|
||||
"Url": "https://hub.prowler.com/check/iam_group_administrator_access_policy"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,33 +1,42 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_inline_policy_allows_privilege_escalation",
|
||||
"CheckTitle": "Ensure no IAM Inline policies allow actions that may lead into Privilege Escalation",
|
||||
"CheckTitle": "IAM inline policy does not allow privilege escalation",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"TTPs/Privilege Escalation"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "inline_policy",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure no Inline IAM policies allow actions that may lead into Privilege Escalation",
|
||||
"Risk": "Users with some IAM permissions are allowed to elevate their privileges up to administrator rights.",
|
||||
"Description": "**IAM inline policies** are evaluated for permission combinations that enable **privilege escalation**, such as `sts:AssumeRole`, `iam:PassRole`, attaching/editing policies, or broad wildcards. The result highlights inline policies that allow a principal to obtain higher effective access.",
|
||||
"Risk": "Excessive inline policy permissions let identities escalate to admin, compromising CIA:\n- Confidentiality: read secrets and data\n- Integrity: alter policies, code, and configs\n- Availability: delete or stop resources, disable logging\nAttackers can persist by creating keys/users or assuming powerful roles.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
|
||||
"https://bishopfox.com/blog/privilege-escalation-in-aws",
|
||||
"https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py",
|
||||
"https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
|
||||
"https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Replace the risky inline policy with least-privilege actions\nResources:\n <example_resource_name>:\n Type: AWS::IAM::UserPolicy\n Properties:\n UserName: <example_resource_name>\n PolicyName: <example_resource_name>\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action: ec2:DescribeInstances # FIX: allow only non-privilege-escalation action; remove IAM/STS privilege-escalation actions\n Resource: \"*\" # FIX: no risky wildcard admin actions; this read-only action is safe\n```",
|
||||
"Other": "1. In the AWS Console, go to IAM > Users/Roles/Groups and select the entity with the failing inline policy\n2. In the Permissions tab, under Inline policies, choose the flagged policy and click Edit\n3. Remove privilege-escalation actions (e.g., iam:CreatePolicyVersion, iam:AttachUserPolicy, iam:PassRole, sts:AssumeRole, iam:UpdateAssumeRolePolicy)\n4. Keep only the minimum required, non-escalating permissions (for example, read-only actions)\n5. Save changes",
|
||||
"Terraform": "```hcl\n# Terraform: Replace the risky inline policy with least-privilege actions\nresource \"aws_iam_user_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n user = \"<example_resource_name>\"\n\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Action = \"ec2:DescribeInstances\" # FIX: only non-privilege-escalation action; remove IAM/STS escalation actions\n Resource = \"*\" # FIX: safe read-only scope\n }]\n })\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
|
||||
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
|
||||
"Text": "Apply **least privilege** and remove escalation paths:\n- Avoid wildcards and sensitive actions like `sts:AssumeRole`, `iam:PassRole`, or policy modification without tight scope\n- Restrict by resource and `Condition`\n- Prefer managed, versioned policies; use permissions boundaries/SCPs\n- Require reviews and MFA for admins",
|
||||
"Url": "https://hub.prowler.com/check/iam_inline_policy_allows_privilege_escalation"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"identity-access",
|
||||
"privilege-escalation"
|
||||
],
|
||||
"DependsOn": [],
|
||||
|
||||
@@ -1,34 +1,41 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_inline_policy_no_administrative_privileges",
|
||||
"CheckTitle": "Ensure IAM inline policies that allow full \"*:*\" administrative privileges are not associated to IAM identities",
|
||||
"CheckTitle": "Inline IAM policy does not allow '*:*' administrative privileges",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
||||
"TTPs/Privilege Escalation"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "high",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure inline policies that allow full \"*:*\" administrative privileges are not associated to IAM identities",
|
||||
"Risk": "IAM policies are the means by which privileges are granted to users, groups or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.",
|
||||
"Description": "**IAM inline policies** on identities are evaluated for statements allowing `Action:\"*\"` on `Resource:\"*\"`, which indicates **unrestricted administrative access**.",
|
||||
"Risk": "Granting `*:*` to an identity collapses **least privilege**, enabling total control over AWS. A compromised principal can exfiltrate data (**confidentiality**), alter configs or disable logging (**integrity**), and delete resources or keys (**availability**), enabling rapid **lateral movement** and persistent takeover.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233799-ensure-iam-inline-policies-that-allow-full-administrative-privileges-are-not-associated-to-iam-id"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://docs.prowler.com/checks/aws/iam-policies/iam_47",
|
||||
"Terraform": "https://docs.prowler.com/checks/aws/iam-policies/iam_47#terraform"
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Inline policy without '*:*' privileges\nResources:\n <example_resource_name>Policy:\n Type: AWS::IAM::Policy\n Properties:\n PolicyName: leastpriv\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action: s3:ListBucket # Critical: specific action, not \"*\"\n Resource: arn:aws:s3:::<example_resource_name> # Critical: specific resource, not \"*\"\n Roles:\n - <example_resource_name>\n```",
|
||||
"Other": "1. In the AWS Console, open IAM\n2. Go to Users, Roles, or Groups (whichever has the inline policy)\n3. Select the entity, then open the Inline policies section\n4. Edit the inline policy JSON and remove any statement with \"Effect\": \"Allow\" and both \"Action\": \"*\" and \"Resource\": \"*\"\n5. Replace it with only the specific actions and specific resource ARNs required\n6. Save changes",
|
||||
"Terraform": "```hcl\n# Terraform: Inline role policy without '*:*' privileges\nresource \"aws_iam_role_policy\" \"<example_resource_name>\" {\n name = \"leastpriv\"\n role = \"<example_resource_name>\"\n\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Action = \"s3:ListBucket\" # Critical: specific action, not \"*\"\n Resource = \"arn:aws:s3:::<example_resource_name>\" # Critical: specific resource, not \"*\"\n }]\n })\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Remove `Action:\"*\"` with `Resource:\"*\"` from inline policies. Apply **least privilege** with granular actions scoped to specific resources and conditions. Prefer versioned customer-managed policies over broad inline ones, enforce **separation of duties**, and use **permissions boundaries** or guardrails to prevent accidental admin grants.",
|
||||
"Url": "https://hub.prowler.com/check/iam_inline_policy_no_administrative_privileges"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
|
||||
@@ -1,34 +1,40 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_inline_policy_no_full_access_to_cloudtrail",
|
||||
"CheckTitle": "Ensure IAM inline policies that allow full \"cloudtrail:*\" privileges are not created",
|
||||
"CheckTitle": "Inline IAM policy does not allow 'cloudtrail:*' privileges",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
||||
"TTPs/Defense Evasion"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "inline_policies",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "medium",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure IAM inline policies that allow full \"cloudtrail:*\" privileges are not created",
|
||||
"Risk": "CloudTrail is a critical service and IAM policies should follow least privilege model for this service in particular",
|
||||
"Description": "**IAM inline policies** are evaluated for statements that grant **full CloudTrail permissions** (`cloudtrail:*`) to all resources.\n\nThe finding flags identity policies that provide unrestricted control over CloudTrail operations.",
|
||||
"Risk": "Full CloudTrail access allows stopping trails, modifying configurations, or deleting audit data, compromising log **integrity** and **availability**. It also exposes event data, impacting **confidentiality**. Adversaries could hide activity, evade detection, and obstruct investigations.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233808-ensure-iam-policies-that-allow-full-cloudtrail-privileges-are-not-created"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\n# CloudFormation: restrict CloudTrail permissions in inline policy\nResources:\n <example_resource_name>InlinePolicy:\n Type: AWS::IAM::Policy\n Properties:\n PolicyName: <example_resource_name>-policy\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action:\n - cloudtrail:DescribeTrails # Critical: use specific action(s) instead of 'cloudtrail:*' to avoid full service access\n Resource: \"*\"\n Roles:\n - <example_resource_name>\n```",
|
||||
"Other": "1. Open the IAM console and go to Users, Roles, or Groups\n2. Select the entity with the failing inline policy\n3. In Permissions, expand Inline policies and open the policy\n4. Click Edit policy and switch to the JSON editor\n5. Replace any \"Action\": \"cloudtrail:*\" with only required CloudTrail actions (e.g., \"cloudtrail:DescribeTrails\"), or remove that statement if not needed\n6. Save changes",
|
||||
"Terraform": "```hcl\nresource \"aws_iam_role_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>-policy\"\n role = \"<example_resource_name>\"\n\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Action = [\"cloudtrail:DescribeTrails\"] # Critical: replace 'cloudtrail:*' with specific action(s) to remove full service access\n Resource = \"*\"\n }]\n })\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Enforce **least privilege** and **separation of duties**: avoid `cloudtrail:*`; grant only specific actions needed (prefer read-only where possible). Add guardrails or boundaries to block destructive actions. Use managed, centrally governed policies and periodically right-size permissions based on usage.",
|
||||
"Url": "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_cloudtrail"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,32 +1,41 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_inline_policy_no_full_access_to_kms",
|
||||
"CheckTitle": "Ensure IAM inline policies that allow full \"kms:*\" privileges are not created",
|
||||
"CheckTitle": "Inline IAM policy does not allow kms:* privileges",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"TTPs/Privilege Escalation",
|
||||
"Effects/Data Exposure"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "inline_policy",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure IAM inline policies that allow full \"kms:*\" privileges are not created",
|
||||
"Risk": "KMS is a critical service and IAM policies should follow least privilege model for this service in particular",
|
||||
"Description": "**IAM inline policies** are analyzed to identify statements that grant **unrestricted AWS KMS access** via the wildcard action `kms:*`.",
|
||||
"Risk": "Granting `kms:*` enables decryption of protected data, modification of key policies and grants, and disabling or deleting keys.\n\nImpacts:\n- **Confidentiality** via unauthorized decryption\n- **Integrity** through key/grant tampering\n- **Availability** if keys are disabled or deleted, breaking encrypted workloads",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
|
||||
"https://support.icompaas.com/support/solutions/articles/62000233801-ensure-iam-inline-policies-that-allow-full-kms-privileges-are-not-created"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Inline IAM policy without kms:* full access\nResources:\n <example_resource_name>:\n Type: AWS::IAM::User\n Properties:\n Policies:\n - PolicyName: <example_resource_name>-policy\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action:\n - kms:Encrypt # CRITICAL: replace 'kms:*' with only required KMS action(s) to remove full access\n Resource: \"*\"\n```",
|
||||
"Other": "1. In the AWS Console, open IAM and go to Users, Roles, or Groups (where the inline policy is attached)\n2. Select the entity, go to the Permissions tab, and open the inline policy that allows KMS\n3. Click Edit policy and switch to the JSON editor\n4. Replace any \"Action\": \"kms:*\" with only the specific KMS action(s) required (e.g., \"kms:Encrypt\")\n5. Save changes",
|
||||
"Terraform": "```hcl\n# Inline IAM policy without kms:* full access\nresource \"aws_iam_user_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>-policy\"\n user = \"<example_resource_name>\"\n\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Action = [\n \"kms:Encrypt\" # CRITICAL: replace 'kms:*' with specific action(s) to remove full access\n ]\n Resource = \"*\"\n }]\n })\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
|
||||
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Replace `kms:*` with **least-privilege**, action-scoped permissions limited to required operations and specific key ARNs. Enforce **separation of duties** for key admins vs users. Prefer **managed policies** over inline and apply guardrails (permissions boundaries/SCPs). Add conditions to constrain service, region, and encryption context.",
|
||||
"Url": "https://hub.prowler.com/check/iam_inline_policy_no_full_access_to_kms"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,32 +1,41 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_no_custom_policy_permissive_role_assumption",
|
||||
"CheckTitle": "Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)",
|
||||
"CheckTitle": "Custom IAM policy does not allow STS role assumption on wildcard resources",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"TTPs/Privilege Escalation",
|
||||
"TTPs/Lateral Movement"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)",
|
||||
"Risk": "If not restricted unintended access could happen.",
|
||||
"RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy",
|
||||
"Description": "**Custom IAM policies** with `Allow` statements that grant `sts:AssumeRole` (or `sts:*`/`*`) to a wildcard `Resource`.",
|
||||
"Risk": "Broad `AssumeRole` rights let principals obtain **temporary credentials** for many roles, enabling **privilege escalation**, **lateral movement**, and **cross-account access** where trusts allow. This jeopardizes **confidentiality** and **integrity** of data and the control plane.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"CLI": "aws iam create-policy-version --policy-arn <example_policy_arn> --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Resource\":\"arn:aws:iam::<example_account_id>:role/<example_resource_name>\"}]}' --set-as-default",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: Replace wildcard resource with a specific role ARN\nResources:\n <example_resource_name>:\n Type: AWS::IAM::ManagedPolicy\n Properties:\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action: sts:AssumeRole\n Resource: arn:aws:iam::<example_account_id>:role/<example_resource_name> # CRITICAL: restrict to a specific role ARN to remove wildcard\n```",
|
||||
"Other": "1. Open the AWS Console and go to IAM > Policies\n2. Select the custom policy that FAILED and click Edit policy (JSON)\n3. Find any statement with Effect: Allow and Action including sts:AssumeRole (or sts:* or *) where Resource is \"*\"\n4. Change Resource to the specific role ARN(s), e.g.: arn:aws:iam::<example_account_id>:role/<example_resource_name>\n5. Save changes to create the new default version",
|
||||
"Terraform": "```hcl\n# Terraform: Replace wildcard resource with a specific role ARN\nresource \"aws_iam_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Action = \"sts:AssumeRole\"\n Resource = \"arn:aws:iam::<example_account_id>:role/<example_resource_name>\" // CRITICAL: restrict to a specific role ARN to remove wildcard\n }]\n })\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Use the least privilege principle when granting permissions.",
|
||||
"Url": "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
|
||||
"Text": "Apply **least privilege** to `sts:AssumeRole`:\n- Scope `Resource` to exact role ARNs\n- Require **MFA** and, for third parties, `ExternalId`\n- Enforce **permissions boundaries** and **SCPs** to block wildcards\n- Regularly remove unused role-assumption rights and **separate duties**",
|
||||
"Url": "https://hub.prowler.com/check/iam_no_custom_policy_permissive_role_assumption"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM"
|
||||
|
||||
@@ -1,31 +1,35 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_no_expired_server_certificates_stored",
|
||||
"CheckTitle": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed.",
|
||||
"CheckTitle": "IAM server certificate is not expired",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "Other",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "AwsCertificateManagerCertificate",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed.",
|
||||
"Risk": "Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB.",
|
||||
"Description": "IAM server certificates stored in **AWS IAM** are evaluated for **expiration** by comparing their validity period to the current time. Certificates with a `NotAfter` date in the past are identified as expired.",
|
||||
"Risk": "Retaining **expired TLS certificates** risks **availability** loss from failed handshakes and browser warnings, eroding trust.\n\nIf attached to endpoints, users may bypass warnings, weakening **confidentiality** and **integrity**. Stale certs also hinder **secure rotation** and may be picked by automation, causing outages.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/expired-ssl-tls-certificate.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME",
|
||||
"CLI": "aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>",
|
||||
"NativeIaC": "",
|
||||
"Other": "Removing expired certificates via AWS Management Console is not currently supported.",
|
||||
"Other": "1. Deleting IAM server certificates is not supported in the AWS Management Console.\n2. Use the CLI to remove the expired certificate: aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. One has to make configurations at respective services to ensure there is no interruption in application functionality.",
|
||||
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html"
|
||||
"Text": "Remove **expired certificates** from IAM and ensure endpoints use current, trusted TLS.\n\nPrefer **AWS Certificate Manager** for issuance and auto-renewal, enforce **lifecycle management** with inventory, tagging, and alerts, and apply **least privilege** to certificate access with standardized rotation policies.",
|
||||
"Url": "https://hub.prowler.com/check/iam_no_expired_server_certificates_stored"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,34 +1,42 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_no_root_access_key",
|
||||
"CheckTitle": "Ensure no root account access key exists",
|
||||
"CheckTitle": "Root account has no active access keys",
|
||||
"CheckType": [
|
||||
"Software and Configuration Checks",
|
||||
"Industry and Regulatory Standards",
|
||||
"CIS AWS Foundations Benchmark"
|
||||
"Software and Configuration Checks/AWS Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
|
||||
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
|
||||
"TTPs/Credential Access"
|
||||
],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "AwsIamAccessKey",
|
||||
"ResourceGroup": "IAM",
|
||||
"Description": "Ensure no root account access key exists",
|
||||
"Risk": "The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role based accounts that are least privileged.",
|
||||
"Description": "**AWS root user** is evaluated for **active access keys**. It identifies whether the root identity has one or two programmatic credentials and notes when organization-level root credential management is present.",
|
||||
"Risk": "**Root access keys** provide unrestricted API access. If exposed or misused, attackers can:\n- Turn off logging and alter policies (**integrity**)\n- Read or export data (**confidentiality**)\n- Delete resources and lock out admins (**availability**)\nLong-lived keys can persist and may bypass console-only MFA.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html",
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/root-account-access-keys-present.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Other": "1. Sign in to the AWS Management Console as the root user\n2. Open My Security Credentials (account menu) or go to https://console.aws.amazon.com/iam/home?#/security_credentials\n3. Expand Access keys\n4. For each key with Status \"Active\", choose Delete and confirm\n5. Verify no Active keys remain for the root user",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Use the credential report to check the user and ensure the access_key_1_active and access_key_2_active fields are set to FALSE. If using AWS Organizations, consider enabling Centralized Root Management and removing individual root credentials.",
|
||||
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html"
"Text": "Delete and prohibit **root access keys**. Use **IAM roles** and temporary credentials with **least privilege** for all automation. Enable **MFA on root**, limit root to break-glass use, and continuously monitor for any new root keys. *Where applicable*, apply organization-wide controls to enforce this.",
"Url": "https://hub.prowler.com/check/iam_no_root_access_key"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
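Review bot: `"CLI"` stays empty while `"Other"` gains console steps, yet this check has a straightforward CLI remediation and verification: run `aws iam list-access-keys` and `aws iam delete-access-key --access-key-id <key-id>` with the root credentials, then confirm with `aws iam get-account-summary` that `AccountAccessKeysPresent` is `0`. The new Recommendation text also drops the credential-report fields (`access_key_1_active`, `access_key_2_active`) the old text named; since step 5 of `"Other"` says "Verify no Active keys remain", keep that concrete verification somewhere, for example in `"Notes"`, which is left empty.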
@@ -1,34 +1,37 @@
{
"Provider": "aws",
"CheckID": "iam_password_policy_expires_passwords_within_90_days_or_less",
"CheckTitle": "Ensure IAM password policy expires passwords within 90 days or less",
"CheckTitle": "IAM account password policy enforces password expiration within 90 days or less",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM password policy expires passwords within 90 days or less",
"Risk": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.",
"Description": "**IAM account password policy** sets a **password expiration period** for IAM user console logins; configuration is aligned when rotation is enabled and set to `<= 90` days.",
"Risk": "Without rotation, stale passwords persist, enabling **credential stuffing**, **brute force**, and **password reuse** attacks. A compromised IAM user can retain console access, enabling **data exfiltration**, privilege escalation, and loss of **confidentiality** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-account-password-policy --max-password-age 90",
"NativeIaC": "```yaml\n# CloudFormation: Set IAM account password policy to expire passwords within 90 days\nResources:\n ExampleAccountPasswordPolicy:\n Type: AWS::IAM::AccountPasswordPolicy\n Properties:\n MaxPasswordAge: 90 # Critical: enforces password expiration in 90 days or less to pass the check\n```",
"Other": "1. In the AWS Console, go to IAM\n2. Select Account settings\n3. In Password policy, click Edit\n4. Check Enable password expiration and set Password expiration period (days) to 90 or less\n5. Click Save changes",
"Terraform": "```hcl\n# Enforce IAM password expiration within 90 days\nresource \"aws_iam_account_password_policy\" \"example\" {\n max_password_age = 90 # Critical: enforces password expiration <= 90 days to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Ensure Password expiration period (in days): is set to 90 or less.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
"Text": "Enforce **password rotation** at `<= 90` days and **prevent reuse**. Pair with **MFA**, strong length/complexity, and prefer **federation/SSO** to reduce static passwords. Apply **least privilege**, monitor sign-ins, and remove inactive console passwords to limit exposure.",
"Url": "https://hub.prowler.com/check/iam_password_policy_expires_passwords_within_90_days_or_less"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
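Review bot: the CLI `aws iam update-account-password-policy --max-password-age 90` silently weakens the rest of the account password policy, because `UpdateAccountPasswordPolicy` does not support partial updates: every parameter not passed reverts to its default (minimum length 6, no character-class requirements, reuse prevention and expiration off). Running this remediation as written would make the sibling password-policy checks touched in this same commit fail. Either pass the whole desired policy in one call (`--minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols --password-reuse-prevention 24 --max-password-age 90`) or add a sentence to `"Notes"` warning that the single-flag form resets the other settings. The same caveat applies to the one-attribute CloudFormation and Terraform snippets, since `AWS::IAM::AccountPasswordPolicy` and `aws_iam_account_password_policy` each describe the full account-wide singleton.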
@@ -1,34 +1,38 @@
{
"Provider": "aws",
"CheckID": "iam_password_policy_lowercase",
"CheckTitle": "Ensure IAM password policy require at least one lowercase letter",
"CheckTitle": "IAM password policy requires at least one lowercase letter",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceType": "Other",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM password policy requires at least one uppercase letter",
"Risk": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.",
"Description": "**IAM password policy** requires at least one **lowercase** character in user passwords via the `Require lowercase` setting",
"Risk": "Without a lowercase requirement, passwords have reduced entropy, making **brute force** and **password spraying** more effective. Compromised IAM users can enable unauthorized access and changes, risking **confidentiality**, **integrity**, and **availability** of AWS resources.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-account-password-policy --require-lowercase-characters",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::IAM::AccountPasswordPolicy\n Properties:\n RequireLowercaseCharacters: true # Critical: Enforces at least one lowercase letter in passwords\n```",
"Other": "1. In the AWS Console, open IAM\n2. Go to Account settings\n3. In Password policy, click Edit\n4. Check \"Require at least one lowercase letter (a-z)\"\n5. Click Save changes",
"Terraform": "```hcl\nresource \"aws_iam_account_password_policy\" \"<example_resource_name>\" {\n require_lowercase_characters = true # Critical: Enforces at least one lowercase letter in passwords\n}\n```"
},
"Recommendation": {
"Text": "Ensure \"Requires at least one lowercase letter\" is checked under \"Password Policy\".",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
"Text": "Adopt a strong password policy that:\n- Enables `Require at least one lowercase letter` plus uppercase, number, and symbol\n- Sets sufficient length and blocks reuse\n- Requires **MFA** for all users\n- Applies **least privilege** to limit blast radius",
"Url": "https://hub.prowler.com/check/iam_password_policy_lowercase"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
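Review bot: `"Severity"` drops from `medium` to `low` here, while the sibling character-class checks in this same commit (`iam_password_policy_uppercase`, `_number`, `_symbol`) stay at `medium`; the four controls are symmetric, so either align them or record the reason in `"Notes"`. `"CheckType"` is likewise the odd one out, omitting `AWS Foundational Security Best Practices`, which the number, symbol and uppercase hunks add. The new `"Description"` correctly fixes the copy-paste error in the old one (it said "uppercase"), but it is the only description in the set without a terminating period.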
@@ -1,34 +1,40 @@
{
"Provider": "aws",
"CheckID": "iam_password_policy_minimum_length_14",
"CheckTitle": "Ensure IAM password policy requires minimum length of 14 or greater",
"CheckTitle": "IAM password policy requires passwords to be at least 14 characters long",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM password policy requires minimum length of 14 or greater",
"Risk": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require minimum length of 14 or greater.",
"Description": "**IAM password policy** is assessed for the **minimum password length** setting, confirming it meets `>= 14` characters for IAM console users.",
"Risk": "Low minimum length reduces entropy, easing **brute force** and **credential stuffing**. Compromised IAM users enable console access, unauthorized changes, and lateral movement, leading to data exposure (confidentiality) and tampering (integrity).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
"https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/IAM/Resource.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-account-password-policy --minimum-password-length 14",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::IAM::AccountPasswordPolicy\n Properties:\n MinimumPasswordLength: 14 # Critical: sets minimum password length to 14 to pass the check\n```",
"Other": "1. Sign in to the AWS Console and open IAM\n2. Go to Account settings > Password policy and click Edit\n3. Set Enforce minimum password length to 14\n4. Click Save changes (and confirm Set custom if prompted)",
"Terraform": "```hcl\nresource \"aws_iam_account_password_policy\" \"<example_resource_name>\" {\n minimum_password_length = 14 # Critical: enforces minimum password length >=14\n}\n```"
},
"Recommendation": {
"Text": "Ensure \"Minimum password length\" is checked under \"Password Policy\".",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
"Text": "Set the **minimum password length** to `>= 14` (prefer `16+`).\n- Require mixed character types and prevent reuse\n- Enforce **MFA** for all console users\n- Prefer SSO over local IAM users\n- Apply least privilege and monitor authentication events",
"Url": "https://hub.prowler.com/check/iam_password_policy_minimum_length_14"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
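Review bot: `"AdditionalURLs"` keeps `https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/IAM/Resource.html`, a Ruby SDK class reference with no bearing on the password-length control; drop it, since the Config rule and IAM user-guide links already cover the topic. The `"Other"` steps also stop at "Set Enforce minimum password length to 14" without the bounds a reader needs when following the Recommendation's `16+` advice: the API accepts values from 6 to 128, which is a one-line addition to `"Notes"`.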
@@ -1,34 +1,39 @@
{
"Provider": "aws",
"CheckID": "iam_password_policy_number",
"CheckTitle": "Ensure IAM password policy require at least one number",
"CheckTitle": "IAM password policy requires at least one number",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM password policy require at least one number",
"Risk": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number.",
"Description": "**IAM account password policy** requires at least one **numeric character** (`0-9`) in IAM user passwords",
"Risk": "Passwords without numbers have lower entropy, making **brute-force** and **credential-stuffing** more effective. A compromised IAM user can gain console access, enabling data exposure (**confidentiality**), configuration changes (**integrity**), and resource abuse or deletion (**availability**).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-account-password-policy --require-numbers",
"NativeIaC": "```yaml\n# CloudFormation: Enforce at least one number in IAM user passwords\nResources:\n <example_resource_name>:\n Type: AWS::IAM::AccountPasswordPolicy\n Properties:\n RequireNumbers: true # Critical: requires at least one number in passwords\n```",
"Other": "1. Open the AWS Management Console and go to IAM\n2. In the left menu, click Account settings\n3. In Password policy, click Edit\n4. Check Require at least one number\n5. Click Save changes and confirm Set custom",
"Terraform": "```hcl\n# Enforce at least one number in IAM user passwords\nresource \"aws_iam_account_password_policy\" \"<example_resource_name>\" {\n require_numbers = true # Critical: requires at least one number in passwords\n}\n```"
},
"Recommendation": {
"Text": "Ensure \"Require at least one number\" is checked under \"Password Policy\".",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
"Text": "Enforce the password policy option to `require at least one number`. Combine with strong length, mixed case, and symbols, and prevent reuse. Enable **MFA** for all users and prefer **federated access** to limit static credentials, supporting **defense in depth** against guessing attacks.",
"Url": "https://hub.prowler.com/check/iam_password_policy_number"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
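Review bot: the Terraform snippet declares a fresh `aws_iam_account_password_policy` resource that sets only `require_numbers`; this resource is a per-account singleton, so a user who pastes the snippets from this check and from the sibling length, reuse, uppercase, lowercase and symbol checks side by side ends up with several resources fighting over one API object, where whichever applies last wins and the API resets the attributes it did not receive to their defaults. Remediation code for these checks should show, or at least point to, a single resource that carries every attribute, with the `# Critical:` comment on the one that satisfies this check. The same applies to the `AWS::IAM::AccountPasswordPolicy` CloudFormation snippet.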
@@ -1,34 +1,39 @@
{
"Provider": "aws",
"CheckID": "iam_password_policy_reuse_24",
"CheckTitle": "Ensure IAM password policy prevents password reuse: 24 or greater",
"CheckTitle": "IAM password policy prevents reuse of the last 24 passwords",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM password policy prevents password reuse: 24 or greater",
"Risk": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy prevents at least password reuse of 24 or greater.",
"Description": "**IAM account password policy** uses **password reuse prevention** set to `24` remembered passwords (maximum history) for IAM users",
"Risk": "If fewer than `24` passwords are remembered, users can cycle back to recent secrets, undermining rotation. Attackers with previously exposed passwords can regain console access after a change, reducing **confidentiality** and **integrity** and increasing success of credential-stuffing with known credentials.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-account-password-policy --password-reuse-prevention 24",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::IAM::AccountPasswordPolicy\n Properties:\n PasswordReusePrevention: 24 # Critical: prevents reuse of the last 24 passwords\n```",
"Other": "1. Open the AWS Management Console and go to IAM\n2. In the left menu, select Account settings\n3. In Password policy, click Edit\n4. Select Custom (if not already)\n5. Set Prevent password reuse to 24\n6. Click Save changes",
"Terraform": "```hcl\nresource \"aws_iam_account_password_policy\" \"<example_resource_name>\" {\n password_reuse_prevention = 24 # Critical: require last 24 passwords cannot be reused\n}\n```"
},
"Recommendation": {
"Text": "Ensure \"Number of passwords to remember\" is set to 24.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
"Text": "Set the password policy to remember `24` previous passwords to block reuse. Combine with **MFA**, strong length and complexity, and avoid rotation practices that encourage predictable patterns. Apply **least privilege** and monitor authentication events as part of **defense in depth**.",
"Url": "https://hub.prowler.com/check/iam_password_policy_reuse_24"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
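Review bot: the `"Description"` says "`24` remembered passwords (maximum history)" without stating that 24 is the upper bound of `PasswordReusePrevention` (valid range 1 to 24), which is the actual reason the title moved from "24 or greater" to exactly 24; one sentence in `"Notes"` saves a reader from trying a larger value. Minor: step 4 of `"Other"` ("Select Custom (if not already)") is the only password-policy hunk in this commit that describes switching the console form to custom before editing, while the number hunk describes it as a confirmation after saving; settle on one wording across the set.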
@@ -1,34 +1,40 @@
{
"Provider": "aws",
"CheckID": "iam_password_policy_symbol",
"CheckTitle": "Ensure IAM password policy require at least one symbol",
"CheckTitle": "IAM password policy requires at least one symbol",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"TTPs/Credential Access"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM password policy require at least one symbol",
"Risk": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one non-alphanumeric character.",
"Description": "**IAM account password policy** includes the `Require at least one non-alphanumeric character` rule for IAM user passwords",
"Risk": "Missing a **symbol requirement** lowers password entropy, increasing success of **brute force** and **credential stuffing** against console logins. A compromised IAM user can gain unauthorized access and modify resources, threatening **confidentiality** and **integrity** across the account.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-account-password-policy --require-symbols",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::IAM::AccountPasswordPolicy\n Properties:\n RequireSymbols: true # Critical: requires at least one symbol in passwords\n```",
"Other": "1. In the AWS console, open IAM\n2. Go to Account settings\n3. Click Edit in the Password policy section\n4. Check \"Require at least one non-alphanumeric character (symbol)\"\n5. Click Save changes",
"Terraform": "```hcl\nresource \"aws_iam_account_password_policy\" \"<example_resource_name>\" {\n require_symbols = true # Critical: require at least one symbol in passwords\n}\n```"
},
"Recommendation": {
"Text": "Ensure \"Require at least one non-alphanumeric character\" is checked under \"Password Policy\".",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
"Text": "Enforce the `Require at least one non-alphanumeric character` rule in the **IAM password policy**, alongside strong minimum length, mixed character sets, and password reuse prevention. Apply **MFA** for all human users and uphold **least privilege** to limit impact. *Consider periodic rotation based on risk.*",
"Url": "https://hub.prowler.com/check/iam_password_policy_symbol"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
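Review bot: `"CheckType"` adds `TTPs/Credential Access` only for this check; the uppercase, lowercase and number hunks, whose `"Risk"` text describes the same brute-force and credential-stuffing threat, do not carry it. Either add it to all four or drop it here. The Recommendation's closing sentence about periodic rotation also belongs to `iam_password_policy_expires_passwords_within_90_days_or_less`, which owns that control in this commit; the per-check text is more useful when it stays on the symbol requirement.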
@@ -1,34 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_password_policy_uppercase",
"CheckTitle": "Ensure IAM password policy requires at least one uppercase letter",
"CheckTitle": "IAM password policy requires at least one uppercase letter",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM password policy requires at least one uppercase letter",
"Risk": "Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter.",
"Description": "**IAM account password policy** enforces the presence of **at least one uppercase letter** (`A-Z`) in IAM user passwords.\n\n*This evaluates whether the uppercase complexity rule is enabled for console passwords.*",
"Risk": "Without an uppercase requirement, passwords have lower entropy, enabling **brute force**, **credential stuffing**, and **offline cracking**. Compromised IAM users can access the console, threatening **confidentiality** (data exposure), **integrity** (unauthorized changes), and **availability** (resource deletion).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-account-password-policy --require-uppercase-characters",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::IAM::AccountPasswordPolicy\n Properties:\n RequireUppercaseCharacters: true # Critical: enforce at least one uppercase letter\n```",
"Other": "1. In the AWS Console, go to IAM\n2. Open Account settings > Password policy > Edit\n3. Check \"Require at least one uppercase letter (A-Z)\"\n4. Click Save changes",
"Terraform": "```hcl\nresource \"aws_iam_account_password_policy\" \"<example_resource_name>\" {\n require_uppercase_characters = true # Critical: enforce at least one uppercase letter\n}\n```"
},
"Recommendation": {
"Text": "Ensure \"Requires at least one uppercase letter\" is checked under \"Password Policy\".",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html"
"Text": "Enable the uppercase rule within a **strong password policy** that also requires length, lowercase, numbers, and symbols. Pair with **MFA** and **least privilege** to reduce blast radius. Regularly review policy effectiveness and prefer **federated SSO** to minimize long-lived IAM passwords.",
"Url": "https://hub.prowler.com/check/iam_password_policy_uppercase"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
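Review bot: `"CheckType"` here adds `NIST 800-53 Controls (USA)` and `PCI-DSS`, which none of the other three character-class hunks in this commit do, although those frameworks treat the four complexity requirements alike; align the mapping across the set or explain the asymmetry in `"Notes"`. The `"Description"` is also the only one written as two paragraphs (`\n\n*This evaluates...*`), and its second sentence restates the first; the single-sentence form used by the sibling checks reads cleaner.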
@@ -1,35 +1,43 @@
{
"Provider": "aws",
"CheckID": "iam_policy_allows_privilege_escalation",
"CheckTitle": "Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation",
"CheckTitle": "Customer managed IAM policy does not allow actions that can lead to privilege escalation",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"TTPs/Privilege Escalation"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation",
"Risk": "Users with some IAM permissions are allowed to elevate their privileges up to administrator rights.",
"Description": "**Customer-managed IAM policies** are evaluated for **permissions that enable privilege escalation**, including creating or updating policies, altering role trust, attaching higher-privilege policies, or using `iam:PassRole` to obtain broader access.",
"Risk": "**Privilege-escalation permissions** let principals assume higher-privilege roles or attach admin policies, impacting:\n- **Confidentiality** via unauthorized data access/exfiltration\n- **Integrity** by modifying policies, configs, or logs\n- **Availability** through resource deletion or disabling controls",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
"https://bishopfox.com/blog/privilege-escalation-in-aws",
"https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py",
"https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam create-policy-version --policy-arn <example_resource_id> --set-as-default --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"*\",\"Resource\":\"*\"}]}'",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::IAM::ManagedPolicy\n Properties:\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Deny # Critical: Denies all actions so the policy cannot allow privilege escalation\n Action: \"*\"\n Resource: \"*\"\n```",
"Other": "1. In the AWS Console, go to IAM > Policies\n2. Open the customer managed policy showing FAIL\n3. Click Edit policy > JSON\n4. Remove any Allow statements that enable privilege-escalation actions (for example broad wildcards like \"iam:*\" or actions such as creating/updating/attaching policies, PassRole, or AssumeRole on wildcards)\n5. Save changes so the policy no longer allows those actions\n6. Re-run the check to confirm it passes",
"Terraform": "```hcl\nresource \"aws_iam_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n # Critical: Deny all actions so the policy cannot allow privilege escalation\n policy = jsonencode({\n Version = \"2012-10-17\",\n Statement = [{\n Effect = \"Deny\",\n Action = \"*\",\n Resource = \"*\"\n }]\n })\n}\n```"
},
"Recommendation": {
"Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
"Text": "Apply **least privilege** to customer policies:\n- Avoid wildcards in `Action` and `Resource`\n- Remove or tightly scope `iam:PassRole`, policy attach/update, and trust-policy changes\n- Use conditions like `iam:PassedToService` and tags to constrain use\n- Enforce **permissions boundaries** and **SCPs**\n- Separate duties with change review",
"Url": "https://hub.prowler.com/check/iam_policy_allows_privilege_escalation"
}
},
"Categories": [
"privilege-escalation"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
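Review bot: the `"CLI"` remediation (`aws iam create-policy-version ... --set-as-default` with a `Deny * *` document) and the matching CloudFormation and Terraform snippets do not remediate the finding so much as destroy the policy: every principal attached to it loses everything the policy granted, and a Deny-all managed policy is dead weight. The `"Other"` steps already describe the right fix (remove or scope the offending `iam:*`, PassRole and attach/update-policy statements); the code fields should show that instead, for example a new version with the escalation actions removed or `iam:PassRole` constrained by `iam:PassedToService`. Two practical caveats belong in `"Notes"`, which this hunk does not carry: a managed policy holds at most 5 versions, so `create-policy-version` fails until an old one is deleted, and the same actions granted inline or through AWS managed policies are outside this check's scope. Separately, `"Categories"` replaces `privilege-escalation` with `identity-access`; the old tag is the more specific one and is what a user filtering for escalation paths will look for, so keep both rather than swapping.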
@@ -1,34 +1,40 @@
{
"Provider": "aws",
"CheckID": "iam_policy_attached_only_to_group_or_roles",
"CheckTitle": "Ensure IAM policies are attached only to groups or roles",
"CheckTitle": "IAM user has no inline or attached policies",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsIamPolicy",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Ensure IAM policies are attached only to groups or roles",
"Risk": "By default IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.",
"Description": "**IAM users** have identity-based policies attached directly (managed or inline) instead of inheriting permissions via **groups** or **roles**.",
"Risk": "Directly attached user policies hinder centralized control and cause privilege creep. If a user is compromised, excessive rights enable data exposure, resource tampering, and lateral movement, harming **confidentiality** and **integrity**. Revocation is error-prone, weakening **separation of duties** and auditability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"NativeIaC": "```yaml\n# CloudFormation: ensure IAM user has no policies\nResources:\n <example_resource_name>:\n Type: AWS::IAM::User\n Properties:\n UserName: <example_resource_name>\n ManagedPolicyArns: [] # CRITICAL: empty list detaches all managed (attached) policies\n Policies: [] # CRITICAL: empty list removes all inline policies\n```",
"Other": "1. In AWS Console, go to IAM > Users and select the target user\n2. Open the Permissions tab\n3. Under Permissions policies, remove each attached policy\n4. Under Inline policies, delete each inline policy\n5. Confirm changes; the user should show no inline or attached policies",
"Terraform": ""
},
"Recommendation": {
"Text": "Remove any policy attached directly to the user. Use groups or roles instead.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
"Text": "Assign permissions to **groups** (humans) and **roles** (workloads); avoid user-attached policies. Enforce **least privilege**, prefer federation and temporary credentials, and use tags or **permissions boundaries** to constrain scope. Review regularly to remove direct user policies and right-size access.",
"Url": "https://hub.prowler.com/check/iam_policy_attached_only_to_group_or_roles"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "CAF Security Epic: IAM"
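Review bot: the CloudFormation comment on the new `"NativeIaC"` line of iam_policy_attached_only_to_group_or_roles overstates what `ManagedPolicyArns: []` and `Policies: []` do. On `AWS::IAM::User` those properties only govern attachments the stack itself created; a policy attached through the console or `aws iam attach-user-policy` outside the stack is untouched, so a user can still fail this check with that exact template deployed. Reword the comments to "keeps this user free of template-managed policies" and put the direct remediation in the still-empty `"CLI"` field, e.g. `aws iam detach-user-policy --user-name <USER_NAME> --policy-arn <POLICY_ARN>` for attached policies and `aws iam delete-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>` for inline ones, listing them first with `list-attached-user-policies` and `list-user-policies`. The `"Terraform"` field is also left as `""` here while every other check in this change ships one.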
@@ -1,33 +1,40 @@
{
"Provider": "aws",
"CheckID": "iam_policy_cloudshell_admin_not_attached",
"CheckTitle": "Check if IAM identities (users,groups,roles) have the AWSCloudShellFullAccess policy attached.",
"CheckTitle": "No IAM users, groups, or roles have the AWSCloudShellFullAccess policy attached",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices/CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:iam::{account-id}:{resource-type}/{resource-id}",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.",
"Risk": "Attaching the AWSCloudShellFullAccess policy to IAM identities grants broad permissions, including internet access and file transfer capabilities, which can lead to security risks such as data exfiltration. The principle of least privilege should be followed to avoid excessive permissions.",
"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-blacklisted-check.html",
"Description": "**IAM identities** with the AWS managed policy `AWSCloudShellFullAccess` attached are identified across users, groups, and roles.\n\nThis indicates principals are granted `cloudshell:*` on `*`, enabling full CloudShell features, including environment startup and file transfer.",
"Risk": "Granting `cloudshell:*` enables an interactive shell with Internet egress and file upload/download, degrading **confidentiality** and **integrity**.\n\nCompromised principals can exfiltrate data, stage tooling with sudo, persist artifacts in CloudShell, and operate from AWS IP space to bypass endpoint controls.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-27",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/unapproved-iam-policy-in-use.html",
"https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-blacklisted-check.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html",
"https://icompaas.freshdesk.com/support/solutions/articles/62000233099-1-22-restrict-access-to-awscloudshellfullaccess-manual-"
],
"Remediation": {
"Code": {
"CLI": "aws iam detach-user/role/group-policy --user/role/group-name <user/role/group-name> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-27",
"Terraform": ""
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: ensure AWSCloudShellFullAccess is NOT attached to the IAM user\nResources:\n <example_resource_name>:\n Type: AWS::IAM::User\n Properties:\n ManagedPolicyArns: [] # Critical: empty list ensures AWSCloudShellFullAccess is not attached\n```",
"Other": "1. In the AWS console, go to IAM > Policies\n2. Search for AWSCloudShellFullAccess and open it\n3. Select the Entities attached tab\n4. Select all Users, Groups, and Roles listed\n5. Click Detach and confirm",
"Terraform": "```hcl\n# Terraform: ensure AWSCloudShellFullAccess is NOT attached\nresource \"aws_iam_user_policy_attachment\" \"<example_resource_name>\" {\n count = 0 # Critical: prevents creation, ensuring the policy is detached/not attached\n user = \"<example_resource_name>\"\n policy_arn = \"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\" # Denied policy\n}\n```"
},
"Recommendation": {
"Text": "Detach the AWSCloudShellFullAccess policy from the IAM identity to restrict excessive permissions and adhere to the principle of least privilege.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html"
"Text": "Detach `AWSCloudShellFullAccess` from identities.\n\nApply **least privilege**: permit CloudShell only when necessary via narrowly scoped permissions, restricted roles, short-lived sessions, and approvals. Prefer controlled alternatives (local CLI, bastion, or Session Manager). Enforce **separation of duties** and monitor usage.",
"Url": "https://hub.prowler.com/check/iam_policy_cloudshell_admin_not_attached"
}
},
"Categories": [
"trust-boundaries"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
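Review bot: three points on iam_policy_cloudshell_admin_not_attached. (1) `"CheckType"` loses the CIS mapping: the old `Software and Configuration Checks/AWS Security Best Practices/CIS AWS Foundations Benchmark` becomes plain `Software and Configuration Checks/AWS Security Best Practices`, although the retained AdditionalURL (`1-22-restrict-access-to-awscloudshellfullaccess`) shows the check maps to a CIS control and the sibling checks in this change use `Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark`; add that entry. (2) The old pseudo-command `aws iam detach-user/role/group-policy` was rightly removed, but `"CLI"` is now `""`; replace it with the real commands, one per identity type: `aws iam detach-user-policy --user-name <USER_NAME> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess` plus the `detach-group-policy --group-name` and `detach-role-policy --role-name` equivalents. (3) The `"Terraform"` example is a no-op: an `aws_iam_user_policy_attachment` with `count = 0` creates nothing and detaches nothing, so it cannot remediate an existing attachment. Either drop the field or show the attachment resource being removed from the configuration. The CloudFormation `ManagedPolicyArns: []` comment has the same limitation as in the previous file: it governs only template-managed attachments.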
@@ -1,34 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_policy_no_full_access_to_cloudtrail",
"CheckTitle": "Ensure IAM policies that allow full \"cloudtrail:*\" privileges are not created",
"CheckTitle": "Customer managed IAM policy does not allow cloudtrail:* privileges",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"TTPs/Defense Evasion"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM policies that allow full \"cloudtrail:*\" privileges are not created",
"Risk": "CloudTrail is a critical service and IAM policies should follow least privilege model for this service in particular",
"Description": "Custom IAM policies are reviewed for statements that grant **full CloudTrail access** via the `cloudtrail:*` wildcard, indicating unrestricted permission to all CloudTrail actions.",
"Risk": "Unrestricted CloudTrail control lets principals stop or alter logging, delete or modify trails, and query events.\n\nThis enables log evasion, audit tampering, and reconnaissance, undermining the **integrity**, **availability**, and **confidentiality** of audit evidence and detection.",
"RelatedUrl": "",
"AdditionalURLs": [
"http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
"https://support.icompaas.com/support/solutions/articles/62000233808-ensure-iam-policies-that-allow-full-cloudtrail-privileges-are-not-created"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam create-policy-version --policy-arn <example_policy_arn> --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"cloudtrail:DescribeTrails\",\"Resource\":\"*\"}]}' --set-as-default",
"NativeIaC": "```yaml\n# CloudFormation managed policy without CloudTrail wildcard access\nResources:\n <example_resource_name>:\n Type: AWS::IAM::ManagedPolicy\n Properties:\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action: cloudtrail:DescribeTrails # Critical: replaces 'cloudtrail:*' with a specific action to remove full access\n Resource: \"*\"\n```",
"Other": "1. In the AWS Console, go to IAM > Policies\n2. Open the custom managed policy that contains Action: \"cloudtrail:*\"\n3. Click Edit JSON\n4. Replace \"cloudtrail:*\" with only the specific CloudTrail actions needed (e.g., \"cloudtrail:DescribeTrails\" or \"cloudtrail:LookupEvents\"), or remove CloudTrail actions entirely\n5. Save changes to create/set the new default policy version\n6. Verify the policy no longer contains \"cloudtrail:*\"",
"Terraform": "```hcl\n# IAM policy without CloudTrail wildcard access\nresource \"aws_iam_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Action = \"cloudtrail:DescribeTrails\" # Critical: replaces 'cloudtrail:*' with a specific action, removing full access\n Resource = \"*\"\n }]\n })\n}\n```"
},
"Recommendation": {
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
"Text": "Apply **least privilege**: avoid `cloudtrail:*` and allow only required actions.\n\nEnforce **separation of duties** for trail management. Use **permissions boundaries** or **SCPs** to block broad CloudTrail access, and validate policies regularly to refine scopes.",
"Url": "https://hub.prowler.com/check/iam_policy_no_full_access_to_cloudtrail"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
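Review bot: the new `"CLI"` remediation for iam_policy_no_full_access_to_cloudtrail (`aws iam create-policy-version ... --set-as-default`) fails with a limit error once the customer managed policy already has five versions, which is the normal state for a policy edited over time; add a step, or a note in `"Other"` step 5, to delete a non-default version first with `aws iam delete-policy-version --policy-arn <POLICY_ARN> --version-id <VERSION_ID>`. Also `--set-as-default` makes the new document live immediately for every principal the policy is attached to, so the replacement action list (`cloudtrail:DescribeTrails` in all three examples) should be labelled as a placeholder to fill from the policy's actual usage, not as the recommended grant; the `"Other"` step 4 already says this, the code comments do not. Minor: the first `"AdditionalURLs"` entry is still `http://` for docs.aws.amazon.com.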
@@ -1,34 +1,43 @@
{
"Provider": "aws",
"CheckID": "iam_policy_no_full_access_to_kms",
"CheckTitle": "Ensure IAM policies that allow full \"kms:*\" privileges are not created",
"CheckTitle": "Custom IAM policy does not allow 'kms:*' privileges",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"Effects/Data Exposure",
"Effects/Data Destruction",
"TTPs/Privilege Escalation"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure IAM policies that allow full \"kms:*\" privileges are not created",
"Risk": "KMS is a critical service and IAM policies should follow least privilege model for this service in particular",
"Description": "**Customer-managed IAM policies** are examined for statements that grant **AWS KMS** full access using `kms:*`. The focus is on policies allowing service-wide actions rather than narrowly scoped, key-specific permissions.",
"Risk": "Allowing `kms:*` lets principals decrypt data, change key policies, and disable or delete keys. Impact: **Confidentiality**-unauthorized decryption; **Integrity**-manipulation of cryptographic controls; **Availability**-data unreadable if keys are disabled/deleted. It can also enable privilege escalation.",
"RelatedUrl": "",
"AdditionalURLs": [
"http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
"https://docs.aws.amazon.com/it_it/prescriptive-guidance/latest/encryption-best-practices/kms.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam create-policy-version --policy-arn <POLICY_ARN> --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"kms:Encrypt\"],\"Resource\":\"arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<KEY_ID>\"}]}' --set-as-default",
"NativeIaC": "```yaml\n# CloudFormation: customer managed policy without kms:* full access\nResources:\n <example_resource_name>:\n Type: AWS::IAM::ManagedPolicy\n Properties:\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Action:\n - kms:Encrypt # FIX: remove 'kms:*'; allow only specific KMS action\n Resource: arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<example_resource_id> # FIX: scope to a specific key\n```",
"Other": "1. In the AWS Console, open IAM > Policies\n2. Find the custom policy that allows kms:* and choose Edit policy > JSON\n3. Replace any \"Action\": \"kms:*\" (or [\"kms:*\"]) with only required actions (e.g., [\"kms:Encrypt\"]) and, if possible, set \"Resource\" to a specific key ARN\n4. Save changes (a new default policy version is created)\n5. Re-run the check to confirm it passes",
"Terraform": "```hcl\n# Customer managed policy without kms:* full access\nresource \"aws_iam_policy\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Action = [\"kms:Encrypt\"] # FIX: remove 'kms:*'; allow only specific KMS action\n Resource = \"arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<example_resource_id>\" # FIX: scope to a specific key\n }]\n })\n}\n```"
},
"Recommendation": {
"Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
"Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
"Text": "Adopt **least privilege** and **separation of duties**:\n- Replace `kms:*` with only needed actions scoped to specific key ARNs\n- Apply policy conditions (e.g., `kms:ViaService`) and guardrails (permissions boundaries/SCPs)\n- Monitor KMS usage and refine access based on activity",
"Url": "https://hub.prowler.com/check/iam_policy_no_full_access_to_kms"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
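Review bot: the second `"AdditionalURLs"` entry for iam_policy_no_full_access_to_kms is the Italian-localised copy of the guide (`/it_it/` in the path); point it at `https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/kms.html`. On content, the new `"Risk"` text should carry the key-policy caveat: an identity policy with `kms:*` only reaches keys whose key policy delegates to IAM (the default key policy's account-root statement does this), so the finding means full access to every such key in the account rather than unconditional control of all keys, including keys whose policy was tightened. The `"CLI"` line shares the five-version `create-policy-version` limit raised on the CloudTrail check and needs the same `delete-policy-version` step. Title wording also drifts between siblings: `Custom IAM policy` here versus `Customer managed IAM policy` for CloudTrail; pick one.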
@@ -1,31 +1,39 @@
{
"Provider": "aws",
"CheckID": "iam_role_administratoraccess_policy",
"CheckTitle": "Ensure IAM Roles do not have AdministratorAccess policy attached",
"CheckType": [],
"CheckTitle": "IAM role does not have AdministratorAccess policy attached",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsIamRole",
"ResourceGroup": "IAM",
"Description": "Ensure IAM Roles do not have AdministratorAccess policy attached",
"Risk": "The AWS-managed AdministratorAccess policy grants all actions for all AWS services and for all resources in the account and as such exposes the customer to a significant data leakage threat. It should be granted very conservatively. For granting access to 3rd party vendors, consider using alternative managed policies, such as ViewOnlyAccess or SecurityAudit.",
"RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator",
"Description": "**IAM roles** (excluding service roles) are evaluated for attachment of the AWS-managed `AdministratorAccess` policy.\n\nAttachment indicates the role holds unrestricted permissions across services and resources.",
"Risk": "Granting full administrative permissions on a role undermines confidentiality, integrity, and availability. If the role is assumed or its credentials are stolen, an attacker can read sensitive data, change policies, disable auditing, delete resources and backups, and create new privileged identities, enabling swift account takeover.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess",
"NativeIaC": "```yaml\n# CloudFormation: IAM Role without AdministratorAccess\nResources:\n <example_resource_name>:\n Type: AWS::IAM::Role\n Properties:\n AssumeRolePolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n Service: ec2.amazonaws.com\n Action: sts:AssumeRole\n ManagedPolicyArns: [] # Critical: ensure AdministratorAccess is NOT attached to this role\n```",
"Other": "1. In the AWS Console, go to IAM > Roles\n2. Select the role flagged by the check\n3. On the Permissions tab, under Attached policies, find \"AdministratorAccess\"\n4. Click Detach next to \"AdministratorAccess\"\n5. Confirm the detach",
"Terraform": "```hcl\n# IAM Role without AdministratorAccess\nresource \"aws_iam_role\" \"<example_resource_name>\" {\n assume_role_policy = <<POLICY\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [{\n \"Effect\": \"Allow\",\n \"Principal\": {\"Service\": \"ec2.amazonaws.com\"},\n \"Action\": \"sts:AssumeRole\"\n }]\n}\nPOLICY\n\n managed_policy_arns = [] # Critical: ensures \"AdministratorAccess\" is NOT attached\n}\n```"
},
"Recommendation": {
"Text": "Apply the principle of least privilege. Instead of AdministratorAccess, assign only the permissions necessary for specific roles and tasks. Create custom IAM policies with minimal permissions based on the principle of least privilege.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
"Text": "Apply **least privilege**: avoid attaching `AdministratorAccess` to roles. Grant only task-scoped permissions with custom policies and enforce **separation of duties**.\n\nUse **permissions boundaries**, **SCPs**, and policy conditions to constrain power. Require MFA for break-glass admins, time-bound elevation with approval, and refine access using **Access Analyzer**.",
"Url": "https://hub.prowler.com/check/iam_role_administratoraccess_policy"
}
},
"Categories": [
"trust-boundaries"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
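Review bot: the `"Terraform"` example for iam_role_administratoraccess_policy relies on `managed_policy_arns` on `aws_iam_role`, an argument recent AWS provider releases mark deprecated in favour of `aws_iam_role_policy_attachment`, and the two IaC examples do not behave the same way: Terraform's argument is exclusive and will detach policies attached out of band, while `ManagedPolicyArns: []` on `AWS::IAM::Role` only governs template-managed attachments, so the CloudFormation comment "ensure AdministratorAccess is NOT attached to this role" is too strong. Suggest dropping `managed_policy_arns` and showing an `aws_iam_role_policy_attachment` pointing at a scoped customer managed policy, which is also what the Recommendation text asks for. Separately, the new `"Description"` says service roles are excluded while both IaC examples carry an `ec2.amazonaws.com` trust policy; if "service roles" means service-linked roles, say so, otherwise the examples contradict the stated scope.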
@@ -1,31 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_role_cross_account_readonlyaccess_policy",
"CheckTitle": "Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts",
"CheckType": [],
"CheckTitle": "IAM role does not grant ReadOnlyAccess to external AWS accounts",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"TTPs/Initial Access/Unauthorized Access",
"Effects/Data Exposure"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsIamRole",
"ResourceGroup": "IAM",
"Description": "Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts",
"Risk": "The AWS-managed ReadOnlyAccess policy is highly potent and exposes the customer to a significant data leakage threat. It should be granted very conservatively. For granting access to 3rd party vendors, consider using alternative managed policies, such as ViewOnlyAccess or SecurityAudit.",
"RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#awsmp_readonlyaccess",
"Description": "**IAM roles** are assessed for the AWS-managed **ReadOnlyAccess** policy combined with a trust policy that allows **external AWS principals** or `*`. This identifies roles that expose broad read permissions to other accounts.",
"Risk": "Granting **cross-account read access** can expose sensitive data and metadata, impacting **confidentiality**. External principals can read S3/DynamoDB contents and enumerate resources, policies, and logs, enabling targeted recon and easier **privilege escalation** paths.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#awsmp_readonlyaccess",
"https://support.icompaas.com/support/solutions/articles/62000233802-ensure-iam-roles-do-not-have-readonlyaccess-access-for-external-aws-accounts"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess",
"NativeIaC": "```yaml\n# CloudFormation snippet to prevent cross-account access on a role\nResources:\n <example_resource_name>:\n Type: AWS::IAM::Role\n Properties:\n AssumeRolePolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n AWS: arn:aws:iam::<example_account_id>:root # Critical: restrict trust to this account only to avoid cross-account access\n Action: sts:AssumeRole\n```",
"Other": "1. Open the AWS Management Console > IAM > Roles\n2. Select the role granting external access\n3. On the Permissions tab, locate the policy ReadOnlyAccess\n4. Click Detach policy and confirm\n5. Verify the role no longer lists ReadOnlyAccess",
"Terraform": "```hcl\n# Terraform snippet to prevent cross-account access on a role\nresource \"aws_iam_role\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = {\n AWS = \"arn:aws:iam::<example_account_id>:root\" # Critical: trust only the same account to avoid cross-account access\n }\n Action = \"sts:AssumeRole\"\n }]\n })\n}\n```"
},
"Recommendation": {
"Text": "Remove the AWS-managed ReadOnlyAccess policy from all roles that have a trust policy, including third-party cloud accounts, or remove third-party cloud accounts from the trust policy of all roles that need the ReadOnlyAccess policy.",
"Url": "https://docs.securestate.vmware.com/rule-docs/aws-iam-role-cross-account-readonlyaccess-policy"
"Text": "Avoid attaching `ReadOnlyAccess` to roles trusted by other accounts. Apply **least privilege** with custom, tightly scoped policies. Restrict trust to explicit principals, avoid `*`, and use conditions like `aws:PrincipalOrgID` and `sts:ExternalId` for **defense in depth**.",
"Url": "https://hub.prowler.com/check/iam_role_cross_account_readonlyaccess_policy"
}
},
"Categories": [
"trust-boundaries"
"trust-boundaries",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
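Review bot: the IaC examples for iam_role_cross_account_readonlyaccess_policy fix a different problem than the `"CLI"` line. The CloudFormation and Terraform snippets rewrite the trust policy to a same-account `:root` principal and never mention `ReadOnlyAccess`, so a role that legitimately needs cross-account access loses it, while a role that keeps its external principal still fails as long as `ReadOnlyAccess` stays attached. Make both paths explicit in the examples: (a) keep the external principal but attach a scoped customer managed policy instead of `ReadOnlyAccess`, adding `Condition: { StringEquals: { "sts:ExternalId": "<EXTERNAL_ID>" } }` as the Recommendation text already suggests; or (b) remove the external principal. The new `"Risk"` line is right that `ReadOnlyAccess` reads data (it includes `s3:Get*` and the DynamoDB read actions), which is exactly why the old text pointed at `ViewOnlyAccess` or `SecurityAudit` as alternatives; that pointer is worth keeping in the Recommendation rather than dropping.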
@@ -1,30 +1,40 @@
{
"Provider": "aws",
"CheckID": "iam_role_cross_service_confused_deputy_prevention",
"CheckTitle": "Ensure IAM Service Roles prevents against a cross-service confused deputy attack",
"CheckType": [],
"CheckTitle": "IAM service role prevents cross-service confused deputy attack",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"TTPs/Privilege Escalation"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsIamRole",
"ResourceGroup": "IAM",
"Description": "Ensure IAM Service Roles prevents against a cross-service confused deputy attack",
"Risk": "Allow attackers to gain unauthorized access to resources",
"Description": "**IAM service role** trust policies restrict **AWS service principals** to expected sources using global condition keys like `aws:SourceArn` or `aws:SourceAccount`, avoiding overly broad `sts:AssumeRole` trust relationships.",
"Risk": "Unrestricted service-principal trust lets outsiders trigger a **cross-service confused deputy**, causing unintended `sts:AssumeRole`.\nThis can enable data exfiltration, unauthorized changes, and lateral movement, impacting **confidentiality** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html",
"https://aws.amazon.com/blogs/security/how-to-set-up-least-privilege-access-to-your-encrypted-amazon-sqs-queue/",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention",
"https://docs.aws.amazon.com/textract/latest/dg/cross-service-confused-deputy-prevention.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-assume-role-policy --role-name <example_resource_name> --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"<service>.amazonaws.com\"},\"Action\":\"sts:AssumeRole\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"<ACCOUNT_ID>\"}}}]}'",
"NativeIaC": "```yaml\n# CloudFormation: IAM role trust policy with confused deputy protection\nResources:\n <example_resource_name>:\n Type: AWS::IAM::Role\n Properties:\n AssumeRolePolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n Service: <service>.amazonaws.com\n Action: sts:AssumeRole\n Condition:\n StringEquals:\n aws:SourceAccount: <ACCOUNT_ID> # CRITICAL: restricts the service to calls from this account to prevent cross-service confused deputy\n```",
"Other": "1. In the AWS console, go to IAM > Roles\n2. Open <example_resource_name> and select the Trust relationships tab\n3. Click Edit trust policy\n4. In the statement for Principal Service \"<service>.amazonaws.com\", add a Condition block:\n - StringEquals: aws:SourceAccount = <ACCOUNT_ID>\n5. Save changes\n6. Re-run the check to confirm the role now prevents cross-service confused deputy attacks",
"Terraform": "```hcl\n# IAM role trust policy with confused deputy protection\nresource \"aws_iam_role\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n # CRITICAL: Condition restricts service to this account to prevent cross-service confused deputy\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Principal = { Service = \"<service>.amazonaws.com\" }\n Action = \"sts:AssumeRole\"\n Condition = {\n StringEquals = { \"aws:SourceAccount\" = \"<ACCOUNT_ID>\" }\n }\n }\n ]\n })\n}\n```"
},
"Recommendation": {
"Text": "To mitigate cross-service confused deputy attacks, it's recommended to use the aws:SourceArn and aws:SourceAccount global condition context keys in your IAM role trust policies. If the role doesn't support these fields, consider implementing alternative security measures, such as defining more restrictive resource-based policies or using service-specific trust policies, to limit the role's permissions and exposure. For detailed guidance, refer to AWS's documentation on preventing cross-service confused deputy issues.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention"
"Text": "Constrain service-role trust to expected callers using `aws:SourceArn`/`aws:SourceAccount` to bind service principals to specific resources or accounts. If unsupported, apply equivalent limits in resource-based policies or org-level controls. Apply **least privilege** and review trust relationships regularly.",
"Url": "https://hub.prowler.com/check/iam_role_cross_service_confused_deputy_prevention"
}
},
"Categories": [
"identity-access",
"trust-boundaries"
],
"DependsOn": [],
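Review bot: the console steps and the Terraform example only add `aws:SourceAccount`, while the Recommendation text in this same hunk calls for `aws:SourceArn`/`aws:SourceAccount`; `aws:SourceAccount` alone still lets the service assume the role on behalf of any resource in that account, so the example should show `aws:SourceArn` (or an `ArnLike` pattern) alongside it where the calling service supports it. Also, `resource "aws_iam_role" "<example_resource_name>"` is not a valid Terraform resource label (labels allow only letters, digits, underscores and dashes); use a plain label such as `example`, as the SecurityAudit template in this PR does, and keep the placeholder only in the `name` argument.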
@@ -1,35 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_root_credentials_management_enabled",
"CheckTitle": "Ensure centralized root credentials management is enabled",
"CheckType": [],
"CheckTitle": "AWS Organization has centralized root credentials management enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Other",
"ResourceGroup": "IAM",
"Description": "Checks if centralized management of root credentials for member accounts in AWS Organizations is enabled. This ensures that root credentials are managed centrally, reducing the risk of unauthorized access or mismanagement.",
"Risk": "Without centralized root credentials management, member accounts retain full control over their root user credentials, increasing the risk of credential misuse, mismanagement, or compromise.",
"RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user-access-management",
"Description": "**AWS Organizations** uses **centralized root credentials management** to control root user credentials across member accounts.\n\nThis finding evaluates whether the organization has enabled the `RootCredentialsManagement` feature to centrally govern presence and recovery of root passwords, access keys, signing certificates, and MFA.",
"Risk": "Without central control, member accounts can retain or recover long-term root credentials, weakening **confidentiality** and **integrity**.\n\nThreats include:\n- Account takeover via root email recovery\n- Persistent access through root keys\n- Unfixable lockouts from misconfigured policies\n- Bypass of **separation of duties**",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user-access-management",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html"
],
"Remediation": {
"Code": {
"CLI": "aws iam enable-organizations-root-credentials-management",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the AWS Management Console with the management account and open IAM\n2. In the left pane, select \"Root access management\" and click \"Enable\"\n3. In \"Capabilities to enable\", select only \"Root credentials management\"\n4. Click \"Enable\" to apply\n5. If prompted, enable trusted access for IAM in AWS Organizations and retry step 3",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable centralized management of root access for member accounts using the CLI or IAM console.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html"
"Text": "Enable centralized root access with **root credentials management** and assign a **delegated administrator**.\n\nApply **least privilege** and **separation of duties** by deleting long-term root credentials in members, limiting privileged tasks to short-lived sessions, enforcing **MFA**, and auditing root-related activity for **defense in depth**.",
"Url": "https://hub.prowler.com/check/iam_root_credentials_management_enabled"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [
"iam_root_hardware_mfa_enabled",
"iam_root_mfa_enabled",
"iam_no_root_access_key"
"Categories": [
"identity-access",
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "This check skips findings for member accounts as they cannot execute the ListOrganizationsFeatures API call, which is restricted to the management account or delegated administrators."
}
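Review bot: `RelatedTo` goes from listing `iam_root_hardware_mfa_enabled`, `iam_root_mfa_enabled` and `iam_no_root_access_key` to `[]`; unless that is deliberate, keep the three references, because the new `Description` and `Recommendation` still tie this check to root MFA and long-term root credentials, and the root MFA checks in this PR also ship with an empty `RelatedTo`, so the cross-link would be lost in both directions. Minor: the `Notes` field explains that member accounts are skipped because only the management account or a delegated administrator can call `ListOrganizationsFeatures`, which is useful context that the `Description` could mention in one clause so readers of the finding see why no result appears in member accounts.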
@@ -1,34 +1,40 @@
{
"Provider": "aws",
"CheckID": "iam_root_hardware_mfa_enabled",
"CheckTitle": "Ensure only hardware MFA is enabled for the root account",
"CheckTitle": "Root account has a hardware MFA device enabled",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Ensure only hardware MFA is enabled for the root account",
"Risk": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2 it is recommended that the root account be protected with only a hardware MFA.",
"Description": "**AWS root user** credentials are assessed for **MFA status** and device type. The check detects whether MFA is absent or implemented with a **virtual device** instead of **hardware MFA** on the root user, and notes when centralized root credential management is in effect.",
"Risk": "Without **hardware MFA** on the root user:\n- No MFA: stolen password/keys enable full account takeover.\n- Virtual MFA: device compromise or backup restoration weakens second-factor assurance.\nAn attacker could delete resources, change policies, and disable logging, harming **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/root-hardware-mfa.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the AWS Management Console as the root user\n2. Open My Security Credentials: https://console.aws.amazon.com/iam/home?#/security_credentials\n3. In the Multi-factor authentication (MFA) section, choose Activate/Assign MFA\n4. Select a hardware option (Security key or Hardware TOTP token) and complete the prompts (for TOTP: enter the device serial and two consecutive codes)\n5. After the hardware MFA is added, locate any Virtual MFA device listed for root and Deactivate/Remove it\n6. Confirm only the hardware MFA remains assigned",
"Terraform": ""
},
"Recommendation": {
"Text": "Using IAM console navigate to Dashboard and expand Activate MFA on your root account. If using AWS Organizations, consider enabling Centralized Root Management and removing individual root credentials.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa"
"Text": "Require a **hardware MFA token** for the root user and remove any virtual MFA. Apply **least privilege**: avoid using root, disable access keys, and eliminate long-term credentials. In organizations, **centralize root management**. Keep a controlled break-glass process with strict recovery checks and continuous monitoring.",
"Url": "https://hub.prowler.com/check/iam_root_hardware_mfa_enabled"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
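Review bot: step 5 of the `Other` remediation tells the user to deactivate or remove the virtual MFA device after adding the hardware one, but nothing says to confirm the hardware device signs in successfully first; removing the only working second factor from the root user is a lockout risk, so step 5 should be preceded by a verification step (sign out and back in with the hardware device) before the virtual device is removed. Also, the new `Description` says the check notes when centralized root credential management is in effect, yet `RelatedTo` stays `[]`; `iam_root_credentials_management_enabled` and `iam_root_mfa_enabled` are the natural references and would restore the links this PR drops from the root credentials check.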
@@ -1,34 +1,39 @@
{
"Provider": "aws",
"CheckID": "iam_root_mfa_enabled",
"CheckTitle": "Ensure MFA is enabled for the root account",
"CheckTitle": "Root account has MFA enabled",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Ensure MFA is enabled for the root account",
"Risk": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled when a user signs in to an AWS website they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. When virtual MFA is used for root accounts it is recommended that the device used is NOT a personal device but rather a dedicated mobile device (tablet or phone) that is managed to be kept charged and secured independent of any individual personal devices. (non-personal virtual MFA) This lessens the risks of losing access to the MFA due to device loss / trade-in or if the individual owning the device is no longer employed at the company.",
"Description": "**AWS root user** with active credentials is assessed for **MFA activation**. The evaluation considers whether the root identity has a password or access keys and whether **MFA is enabled**.\n\n*If centralized root access is enabled in Organizations, the presence of individual root credentials is also noted.*",
"Risk": "Without **MFA**, compromise of the root password or access keys can lead to full **account takeover**. An attacker with root can disable protections, steal or delete data, change billing, and create persistent admins, undermining confidentiality, integrity, and availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the AWS Management Console as the root user (choose \"Sign in as root user\" and enter the account email)\n2. Open the account menu (top right) and click \"Security credentials\"\n3. In \"Multi-factor authentication (MFA)\", choose \"Assign MFA device\" (or \"Activate MFA\")\n4. Select \"Authenticator app\" and click \"Next\"\n5. Scan the QR code with your authenticator app and enter two consecutive MFA codes\n6. Click \"Add MFA\" (or \"Assign MFA\") to complete",
"Terraform": ""
},
"Recommendation": {
"Text": "Using IAM console navigate to Dashboard and expand Activate MFA on your root account. If using AWS Organizations, consider enabling Centralized Root Management and removing individual root credentials.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa"
"Text": "Enable **MFA** for the root user, preferably **hardware-based** or a dedicated, managed device. Remove root access keys and avoid using root for daily tasks. Apply **least privilege** with IAM Identity Center for admins, and use Organizations to **centralize root access** and eliminate long-lived root credentials.",
"Url": "https://hub.prowler.com/check/iam_root_mfa_enabled"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
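Review bot: the `Other` steps only walk through the "Authenticator app" option, while the new `Recommendation` says root MFA should preferably be hardware-based and the removed `Risk` text carried the CIS caveat that a virtual root MFA must live on a dedicated, managed device rather than a personal phone; either keep that caveat in `Risk` or add the security key / hardware TOTP option to step 4 so the steps do not steer users toward the weaker choice. `RelatedTo` is still `[]` here; `iam_root_hardware_mfa_enabled` is the obvious reference, since the two checks evaluate the same root user.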
@@ -1,34 +1,40 @@
{
"Provider": "aws",
"CheckID": "iam_rotate_access_key_90_days",
"CheckTitle": "Ensure access keys are rotated every 90 days or less",
"CheckTitle": "IAM user does not have active access keys older than 90 days",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsIamAccessKey",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Ensure access keys are rotated every 90 days or less",
"Risk": "Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI)- Tools for Windows PowerShell- the AWS SDKs- or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
"Description": "**IAM user access keys** are assessed via the credential report. For each active key, the `last_rotated` timestamp is compared to `90 days`; keys exceeding this age are identified. Users without keys or with only recent rotations are noted.",
"Risk": "Long-lived access keys widen the attack window. If a key is leaked in code, logs, or tooling, lack of rotation keeps it valid for abuse, enabling unauthorized API calls, data exfiltration, and tampering. This degrades **confidentiality** and **integrity** and can impact **availability** and cost through destructive or excessive operations.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/access-keys-rotated-90-days.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "aws iam update-access-key --user-name <USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Inactive",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"Other": "1. Open the IAM console and go to Users\n2. Select the affected user\n3. Open the Security credentials tab\n4. Under Access keys, find any key older than 90 days\n5. Click Actions > Deactivate (or Delete) for that key\n6. Repeat for any other active keys older than 90 days",
"Terraform": "```hcl\nresource \"aws_iam_access_key\" \"<example_resource_name>\" {\n user = \"<example_resource_name>\"\n status = \"Inactive\" # Critical: disables the access key to ensure no active key is older than 90 days\n}\n```"
},
"Recommendation": {
"Text": "Use the credential report to ensure access_key_X_last_rotated is less than 90 days ago.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html"
"Text": "Apply **least privilege** and limit static credentials:\n- Rotate active access keys at or before `90 days`\n- Prefer **IAM roles** with short-lived tokens\n- Maintain only one active key during rotation; delete the old one\n- Monitor `last_used` and remove dormant keys\n- Automate alerts and periodic reviews of key age",
"Url": "https://hub.prowler.com/check/iam_rotate_access_key_90_days"
}
},
"Categories": [],
"Categories": [
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
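Review bot: the CLI and Terraform remediations only deactivate a key (`--status Inactive`, `status = "Inactive"`), which clears the finding but is not rotation, and the Terraform snippet as written declares a new `aws_iam_access_key` resource rather than acting on the existing old key; the `Other` steps should follow the order the new `Recommendation` itself gives (create the replacement key, update every consumer, deactivate the old key, verify nothing breaks, then delete it), otherwise a reader who follows the steps literally breaks the workloads that still use the key. Also, the `Description` refers to a `last_rotated` timestamp, whereas the credential report columns are `access_key_1_last_rotated` and `access_key_2_last_rotated` (the removed Recommendation text had `access_key_X_last_rotated`); using the real column names helps readers locate the value.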
@@ -1,34 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_securityaudit_role_created",
"CheckTitle": "Ensure a Security Audit role has been created to conduct security audits",
"CheckTitle": "At least one IAM role has the SecurityAudit AWS managed policy attached",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsIamRole",
"ResourceType": "AwsIamPolicy",
"ResourceGroup": "IAM",
"Description": "Ensure a Security Audit role has been created to conduct security audits",
"Risk": "Creating an IAM role with a security audit policy provides a clear separation of duties between the security team and other teams within the organization. This helps to ensure that security-related activities are performed by authorized individuals with the appropriate expertise and access permissions.",
"Description": "**IAM roles** with the AWS managed `SecurityAudit` policy (`arn:aws:iam::aws:policy/SecurityAudit`) are identified. The focus is on whether a role exists that grants read-only visibility into security-relevant configuration across AWS services.",
"Risk": "Without a dedicated **read-only audit role**, security teams lack safe visibility into configs and logs, enabling **undetected misconfigurations**, slower incident triage, and reliance on over-privileged access. This erodes **confidentiality** and **integrity** by letting exposure persist unnoticed.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/iam_example_iam_AttachRolePolicy_section.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam attach-role-policy --role-name <example_resource_name> --policy-arn arn:aws:iam::aws:policy/SecurityAudit",
"NativeIaC": "```yaml\n# CloudFormation: create a minimal IAM role with SecurityAudit attached\nResources:\n <example_resource_name>:\n Type: AWS::IAM::Role\n Properties:\n AssumeRolePolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n AWS: arn:aws:iam::<example_account_id>:root\n Action: sts:AssumeRole\n ManagedPolicyArns:\n - arn:aws:iam::aws:policy/SecurityAudit # CRITICAL: attaches the AWS managed SecurityAudit policy to this role, satisfying the check\n```",
"Other": "1. In the AWS Console, go to IAM > Roles\n2. Open any existing role that is appropriate for read-only security auditing\n3. Click \"Add permissions\" > \"Attach policies\"\n4. Search for \"SecurityAudit\", check the box for the AWS managed policy named SecurityAudit\n5. Click \"Add permissions\" to attach the policy (the account now has at least one role with SecurityAudit attached)",
"Terraform": "```hcl\n# Minimal IAM role plus attachment of the AWS managed SecurityAudit policy\nresource \"aws_iam_role\" \"example\" {\n name = \"<example_resource_name>\"\n assume_role_policy = <<POLICY\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": { \"AWS\": \"arn:aws:iam::<example_account_id>:root\" },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}\nPOLICY\n}\n\nresource \"aws_iam_role_policy_attachment\" \"security_audit\" {\n role = aws_iam_role.example.name\n policy_arn = \"arn:aws:iam::aws:policy/SecurityAudit\" # CRITICAL: attaches SecurityAudit to the role to pass the check\n}\n```"
},
"Recommendation": {
"Text": "Create an IAM role for conduct security audits with AWS.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor"
"Text": "Establish a dedicated **audit role** and attach the AWS managed `SecurityAudit` policy. Enforce **least privilege** and **separation of duties**: restrict who can assume it, require **MFA**, monitor usage, and avoid write permissions. Prefer **federated access** and regularly review and rotate access.",
"Url": "https://hub.prowler.com/check/iam_securityaudit_role_created"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
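Review bot: in the `NativeIaC` template, `<example_resource_name>:` is used as the CloudFormation logical ID, but logical IDs must be alphanumeric, so the placeholder (and most values a user would substitute, anything with underscores or dashes) fails template validation; use a fixed ID such as `ExampleRole:`, as the AWSSupportAccess template in this PR does, and keep the placeholder for `RoleName`. Separately, both the CloudFormation and Terraform trust policies allow `arn:aws:iam::<example_account_id>:root` to assume the role, i.e. any principal in the account, while the `Recommendation` says to "restrict who can assume it, require MFA"; a narrower principal plus a `Bool` condition on `aws:MultiFactorAuthPresent` in the example would match that advice. The `ResourceType` change from `AwsIamRole` to `AwsIamPolicy` is also worth confirming, since the title says the finding is about a role having the policy attached.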
@@ -1,34 +1,40 @@
{
"Provider": "aws",
"CheckID": "iam_support_role_created",
"CheckTitle": "Ensure a support role has been created to manage incidents with AWS Support",
"CheckTitle": "At least one IAM role has the AWSSupportAccess managed policy attached",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsIamRole",
"ResourceGroup": "IAM",
"Description": "Ensure a support role has been created to manage incidents with AWS Support",
"Risk": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
"Description": "Presence of an **IAM role** that has the AWS managed `AWSSupportAccess` policy attached, designating a support role for interacting with **AWS Support Center** and related tooling.",
"Risk": "Without a dedicated support role:\n- Case creation and escalation can be delayed, prolonging outages (**availability**)\n- Teams may use admin/root, increasing blast radius (**confidentiality/integrity**)\n- Audit trails of support actions are weaker, hindering investigations",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/support-role.html",
"https://icompaas.freshdesk.com/support/solutions/articles/62000081064-ensure-a-support-role-has-been-created-to-manage-incidents-with-aws-support",
"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSupportAccess.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam attach-role-policy --role-name <example_resource_name> --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess",
"NativeIaC": "```yaml\n# CloudFormation: create a role with AWS Support access\nResources:\n ExampleRole:\n Type: AWS::IAM::Role\n Properties:\n AssumeRolePolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n AWS: arn:aws:iam::<example_account_id>:user/<example_resource_name>\n Action: sts:AssumeRole\n ManagedPolicyArns:\n - arn:aws:iam::aws:policy/AWSSupportAccess # Critical: attaches AWS Support access so at least one role has this policy (PASS)\n```",
"Other": "1. In the AWS console, go to IAM > Roles\n2. Select any existing role you can use for support access\n3. Click Add permissions (or Attach policies)\n4. Search for \"AWSSupportAccess\" and select it\n5. Click Attach policies to save\n\nThis immediately ensures at least one role has the AWSSupportAccess managed policy (PASS).",
"Terraform": "```hcl\n# IAM role with AWS Support access\nresource \"aws_iam_role\" \"example_resource_name\" {\n name = \"example_resource_name\"\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\",\n Statement = [{\n Effect = \"Allow\",\n Principal = { AWS = \"arn:aws:iam::<example_account_id>:user/<example_resource_name>\" },\n Action = \"sts:AssumeRole\"\n }]\n })\n\n managed_policy_arns = [\n \"arn:aws:iam::aws:policy/AWSSupportAccess\" # Critical: ensures this role has AWSSupportAccess (PASS)\n ]\n}\n```"
},
"Recommendation": {
"Text": "Create an IAM role for managing incidents with AWS.",
"Url": "https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html"
"Text": "Create a dedicated IAM role for AWS Support with `AWSSupportAccess` and:\n- Restrict who can assume it; require MFA and time-bound access\n- Enforce **least privilege** and **separation of duties**\n- Monitor usage via audit logs and review assignments regularly",
"Url": "https://hub.prowler.com/check/iam_support_role_created"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "CAF Security Epic: IAM"
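Review bot: the Terraform example attaches the policy through the `managed_policy_arns` argument of `aws_iam_role`, which recent versions of the AWS provider mark as deprecated in favour of `aws_iam_role_policy_attachment`; the SecurityAudit template in this PR already uses the attachment resource, so use the same pattern here for consistency and to avoid the deprecation warning. Also, in this hunk `CheckType` loses the "AWS Foundational Security Best Practices" entry and `Severity` drops from `medium` to `low`, both unlike the neighbouring IAM checks; confirm both are deliberate. The "(PASS)" tags in the IaC comments and in the `Other` text read as checker output rather than remediation guidance and could be dropped.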
@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_user_accesskey_unused",
"CheckTitle": "Ensure unused User Access Keys are disabled",
"CheckTitle": "IAM user does not have unused access keys older than 45 days",
"CheckType": [
"Software and Configuration Checks"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Ensure unused User Access Keys are disabled",
"Risk": "To increase the security of your AWS account, remove IAM user credentials (that is, passwords and access keys) that are not needed. For example, when users leave your organization or no longer need AWS access.",
"Description": "**IAM users** are evaluated for **active access keys** whose `last-used` timestamp exceeds `max_unused_access_keys_days` (default `45`). Users without access keys, or whose keys were used within this window, are reported separately.",
"Risk": "Active yet unused keys expand the attack surface. If leaked, adversaries gain API access for data exfiltration, unauthorized changes, and resource abuse, harming **confidentiality**, **integrity**, and **availability**. Stale credentials also enable persistence and unexpected cost spikes.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/IAM/access-keys-rotated-45-days.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "aws iam update-access-key --user-name <USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Inactive",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the AWS console and open IAM\n2. Go to Users, select the affected user\n3. Open the Security credentials tab > Access keys\n4. For any key with Last used > 45 days, choose Deactivate (or Delete)\n5. Repeat for any additional unused keys over 45 days for the user",
"Terraform": ""
},
"Recommendation": {
"Text": "Find the credentials that they were using and ensure that they are no longer operational. Ideally, you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least, you should change the password or deactivate the access keys so that the former users no longer have access.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html"
"Text": "Disable or delete **unused access keys** promptly and prefer **IAM roles** with temporary credentials. Enforce **least privilege**, rotation, and time-bounded access. Monitor `last-used` metadata and automate deactivation of idle keys. Use federation/SSO to avoid long-lived user keys.",
"Url": "https://hub.prowler.com/check/iam_user_accesskey_unused"
}
},
"Categories": [],
"Categories": [
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
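Review bot: `AdditionalURLs` adds `https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/IAM/access-keys-rotated-45-days.html`, a staging host; every other check in this PR links the production `cloudoneconformity` path, so this reference should be switched to that (or dropped) before merge, as staging hosts are not a stable public reference for users of the finding. Also, the `CheckTitle` and the `Other` steps hardcode 45 days while the `Description` says the threshold is the configurable `max_unused_access_keys_days` (default `45`); noting in `Other` that 45 is the default, or phrasing the title around the configured threshold, avoids a mismatch for accounts that change the setting.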
@@ -1,30 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_user_administrator_access_policy",
"CheckTitle": "Ensure No IAM Users Have Administrator Access Policy",
"CheckType": [],
"CheckTitle": "IAM user does not have AdministratorAccess policy attached",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"TTPs/Privilege Escalation"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "high",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "This check ensures that no IAM users in your AWS account have the 'AdministratorAccess' policy attached. IAM users with this policy have unrestricted access to all AWS services and resources, which poses a significant security risk if misused.",
"Risk": "IAM users with administrator-level permissions can perform any action on any resource in your AWS environment. If these permissions are granted to users unnecessarily or to individuals without sufficient knowledge, it can lead to security vulnerabilities, data leaks, data loss, or unexpected charges.",
"RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html",
"Description": "**IAM users** are evaluated for a direct attachment of the AWS managed policy `AdministratorAccess`. The finding identifies identities where this policy appears among the user's attached policies.",
"Risk": "Assigning an IAM user full admin rights concentrates power in long-lived credentials. If compromised, attackers gain:\n- **Confidentiality**: read/export all data\n- **Integrity**: change configs, policies, code\n- **Availability**: delete resources, disrupt services\nAlso enables persistence and uncontrolled spend.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/admin-permissions.html",
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html",
|
||||
"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/admin-permissions.html",
|
||||
"NativeIaC": "```yaml\n# CloudFormation: ensure IAM user does NOT have AdministratorAccess attached\nResources:\n <example_resource_name>:\n Type: AWS::IAM::User\n Properties:\n ManagedPolicyArns: [] # Critical: empty list ensures 'AdministratorAccess' is NOT attached to this user\n```",
|
||||
"Other": "1. Sign in to the AWS Console and open IAM\n2. Go to Users and select the target user\n3. Open the Permissions tab\n4. In Attached policies (or Permissions policies), find AdministratorAccess\n5. Select it and click Detach policy (or Remove)\n6. Confirm to detach",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Replace the 'AdministratorAccess' policy with more specific permissions that follow the Principle of Least Privilege. Consider implementing IAM roles such as 'IAM Master' and 'IAM Manager' to manage permissions more securely.",
|
||||
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
|
||||
"Text": "Remove direct `AdministratorAccess` from users.\n- Apply **least privilege** with scoped policies\n- Use **federation** and **roles** for temporary admin access\n- Enforce **separation of duties** and approvals\n- Add guardrails (SCPs, permissions boundaries)\n- Require **MFA** and rotate any remaining long-lived credentials",
|
||||
"Url": "https://hub.prowler.com/check/iam_user_administrator_access_policy"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
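Review bot: the Remediation.Code block leaves `"Terraform": ""` empty while NativeIaC and Other were filled in for this check; the HCL counterpart of the CloudFormation example (an `aws_iam_user` with no `aws_iam_user_policy_attachment` for `arn:aws:iam::aws:policy/AdministratorAccess`) would keep all four remediation fields populated, as they are in the later hunks of this PR. Also, the CLI placeholder `<username>` differs from the `<example_resource_name>` convention used in the NativeIaC snippet, and the comment "empty list ensures 'AdministratorAccess' is NOT attached" only holds for policies declared in that template; it does not prevent an attachment made outside the stack, which is what the Description says the check detects.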
@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_user_console_access_unused",
"CheckTitle": "Ensure unused user console access are disabled",
"CheckTitle": "IAM user console access is disabled, used within the configured inactivity period, or never used",
"CheckType": [
"Software and Configuration Checks"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"TTPs/Initial Access"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Ensure unused user console access are disabled",
"Risk": "To increase the security of your AWS account, remove IAM user credentials (that is, passwords and access keys) that are not needed. For example, when users leave your organization or no longer need AWS access.",
"Description": "**IAM users** with console access are evaluated by `password_last_used`. Inactivity beyond `max_console_access_days` (default `45`) marks **stale console access**.\n\n*Users without console access are excluded*.",
"Risk": "**Dormant console credentials** stay valid and invite **password spraying**, **credential stuffing**, and breach reuse. Compromise yields interactive access for data discovery/exfiltration and unauthorized IAM or resource changes, degrading **confidentiality** and **integrity**, and risking **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam delete-login-profile --user-name <USER_NAME>",
"NativeIaC": "```yaml\n# CloudFormation: IAM user without console access\nResources:\n <example_resource_name>:\n Type: AWS::IAM::User\n Properties:\n UserName: <example_resource_name>\n # Critical: No LoginProfile property -> disables console access for the user\n```",
"Other": "1. Open the IAM console and go to Users\n2. Select the user\n3. Open the Security credentials tab\n4. Click Manage console access\n5. Select Disable console access and Save",
"Terraform": "```hcl\n# IAM user with console access disabled by not creating a login profile\nresource \"aws_iam_user\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n # Critical: Do not define aws_iam_user_login_profile for this user -> no console access\n}\n```"
},
"Recommendation": {
"Text": "Find the credentials that they were using and ensure that they are no longer operational. Ideally, you delete credentials if they are no longer needed. You can always recreate them at a later date if the need arises. At the very least, you should change the password or deactivate the access keys so that the former users no longer have access.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html"
"Text": "Remove or disable console passwords for users inactive beyond your window (e.g., `45` days). Prefer roles or federation over long-lived IAM users. Enforce **least privilege**, require **MFA** for remaining console users, and run periodic reviews and deprovisioning to prevent unused credentials.",
"Url": "https://hub.prowler.com/check/iam_user_console_access_unused"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
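Review bot: the new CheckTitle lists "never used" as a passing state, but the Description only says that inactivity beyond `max_console_access_days` marks stale console access and never states how a user whose `password_last_used` is empty is treated; add that sentence to the Description (or to Notes) so the title and the evaluation text agree. Minor: the Terraform snippet uses `<example_resource_name>` as the resource label in `resource "aws_iam_user" "<example_resource_name>"`, which is not a valid HCL identifier as written; keeping the placeholder only in `name` would read better.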
@@ -1,34 +1,43 @@
{
"Provider": "aws",
"CheckID": "iam_user_hardware_mfa_enabled",
"CheckTitle": "Check if IAM users have Hardware MFA enabled.",
"CheckTitle": "IAM user has hardware MFA enabled",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"TTPs/Initial Access",
"TTPs/Credential Access"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Check if IAM users have Hardware MFA enabled.",
"Risk": "Hardware MFA is preferred over virtual MFA.",
"Description": "**IAM users** are evaluated for **hardware MFA** enrollment, identifying physical tokens or security keys and distinguishing them from *virtual* or *SMS* MFA, as well as users without any MFA.",
"Risk": "Without **hardware MFA**, authentication is weaker:\n- **SIM-swap** can bypass SMS\n- **Phishing** can steal TOTP from virtual apps\n- No MFA allows password-only takeover\nThis enables unauthorized console/API access, causing data exfiltration (C), privilege abuse (I), and service disruption (A).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html",
"https://support.icompaas.com/support/solutions/articles/62000236278-ensure-iam-users-have-hardware-mfa-enabled"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the AWS Console and open IAM\n2. Go to Users > select <user> > Security credentials\n3. Under Multi-factor authentication (MFA), if a Virtual MFA device or SMS MFA is listed, choose Deactivate/Remove and confirm\n4. Click Assign MFA device\n5. Select Hardware TOTP token or Security key (FIDO2) and choose Next\n6. For Hardware TOTP: enter the device serial, then enter MFA code 1 and MFA code 2 from the token; for Security key: insert/tap the key and follow the prompts\n7. Choose Add/Save to complete",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable hardware MFA device for an IAM user from the AWS Management Console, the command line, or the IAM API.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html"
"Text": "Require **hardware-backed MFA** for all IAM users. Prefer **FIDO2 security keys** for phishing resistance over TOTP or SMS. Disallow SMS/virtual MFA for privileged roles. Enforce MFA for all access paths, apply **least privilege**, and provision multiple MFA devices per user for continuity.",
"Url": "https://hub.prowler.com/check/iam_user_hardware_mfa_enabled"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
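Review bot: `"CLI": ""`, `"NativeIaC": ""` and `"Terraform": ""` stay empty even though the Other steps spell out the hardware TOTP enrolment; the CLI field could carry the command-line form of steps 5 and 6, `aws iam enable-mfa-device --user-name <USER_NAME> --serial-number <SERIAL_NUMBER> --authentication-code1 <CODE1> --authentication-code2 <CODE2>`, so the check is not the only one in this PR without a CLI remediation. Also, the Severity change from medium to high is not explained anywhere; a short rationale in Notes would help whoever reviews the next metadata change.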
@@ -1,34 +1,42 @@
{
"Provider": "aws",
"CheckID": "iam_user_mfa_enabled_console_access",
"CheckTitle": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.",
"CheckTitle": "IAM user has MFA enabled for console access or no console password is set",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark",
"TTPs/Initial Access",
"TTPs/Credential Access"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.",
"Risk": "Unauthorized access to this critical account if password is not secure or it is disclosed in any way.",
"Description": "**IAM users** that have a console password are expected to have **multi-factor authentication** enabled. The evaluation identifies users who can sign in to the AWS Management Console but do not have an active MFA device associated.",
"Risk": "Without **MFA**, a stolen or brute-forced password grants full interactive access. Attackers can: - Change policies or keys - Exfiltrate data - Create backdoor users - Disable logging. This enables account takeover, threatens confidentiality and integrity, and can disrupt availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/iam-user-multi-factor-authentication-enabled.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam delete-login-profile --user-name <IAM_USER_NAME>",
"NativeIaC": "```yaml\n# CloudFormation: IAM user without a console password\nResources:\n IamUser:\n Type: AWS::IAM::User\n Properties:\n UserName: <example_resource_name>\n # Critical: Do NOT include the LoginProfile property.\n # Omitting LoginProfile ensures no console password is set, making the check pass.\n```",
"Other": "1. Sign in to the AWS Console and open IAM\n2. Go to Users and select the affected user\n3. Open the Security credentials tab\n4. Under Console sign-in, click Remove console password and confirm\n5. Verify that Console password shows Not enabled",
"Terraform": "```hcl\n# IAM user without console password\nresource \"aws_iam_user\" \"user\" {\n name = \"<example_resource_name>\"\n # Critical: Do NOT create an aws_iam_user_login_profile resource.\n # Without a login profile, no console password is set, so the check passes.\n}\n```"
},
"Recommendation": {
"Text": "Enable MFA for the user's account. MFA is a simple best practice that adds an extra layer of protection on top of your user name and password. Recommended to use hardware keys over virtual MFA.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html"
"Text": "Enforce **MFA** for all console-capable IAM users; prefer **phishing-resistant** authenticators (FIDO2/security keys) and register backups. Remove console passwords for users that don't need them and favor **federation/SSO**. Apply least privilege and require MFA for sensitive actions to prevent unauthorized changes.",
"Url": "https://hub.prowler.com/check/iam_user_mfa_enabled_console_access"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
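Review bot: all four remediation fields (CLI, NativeIaC, Other, Terraform) only show the "remove the console password" path, while the CheckTitle, Description and Recommendation make enabling MFA the primary fix; at least the CLI entry should show the MFA path (for example `aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number <MFA_DEVICE_SERIAL_OR_ARN> --authentication-code1 <CODE1> --authentication-code2 <CODE2>`) and present password removal as the alternative for users who do not need console access. Style: the Risk text inlines its list as ` - Change policies or keys - Exfiltrate data ...` on one line, whereas the other checks in this PR use `\n- ` bullets.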
@@ -1,34 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_user_no_setup_initial_access_key",
"CheckTitle": "Do not setup access keys during initial user setup for all IAM users that have a console password",
"CheckTitle": "IAM user does not have active access keys that have never been used",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsIamAccessKey",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Do not setup access keys during initial user setup for all IAM users that have a console password",
"Risk": "AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.",
"Description": "**IAM users** with a console password and active **access keys** that have `last_used` as `N/A` are identified.\n\nThis highlights accounts where programmatic credentials exist but have never been exercised.",
"Risk": "Active yet unused **access keys** expand the attack surface. If exposed, attackers gain programmatic access for unauthorized API calls, causing data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and service disruption (**availability**). Dormant keys also bloat credential inventory, delaying detection and rotation.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
"https://support.icompaas.com/support/solutions/articles/62000228293-ensure-there-is-only-one-active-access-key-available-for-any-single-iam-user"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam delete-access-key --user-name <example_resource_name> --access-key-id <example_resource_id>",
"NativeIaC": "```yaml\n# CloudFormation: ensure IAM access key is not active\nResources:\n AccessKey:\n Type: AWS::IAM::AccessKey\n Properties:\n UserName: \"<example_resource_name>\"\n Status: Inactive # Critical: disables the key so it isn't active and cannot be flagged as never used\n```",
"Other": "1. In the AWS Console, go to IAM > Users and select the user.\n2. Open the Security credentials tab.\n3. Under Access keys, find keys with Last used = N/A and Status = Active.\n4. Choose Deactivate or Delete for each such key.\n5. Save changes.",
"Terraform": "```hcl\n# Ensure IAM access key is not active\nresource \"aws_iam_access_key\" \"<example_resource_name>\" {\n user = \"<example_resource_name>\"\n status = \"Inactive\" # Critical: disables the key so it isn't active and cannot be flagged as never used\n}\n```"
},
"Recommendation": {
"Text": "From the IAM console: generate credential report and disable not required keys.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html"
"Text": "Apply **least privilege** to programmatic access:\n- Do not provision access keys by default for console users\n- Prefer **IAM roles** and temporary credentials\n- Require justification and time-bounded key creation\n- Regularly review usage and disable/delete unused keys\n- Limit to one active key per user and enforce rotation with monitoring",
"Url": "https://hub.prowler.com/check/iam_user_no_setup_initial_access_key"
}
},
"Categories": [],
"Categories": [
"identity-access",
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "CAF Security Epic: IAM"
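Review bot: the new CheckTitle ("IAM user does not have active access keys that have never been used") drops the console-password condition that the Description keeps ("**IAM users** with a console password and active **access keys** that have `last_used` as `N/A`"); either the title should carry that scope or the Description should match the title, otherwise users without a console password will be read as in scope when they are not. Also the NativeIaC and Terraform examples set `Status: Inactive` rather than removing the key, which leaves exactly the dormant credential the Risk text warns about in the inventory; the CLI entry and step 4 of Other already prefer deletion, so the IaC comments should at least say that deactivation is the interim option.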
@@ -1,34 +1,43 @@
{
"Provider": "aws",
"CheckID": "iam_user_two_active_access_key",
"CheckTitle": "Check if IAM users have two active access keys",
"CheckTitle": "IAM user has at most one active access key",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS AWS Foundations Benchmark"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Check if IAM users have two active access keys",
"Risk": "Access Keys could be lost or stolen. It creates a critical risk.",
"Description": "**IAM users** are evaluated for having **two `Active` access keys** simultaneously.\n\nThe check identifies users whose two access key slots are enabled at the same time.",
"Risk": "**Two active keys per user** widen exposure and weaken credential governance.\n- Any leaked key enables unauthorized API actions, risking data exfiltration and resource changes\n- Rotation and response become error-prone, allowing attacker persistence if one key remains unnoticed",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/unnecessary-access-keys.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id-credentials-access-keys-update.html",
"https://support.icompaas.com/support/solutions/articles/62000233813-ensure-iam-users-have-two-active-access-keys",
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam update-access-key --user-name <IAM_USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Inactive",
"NativeIaC": "```yaml\n# CloudFormation: set one IAM access key to Inactive to ensure only one active key\nResources:\n <example_resource_name>:\n Type: AWS::IAM::AccessKey\n Properties:\n UserName: <example_resource_name>\n Status: Inactive # Critical: deactivates this key so the user doesn't have 2 active keys\n```",
"Other": "1. In the AWS Console, go to IAM > Users\n2. Open the affected user and select the Security credentials tab\n3. In Access keys, find one of the two Active keys\n4. Click Actions > Deactivate on that key\n5. Verify only one key remains Active",
"Terraform": "```hcl\n# Deactivate one IAM access key so the user has at most one active key\nresource \"aws_iam_access_key\" \"<example_resource_name>\" {\n user = \"<example_resource_name>\"\n status = \"Inactive\" # Critical: deactivates this key to avoid 2 active keys\n}\n```"
},
"Recommendation": {
"Text": "Avoid using long lived access keys.",
"Url": "https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html"
"Text": "Maintain **one `Active` access key** per IAM user; permit only a brief overlap for rotation, then promptly deactivate and delete the old key. Prefer **temporary credentials** via roles/federation over long-lived keys. Apply **least privilege**, periodic rotation, and monitor for unused or aged keys.",
"Url": "https://hub.prowler.com/check/iam_user_two_active_access_key"
}
},
"Categories": [],
"Categories": [
"identity-access",
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
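Review bot: the Recommendation says a brief overlap during rotation is acceptable, but the Description flags any user whose two access key slots are both `Active`, so a user in the middle of a rotation will fail this check; a Notes entry (or one Description sentence) stating that this is expected and transient would avoid support questions. Also the AdditionalURLs entry ending in `ensure-iam-users-have-two-active-access-keys` reads as the opposite of what this check enforces; worth confirming the linked page before keeping it. Minor: `resource \"aws_iam_access_key\" \"<example_resource_name>\"` uses the placeholder as the HCL label, as in the other hunks.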
@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "iam_user_with_temporary_credentials",
"CheckTitle": "Ensure users make use of temporary credentials assuming IAM roles",
"CheckTitle": "IAM user does not use long-lived credentials to access services other than IAM or STS",
"CheckType": [
"Infrastructure Security"
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"TTPs/Credential Access"
],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:iam::account-id:user/user-name",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsIamUser",
"ResourceGroup": "IAM",
"Description": "Ensure users make use of temporary credentials assuming IAM roles",
"Risk": "As a best practice, use temporary security credentials (IAM roles) instead of creating long-term credentials like access keys, and don't create AWS account root user access keys.",
"RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html",
"Description": "IAM users are assessed for activity using **long-lived access keys**. Use of static credentials to access services other than IAM or STS indicates reliance on permanent keys instead of **temporary role-based credentials**.",
"Risk": "Persistent access keys enable attacker **persistence** and replay. Stolen keys allow off-network API calls for data exfiltration, privilege changes, and destructive actions, impacting **confidentiality**, **integrity**, and **availability**. Without expiry, the blast radius grows and containment is harder.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws iam put-user-policy --user-name <example_resource_name> --policy-name deny-non-iam-sts-with-long-term-creds --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"NotAction\":[\"iam:*\",\"sts:*\"],\"Resource\":\"*\",\"Condition\":{\"Null\":{\"aws:TokenIssueTime\":\"true\"}}}]}'",
"NativeIaC": "```yaml\n# Attach a policy to block long-term creds from accessing non-IAM/STS services\nResources:\n DenyLongTermNonIamSts:\n Type: AWS::IAM::Policy\n Properties:\n PolicyName: DenyNonIamStsWithLongTermCreds\n PolicyDocument:\n Version: '2012-10-17'\n Statement:\n - Effect: Deny\n NotAction:\n - iam:*\n - sts:*\n Resource: \"*\"\n Condition:\n Null:\n aws:TokenIssueTime: \"true\" # Critical: denies when no session token (i.e., long-lived creds)\n Users:\n - <example_resource_name> # Critical: attach to the affected IAM user\n```",
"Other": "1. In AWS Console, go to IAM > Users and select <example_resource_name>\n2. Open the Security credentials tab\n3. Under Access keys, deactivate and delete all active access keys\n4. Save changes\n5. Re-test: the user no longer has long-lived credentials to access non-IAM/STS services",
"Terraform": "```hcl\n# Attach an inline policy to block long-term creds from non-IAM/STS services\nresource \"aws_iam_user_policy\" \"deny_non_iam_sts_longterm\" {\n name = \"DenyNonIamStsWithLongTermCreds\"\n user = \"<example_resource_name>\" # Critical: target the affected IAM user\n\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Deny\"\n NotAction = [\"iam:*\", \"sts:*\"]\n Resource = \"*\"\n Condition = {\n Null = { \"aws:TokenIssueTime\" = \"true\" } # Critical: denies when no session token (long-lived creds)\n }\n }]\n })\n}\n```"
},
"Recommendation": {
"Text": "As a best practice, use temporary security credentials (IAM roles) instead of creating long-term credentials like access keys, and don't create AWS account root user access keys.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html"
"Text": "Adopt **temporary credentials** via IAM roles and federation for humans and workloads. Remove or restrict long-term keys; *if unavoidable*, apply **least privilege**, require **MFA**, rotate aggressively, and monitor usage. Prefer short session durations and session conditions to limit blast radius.",
"Url": "https://hub.prowler.com/check/iam_user_with_temporary_credentials"
}
},
"Categories": [],
"Categories": [
"identity-access",
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
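Review bot: the second CheckType entry, `Industry and Regulatory Standards/AWS Foundational Security Best Practices`, lacks the `Software and Configuration Checks/` prefix that the same entry carries in every other hunk of this PR, and the first entry adds a `/Runtime Behavior Analysis` suffix used nowhere else; align both with the format the other checks use. On the remediation, the CLI, NativeIaC and Terraform entries attach a Deny policy keyed on `Null: aws:TokenIssueTime = true`, which blocks long-term keys from non-IAM/STS actions but leaves the keys in place, while the Other steps delete the keys outright; the Recommendation text should say which of the two (restrict or remove) is the intended fix, and the Deny variant should note that the user keeps IAM and STS access with those keys.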