InSpec IAM control
# encoding: utf-8
# copyright: 2021, mk::labs
#
# InSpec profile for two account-level AWS IAM checks: MFA on every IAM user
# (minus an exemption list) and on the root user, and an account password
# policy with the expected complexity, expiry and reuse settings.
# Inputs read by the controls below: `exception_users_list` (usernames the MFA
# check skips) and `min_password_length` (lower bound for the policy, default 8).
title 'general AWS IAM account best practices'
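control 'All human users should have MFA enabled' do
  impact 0.7
  title 'Ensure there all human users have MFA enabled'
  desc 'Ensure there all human users have MFA enabled'
  tag "severity": 'high'
  tag "check": "Review your AWS console and note if any IAM users do not
have MFA device enabled"
  tag "fix": "Contact relevant user(s) so that they activate their MFA device"

  # Usernames exempted from the MFA requirement. The original read
  # `input('exception_users_list')` with no default; when the input is not
  # supplied the value is not an Array, so `include?` below would either raise
  # or — depending on the InSpec version's placeholder for unset inputs —
  # answer truthily and skip every user, letting the control pass vacuously.
  # An explicit empty default makes "unset" mean "no exemptions" (fail closed),
  # and `Array()` also accepts a single username given as a plain string.
  exception_users_list = Array(input('exception_users_list', value: []))

  aws_iam_users.usernames.each do |user|
    # Exempted users produce no test at all, so they are invisible in the
    # report; keep the exemption list short and reviewed.
    next if exception_users_list.include?(user)

    describe aws_iam_user(user) do
      it { should have_mfa_enabled }
    end
  end

  # The root user is checked separately from the IAM user list and cannot be
  # exempted.
  describe aws_iam_root_user do
    it { should have_mfa_enabled }
  end
end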
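control 'Account should have a strong password policy set' do
  impact 0.7
  title 'Ensure that password policy is setup'
  desc 'Ensure that password policy is setup'
  tag "severity": 'high'
  tag "check": "Review your AWS console and in IAM section check
if there is a password policy set"
  tag "fix": "Configure an account password policy"

  # Local variable instead of the original `MIN_PASSWORD_LENGTH = ...`: a
  # constant assigned inside the control block is defined on Object, i.e. it is
  # global to the whole InSpec run and emits "already initialized constant"
  # warnings if the profile is loaded more than once. `Integer()` lets a value
  # supplied as a string (e.g. from a CLI input) compare against the numeric
  # policy attribute and raises a clear error on a non-numeric value.
  # NOTE(review): the default of 8 is kept for compatibility; the CIS AWS
  # Foundations Benchmark recommends a minimum length of 14 — override via
  # the `min_password_length` input.
  min_password_length = Integer(input('min_password_length', value: 8))

  describe aws_iam_password_policy do
    # `exist` first: without a policy every other matcher is meaningless.
    it { should exist }
    it { should require_uppercase_characters }
    it { should require_lowercase_characters }
    it { should require_numbers }
    it { should require_symbols }
    its('minimum_password_length') { should be >= min_password_length }
    it { should expire_passwords }
    it { should allow_users_to_change_password }
    it { should prevent_password_reuse }
  end
end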