Add > Policy Pack > Root Account Access Usage #948
Pull Request Overview
This PR adds a new Policy Pack for comprehensive root account access monitoring in AWS IAM, expanding beyond the previous simple MFA check to include password and access key usage monitoring. It replaces the existing MFA-only policy pack with a more robust security monitoring solution.
- Replaces the simple MFA check policy pack with comprehensive root account monitoring
- Adds monitoring for password usage, access key 1 and 2 activity within 14-day windows
- Updates documentation to reflect the expanded scope from MFA-only to comprehensive access usage checks
Reviewed Changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| policy_packs/aws/iam/check_root_account_security_usage/policies.tf | New policy implementation with comprehensive root account monitoring including MFA, password, and access key checks |
| policy_packs/aws/iam/check_root_account_security_usage/README.md | Updated documentation reflecting the expanded scope from MFA-only to comprehensive access usage monitoring |
| policy_packs/aws/iam/check_mfa_is_enabled_for_root_accounts/policies.tf | Removed the old MFA-only policy implementation |
"title": "Access Key 2", | ||
"result": "Not approved", | ||
"message": "Access Key 2 was used within the last 14 days" | ||
} |
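Review bot: the three `"title": "Access Key 2"` objects in this file appear to sit in mutually exclusive branches, so only one of them is ever emitted; rather than appending a trailing comma inside each branch (as the suggestions below do), emit the separator once after the whole if/elif chain so the generated array stays valid no matter which branch fires and no dangling comma is produced after the final element.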
Missing comma after the JSON object. This will cause a syntax error in the generated JSON array as it's the last item but other blocks above have trailing commas.
} | |
}, |
Copilot uses AI. Check for mistakes.
"title": "Access Key 2", | ||
"result": "Approved", | ||
"message": "Access Key 2 not used in last 14 days" | ||
} |
Missing comma after the JSON object. This will cause a syntax error in the generated JSON array as it's the last item but other blocks above have trailing commas.
} | |
}, |
"title": "Access Key 2", | ||
"result": "Approved", | ||
"message": "Access Key 2 inactive or never used" | ||
} |
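Review bot: the message `"Access Key 2 inactive or never used"` folds two different states into one `Approved` result, while the PR description's last bullet asks to identify active keys that are unused but still present; split the branch so an inactive key and an active-but-never-used key produce distinguishable messages, otherwise that control cannot be reported from this output.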
Missing comma after the JSON object. This will cause a syntax error in the generated JSON array as it's the last item but other blocks above have trailing commas.
} | |
}, |
{# Password Usage Check #} | ||
{%- if $.root.passwordEnabled == "true" and $.root.passwordLastUsed -%} | ||
{%- set pwdMs = $.root.passwordLastUsed | date("getTime") -%} | ||
{%- if pwdMs > fourteenDaysAgo -%} |
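Review bot: `pwdMs` is an epoch value in milliseconds from `date("getTime")`, but `fourteenDaysAgo` is not defined in this hunk; confirm it is computed in the same unit, and consider handling a `passwordLastUsed` value that is present but not a parseable date explicitly (the truthiness check on line `{%- if $.root.passwordEnabled == "true" and $.root.passwordLastUsed -%}` only guards against an empty value), since a failed conversion would make the `>` comparison false and fall through to the approved branch.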
- If a password hasn’t been used for 14 days and the control is in ALARM, will it automatically transition to OK on the fifteenth day, or does it require a manual re-run?
- Similarly, if the control is in OK and the password gets used again, will it automatically re-trigger and move to ALARM?
If this requires manual execution in either case, controls might stay outdated, showing stale ALARM or OK states.
{%- if $.root.mfaActive == "true" -%} | ||
|
||
{%- set data = { | ||
"title": "MFA Enabled", |
Verifying whether root user MFA is enabled or not is a valid and important use case.
However, we should avoid modifying the existing policy pack that customers are already using.
For this specific use case (MFA + Password usage), please create a new, separate policy pack.
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
Added a new policy pack: Root Account Access Usage
This policy pack helps you enforce the following controls on IAM root accounts:
- Check and alert if MFA is not enabled
- Detect if the root password was used in the last 14 days
- Check if Access Key 1 or Access Key 2 was used within the last 14 days
- Identify active access keys that are unused but still present
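The four controls listed above, written out as an added Python example (not the policy pack's own template code): it evaluates a constructed, abridged IAM credential-report row using the AWS credential report's column names and placeholder values, applies the 14-day window, and returns both the per-control result and the active-but-unused keys the last bullet asks for.

```python
"""Evaluate the four root-account controls from the PR description against
an IAM credential-report row, using the PR's 14-day window. Column names
follow the AWS credential report CSV; the report text is constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=14)
# Placeholder strings the credential report emits instead of a timestamp.
NO_DATE = {"N/A", "no_information", "not_supported", ""}
# Constructed, abridged report: root has no MFA, used its password 10 days
# before NOW, and holds an active but never-used access key 1.
SAMPLE_REPORT = (
    "user,password_enabled,password_last_used,mfa_active,"
    "access_key_1_active,access_key_1_last_used_date,"
    "access_key_2_active,access_key_2_last_used_date\n"
    "<root_account>,not_supported,2024-06-10T12:00:00+00:00,false,"
    "true,N/A,false,N/A\n"
)
NOW = datetime(2024, 6, 20, tzinfo=timezone.utc)

def used_within(value, now):
    """True if value is a real timestamp inside the window; a sentinel
    (never used / no information) counts as not used, not as an error."""
    if value in NO_DATE:
        return False
    return now - datetime.fromisoformat(value) <= WINDOW

def evaluate_root(report_csv, now):
    """Return ({control: (approved, message)}, [active keys unused in the
    window]); the list backs the 'active but unused' control."""
    root = next(r for r in csv.DictReader(io.StringIO(report_csv))
                if r["user"] == "<root_account>")
    mfa = root["mfa_active"] == "true"
    results = {"MFA Enabled": (mfa, "MFA enabled" if mfa else "MFA not enabled")}
    pwd_used = used_within(root["password_last_used"], now)
    results["Password Usage"] = (not pwd_used, "Root password used within the last 14 days"
                                 if pwd_used else "Root password not used in last 14 days")
    stale_active = []
    for n in ("1", "2"):
        active = root[f"access_key_{n}_active"] == "true"
        used = used_within(root[f"access_key_{n}_last_used_date"], now)
        if not active:
            results[f"Access Key {n}"] = (True, f"Access Key {n} inactive or never used")
        elif used:
            results[f"Access Key {n}"] = (False, f"Access Key {n} was used within the last 14 days")
        else:  # active but silent for 14+ days: approved, yet flagged for removal
            stale_active.append(f"Access Key {n}")
            results[f"Access Key {n}"] = (True, f"Access Key {n} not used in last 14 days")
    return results, stale_active
```

Against the constructed row this reports MFA and password usage as not approved, both keys as approved, and lists Access Key 1 as an active key that should be reviewed for removal.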