IAM Policies

How to Use this Page

This page lists the AWS IAM policies that Bridgecrew helps you enforce. You can browse this page or search for a specific policy ID or short title. Click a policy's link for more details about that policy and its fix options.

Ensure using AWS Account root user is avoided
Policy ID: BC_AWS_IAM_1

Ensure MFA is enabled for all IAM users with a console password
Policy ID: BC_AWS_IAM_2

Ensure credentials unused for 90 days or greater are disabled
Policy ID: BC_AWS_IAM_3

Ensure access keys are rotated every 90 days or less
Policy ID: BC_AWS_IAM_4

Ensure AWS IAM password policy has an uppercase character
Policy ID: BC_AWS_IAM_5

Ensure AWS IAM password policy has a lowercase character
Policy ID: BC_AWS_IAM_6

Ensure AWS IAM password policy has a symbol
Policy ID: BC_AWS_IAM_7

Ensure AWS IAM password policy has a number
Policy ID: BC_AWS_IAM_8

Ensure AWS IAM password policy has a minimum of 14 characters
Policy ID: BC_AWS_IAM_9

Ensure AWS IAM password policy does not allow password reuse
Policy ID: BC_AWS_IAM_10

Ensure AWS IAM password policy expires in 90 days or less
Policy ID: BC_AWS_IAM_11

Ensure no root account access key exists
Policy ID: BC_AWS_IAM_12

Ensure MFA is enabled for root account
Policy ID: BC_AWS_IAM_13

Ensure hardware MFA for root account is enabled
Policy ID: BC_AWS_IAM_14

Ensure security questions are registered in the AWS account
Policy ID: BC_AWS_IAM_15

Ensure IAM policies are only attached to Groups and Roles
Policy ID: BC_AWS_IAM_16

Ensure detailed billing is enabled
Policy ID: BC_AWS_IAM_17

Ensure AWS account contact details are up to date
Policy ID: BC_AWS_IAM_18

Ensure security contact information is registered
Policy ID: BC_AWS_IAM_19

Ensure IAM instance roles are used for AWS resource access from instances
Policy ID: BC_AWS_IAM_20

Ensure an IAM role has been created to manage incidents with AWS Support
Policy ID: BC_AWS_IAM_21

Ensure access keys are not created during initial user setup for IAM users with a console password
Policy ID: BC_AWS_IAM_22

Ensure IAM policies that allow full administrative privileges are not created
Policy ID: BC_AWS_IAM_23

Ensure access keys are rotated every 30 days or less
Policy ID: BC_AWS_IAM_24

Ensure access keys are rotated every 45 days or less
Policy ID: BC_AWS_IAM_25

Ensure active access keys are used every 90 days or less
Policy ID: BC_AWS_IAM_29

Ensure IAM users that are inactive for 30 days or more are deactivated
Policy ID: BC_AWS_IAM_30

Ensure unused IAM Users and Roles are removed
Policy ID: BC_AWS_IAM_34

Ensure user accounts unused for 90 days are removed
Policy ID: BC_AWS_IAM_35

Ensure user accounts with administrative privileges unused for 90 days are removed
Policy ID: BC_AWS_IAM_36

Ensure user accounts with administrative privileges unused for 90 days are removed
Policy ID: BC_AWS_IAM_37

Ensure empty IAM groups are removed
Policy ID: BC_AWS_IAM_38

Ensure unattached policies are removed
Policy ID: BC_AWS_IAM_39

Ensure unused policies are detached from users
Policy ID: BC_AWS_IAM_40

Ensure unused policies are detached from roles
Policy ID: BC_AWS_IAM_41

Ensure unused policies are detached from groups
Policy ID: BC_AWS_IAM_42

Ensure IAM policy documents do not allow * (asterisk) as a statement's action
Policy ID: BC_AWS_IAM_43

Ensure IAM role allows only specific services or principals to be assumed
Policy ID: BC_AWS_IAM_44

Ensure AWS IAM policy does not allow assume role permission across all services
Policy ID: BC_AWS_IAM_45

Ensure SQS policy documents do not allow * (asterisk) as a statement's action
Policy ID: BC_AWS_IAM_46

Ensure AWS IAM policy does not allow full administrative privileges
Policy ID: BC_AWS_IAM_47

Ensure IAM policy documents do not allow * (asterisk) as a statement's action
Policy ID: BC_AWS_IAM_48

Ensure excessive permissions are not granted for IAM users
Policy ID: BC_AWS_IAM_49

Ensure excessive permissions are not granted for IAM roles
Policy ID: BC_AWS_IAM_50

Ensure excessive permissions are not granted for IAM groups
Policy ID: BC_AWS_IAM_51

Ensure excessive permissions are not granted for IAM policy
Policy ID: BC_AWS_IAM_52

Ensure credentials unused for 180 days or greater are disabled
Policy ID: BC_AWS_IAM_53

Ensure IAM policies do not allow credentials exposure for ECR
Policy ID: BC_AWS_IAM_54

Ensure IAM policies do not allow data exfiltration
Policy ID: BC_AWS_IAM_55

Ensure IAM policies do not allow permissions management / resource exposure without constraint
Policy ID: BC_AWS_IAM_56

Ensure IAM policies do not allow write access without constraint
Policy ID: BC_AWS_IAM_57

Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Policy ID: BC_AWS_IAM_59

Ensure respective logs of Amazon RDS are enabled
Policy ID: BC_AWS_IAM_60

Ensure IAM groups include at least one IAM user
Policy ID: BC_AWS_IAM_61

Ensure all IAM users are members of at least one IAM group
Policy ID: BC_AWS_IAM_62

Ensure KMS key policy does not contain wildcard (*) principal
Policy ID: BC_AWS_IAM_63

Ensure IAM policies do not allow privilege escalation
Policy ID: BC_AWS_IAM_64

Ensure RDS database has IAM authentication enabled
Policy ID: BC_AWS_IAM_65

Ensure RDS cluster has IAM authentication enabled
Policy ID: BC_AWS_IAM_66

Ensure an IAM user does not have access to the console
Policy ID: BC_AWS_IAM_67

Ensure IAM configuration modifications are detected
Policy ID: BC_AWS_ALERT_5