
LSSEC01-BP03 Set up alerts for IAM configuration changes and perform audits - Life Sciences Lens


Compliance-related access rules should be enforced automatically, with alerting or automated risk-mitigation actions whenever an access configuration drifts from them.

Desired outcome: Ability to mitigate the risk of irregular access configurations.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Set up alerts that monitor activity by users with elevated privileges.

Perform periodic audits of control effectiveness.

Implementation steps

  1. Set up alerts that notify on AWS IAM configuration changes, including when an IAM user is created and when conflicting permissions are added to a user or role (for example, a role that can both submit and approve requests in a given workflow, so that it can approve its own requests).

    1. Such notifications can be built from a combination of AWS CloudTrail (which records the IAM API calls), Amazon CloudWatch (a Logs metric filter and alarm on those events), and Amazon SNS (which delivers the alert).

  2. Automate permissions management and refinement with IAM Access Analyzer, integrated into security workflows that alert teams to access policy changes. For unused roles, access keys, and passwords, IAM Access Analyzer provides quick links in the console to delete them. For unused permissions, IAM Access Analyzer reviews your existing policies and recommends a refined policy tailored to observed access activity. Review a recommended policy before applying it: it reflects only the activity recorded during the analyzer's tracking period, so access that is needed infrequently can be missed.
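The alert logic behind step 1, as an added example that is not code from the Life Sciences Lens or from AWS: it runs over constructed CloudTrail records, flags the IAM calls that change principals or permissions, inspects inline policy documents for the self-approval conflict the text describes, and emits the CloudWatch Logs metric filter pattern that would feed a CloudWatch alarm and an SNS topic. The set of IAM event names, the workflow action names (`workflow:SubmitRequest`, `workflow:ApproveRequest`) and the sample records are assumptions made for the example.

```python
"""Added example: alerting on IAM configuration changes from CloudTrail records.
Not code from the Life Sciences Lens; event sets, action names and records are assumptions."""
import fnmatch
import json

# IAM API calls treated as configuration changes worth alerting on.
# This subset is an assumption for the example; extend it to match your compliance rules.
IAM_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "CreateAccessKey", "CreateLoginProfile",
    "AddUserToGroup", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
    "UpdateAssumeRolePolicy",
}

# Hypothetical workflow actions: a principal granted both can approve its own requests.
CONFLICTING_ACTION_SETS = [
    ("workflow:SubmitRequest", "workflow:ApproveRequest"),
]


def cloudwatch_filter_pattern(event_names=IAM_CHANGE_EVENTS):
    """CloudWatch Logs metric filter pattern for the IAM change events.
    Attach it to the CloudTrail log group, alarm on the metric, and notify via SNS."""
    clauses = " || ".join(f'($.eventName = "{name}")' for name in sorted(event_names))
    return "{ " + clauses + " }"


def _allowed_actions(policy_document):
    """Yield the Action strings granted by Allow statements (NotAction is not handled)."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def _grants(allowed, action):
    # IAM action names are case-insensitive and may contain wildcards such as "workflow:*".
    return any(fnmatch.fnmatch(action.lower(), pattern.lower()) for pattern in allowed)


def conflicting_permissions(policy_document):
    """Return the (submit, approve) pairs that this policy grants together."""
    allowed = list(_allowed_actions(policy_document))
    return [pair for pair in CONFLICTING_ACTION_SETS if all(_grants(allowed, a) for a in pair)]


def analyze_record(record):
    """Return an alert dict for an IAM configuration change, or None for anything else."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    if record.get("eventName") not in IAM_CHANGE_EVENTS or record.get("errorCode"):
        return None  # failed calls changed nothing; alert on them separately if attempts matter
    params = record.get("requestParameters") or {}
    alert = {
        "event": record["eventName"],
        "actor": record.get("userIdentity", {}).get("arn"),
        "target": params.get("userName") or params.get("roleName") or params.get("groupName"),
        "conflicts": [],
    }
    # CloudTrail carries an inline policy document as a JSON string inside requestParameters.
    if "policyDocument" in params:
        alert["conflicts"] = conflicting_permissions(json.loads(params["policyDocument"]))
    return alert


def alerts_from_trail(records):
    return [alert for alert in map(analyze_record, records) if alert]


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"userName": "new-analyst"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"roleName": "sample-intake", "policyName": "intake",
                           "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Action": "workflow:SubmitRequest", "Resource": "*"},
                               {"Effect": "Allow", "Action": ["workflow:Approve*"], "Resource": "*"}]})}},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetUser",  # read-only, no alert
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"userName": "new-analyst"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteUser", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/intern"},
     "requestParameters": {"userName": "admin"}},
]

if __name__ == "__main__":
    print(cloudwatch_filter_pattern())
    for alert in alerts_from_trail(SAMPLE_RECORDS):
        print(alert)
```

Only two of the four sample records produce alerts: the user creation and the `PutRolePolicy` call, and the second is flagged with the submit/approve conflict because the wildcard `workflow:Approve*` covers the approve action. The read-only call and the denied deletion are dropped. In production the same `analyze_record` logic can run in a Lambda function subscribed to the CloudTrail log group, publishing each alert to SNS; the metric filter pattern covers the simpler case where any matching event should raise a CloudWatch alarm.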