AWS Auto-Checks Detailed Explanations
How to remediate failed Auto Checks?
Enforce MFA on the AWS Root Account
Verify CloudTrail is logging management events across all AWS regions
Ensure no IAM AWS-managed policies grant full administrative access
Confirm that Amazon GuardDuty is enabled for threat detection
Ensure the root account does not have any active access keys
Confirm IAM Access Analyzer is enabled to monitor access permissions
Configure a log metric filter and alarm for unauthorized API calls
Configure a log metric filter and alarm for root account usage
Ensure customer-managed IAM policies do not grant full administrative access
Prevent IAM identities from having inline policies with unrestricted access
Block IAM Inline Policies That Enable Privilege Escalation
Avoid Full KMS Access in Inline IAM Policies
Prevent IAM Inline Policies from Granting Full CloudTrail Access
Prevent Overly Permissive Role Assumption in Custom IAM Policies
Prevent Privilege Escalation via Customer-Managed IAM Policies
Avoid IAM Policies Granting Full CloudTrail Access
Avoid IAM Policies Granting Unrestricted KMS Access
Prevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS Accounts
Protect IAM Service Roles from Confused Deputy Attacks Using Proper Trust Policies
Avoid Provisioning Access Keys During Initial IAM User Creation When Console Login is Enabled
Detect IAM Users with Multiple Active Access Keys and Enforce Key Rotation