IAM

Resources: 37
Total Findings: 78
Rules Executed: 126
Unique Rules: 38
Suppressed: 0
Time spent: 46.436s

Summary

rootMfaActive

Security
Description
The root user can perform sensitive operations in your account, so requiring a second authentication factor for it materially improves account security. You have NOT enabled Multi-Factor Authentication (MFA) on your root user. AWS MFA is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, a user signing in to the AWS Management Console is prompted for their user name and password (the first factor, something they know) and for an authentication code from their AWS MFA device (the second factor, something they have). Taken together, these factors provide increased security for your AWS account settings and resources.
Resources
GLOBAL: User::root_id
Label
Cost Incurred (maybe)
Recommendation
AWS MFA
IAM Best Practices
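The root MFA state can be verified from the IAM credential report, which lists every user (including the root account) with its password, MFA and access-key status. The script below is an added example written for this page, not Service Screener's own code: it parses a credential report in the CSV format that `aws iam get-credential-report` returns (after base64 decoding), reproduces the rootMfaActive check, and goes beyond the finding above by also flagging active root access keys and console users without MFA. The report rows, user names and account ID are constructed sample data.

```python
"""Flag MFA gaps from an IAM credential report (added example, not Service Screener code)."""
import csv
import io

# Constructed sample report. The column set matches the real credential report;
# only the columns this script reads carry meaningful values.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
kuettai,arn:aws:iam::123456789012:user/kuettai,2020-03-01T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,false,true,2024-01-01T00:00:00+00:00,2024-05-02T00:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-02-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_credential_report(text):
    """Return the report rows as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _true(value):
    # The report uses the strings "true"/"false"; anything else ("N/A",
    # "not_supported") is treated as not enabled.
    return value.strip().lower() == "true"


def mfa_findings(rows):
    """Return a list of (check, user, detail) tuples.

    rootMfaActive   the <root_account> row has mfa_active != true
    rootAccessKeys  the root user has an active access key (it should have none)
    userMfaActive   a user with a console password has no MFA device
    """
    findings = []
    for row in rows:
        user = row["user"]
        if user == "<root_account>":
            if not _true(row["mfa_active"]):
                findings.append(("rootMfaActive", user, "Inactive"))
            if _true(row["access_key_1_active"]) or _true(row["access_key_2_active"]):
                findings.append(("rootAccessKeys", user, "active access key present"))
        elif _true(row["password_enabled"]) and not _true(row["mfa_active"]):
            findings.append(("userMfaActive", user, "console password without MFA"))
    return findings


def root_mfa_active(rows):
    """Boolean form of the rootMfaActive check."""
    return not any(check == "rootMfaActive" for check, _, _ in mfa_findings(rows))


if __name__ == "__main__":
    for check, user, detail in mfa_findings(parse_credential_report(SAMPLE_REPORT)):
        print(f"{check:16} {user:16} {detail}")
```

Against a live account, feed the function the decoded `Content` field of `get-credential-report`; the report is regenerated at most every four hours, so request it with `generate-credential-report` first and treat the figures as slightly stale.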

userNotUsingGroup

Operation Excellence
Description
1 user is not in any IAM user group. An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users at once, which makes it easier to manage the permissions for those users.
Resources
GLOBAL: User::kuettai
Recommendation
IAM Group

InlinePolicy

Operation Excellence
Description
You have set an inline policy for 22 IAM users, groups or roles. An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). In most cases, we recommend that you use managed policies instead of inline policies. This is because managed policies have several additional features such as reusability, central change management, versioning and rolling back, delegating permissions management and automatic updates. Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for.
Resources
GLOBAL: User::kuettai | Role::AccessAnalyzerTrustedService | Role::AlpoTrustedServiceRole | Role::AVMContainersUserRole | Role::awslogs.prod.kelex.molecule.toppatterns | Role::CloudSecAuditRole | Role::CloudSeerTrustedServiceRole | Role::CodeGuruProfilerForwardToAmazonProfiler | Role::CodeStarWorker-dojo-CloudFormation | Role::CodeStarWorker-dojo-ToolChain | Role::CodeStarWorker-dojo-WebApp | Role::Cognito_dojoIdPAuth_Role | Role::Cognito_dojoIdPUnauth_Role | Role::DocumentUnderstandingSolutionCICD-CodeBuildRole-26NRX1QIOV08 | Role::EC2AdminRole | Role::EpoxyAccessRole | Role::OrthancRole | Role::PACICloudFormationStackSetAdministrationRole | Role::SaltyTrustedService | Role::ServiceScreenerAssumeRole | Role::ShadowTrooperRole | Role::TurtleRoleManagement
Recommendation
AWS Docs

unusedRole

Operation Excellence

roleLongSession

Security
Description
3 roles have a maximum session duration longer than the default of 60 minutes (3600 seconds). Unless your applications or federated users need to complete longer-running workloads in a single session, keep the default. A longer maximum also widens the window in which leaked temporary credentials stay usable: STS credentials cannot be revoked individually, so the only recourse is a Deny on the role keyed to aws:TokenIssueTime, which cuts off every session issued before that time.
Resources
GLOBAL: Role::AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98 | Role::itadmin | Role::ServiceScreenerAssumeRole
Label
Testing Required (maybe)
Recommendation
AWS Blog
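The roleLongSession check compares a role's MaxSessionDuration with the 3600-second default, and the unusedRole entries in the Detail section derive their "N days passed" values from when the role was last assumed. The script below is an added example, not Service Screener's code; it evaluates both checks over role records shaped like `aws iam get-role` output. The role records, the fixed reference time and the 90-day unused threshold are assumptions made for the example, since the report does not state its own threshold.

```python
"""roleLongSession and unusedRole over get-role style data (added example, not Service Screener code)."""
from datetime import datetime, timedelta, timezone

DEFAULT_SESSION = 3600      # IAM default MaxSessionDuration, in seconds
UNUSED_AFTER_DAYS = 90      # assumed threshold; the report does not state its own
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed reference time for reproducible output

# Constructed sample roles carrying only the fields the checks read.
SAMPLE_ROLES = [
    {"RoleName": "itadmin", "MaxSessionDuration": 43200,
     "CreateDate": NOW - timedelta(days=900),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=491), "Region": "us-east-1"}},
    {"RoleName": "ServiceScreenerAssumeRole", "MaxSessionDuration": 14400,
     "CreateDate": NOW - timedelta(days=800),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=10), "Region": "us-east-1"}},
    {"RoleName": "NeverAssumed", "MaxSessionDuration": 3600,
     "CreateDate": NOW - timedelta(days=30),
     "RoleLastUsed": {}},   # IAM returns an empty object for roles never assumed
]


def session_finding(role):
    """roleLongSession: (max_seconds, hours) if longer than the default, else None."""
    secs = role.get("MaxSessionDuration", DEFAULT_SESSION)
    return (secs, secs / 3600) if secs > DEFAULT_SESSION else None


def days_since_use(role, now=NOW):
    """Days since the role was last assumed.

    Caveat: RoleLastUsed only covers the last 400 days of activity and is empty
    for roles that were never assumed, so fall back to CreateDate in that case;
    a role created recently is therefore not reported as unused.
    """
    last = role.get("RoleLastUsed", {}).get("LastUsedDate") or role["CreateDate"]
    return (now - last).days


def unused_finding(role, now=NOW, threshold=UNUSED_AFTER_DAYS):
    """unusedRole: days since use if at or past the threshold, else None."""
    days = days_since_use(role, now)
    return days if days >= threshold else None


def evaluate(roles, now=NOW):
    """Return {role_name: {check: current_value}} in the report's own layout."""
    out = {}
    for role in roles:
        findings = {}
        session = session_finding(role)
        if session:
            findings["roleLongSession"] = session[0]
        unused = unused_finding(role, now)
        if unused is not None:
            findings["unusedRole"] = f"{unused} days passed"
        if findings:
            out[role["RoleName"]] = findings
    return out


if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE_ROLES).items():
        print(name, findings)
```

The 400-day tracking limit matters when reading the large "days passed" figures in the Detail section: a role whose last use is older than the tracking window looks the same as one that was never used, so the figure may be measured from creation rather than from the last assumption.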

FullAdminAccess

Security
Description
You have provided full Administrator access to 8 users, groups or roles. It is considered best practice to limit access by following the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks.
Resources
GLOBAL: Role::AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98 | Role::DojoEC2AdminRole | Role::EC2AdminRole | Role::itadmin | Role::OrganizationAccountAccessRole | Role::PACICloudFormationStackSetExecutionRole | Role::ServiceScreenerAutomationRole | Role::stacksets-exec-7ca18804340a75b25a831ca17fba8659
Recommendation
AWS Docs
Organization GuardRail Blog

ManagedPolicyFullAccessOneServ

Security
Description
You have set a managed policy giving 2 users, groups and/or roles full access to one service. It is considered best practice to limit access by following the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks.
Resources
GLOBAL: Role::CodeStarWorker-dojo-ToolChain | Role::OrthancRole
Recommendation
AWS Docs

InlinePolicyFullAccessOneServ

Security
Description
You have set an inline policy giving 2 users, groups and/or roles full access to one service. Consider switching to managed policies instead. It is also considered best practice to limit access by following the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks.
Resources
GLOBAL: Role::Cognito_dojoIdPAuth_Role | Role::Cognito_dojoIdPUnauth_Role
Recommendation
AWS Docs
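The three findings FullAdminAccess, ManagedPolicyFullAccessOneServ and InlinePolicyFullAccessOneServ all reduce to one question about a policy document: does an Allow statement grant every action, or every action of a single service, on every resource? The classifier below is an added example, not Service Screener's code. The function name classify_policy and the three sample policy documents are constructed for illustration; the first two resemble, but are not copied from, the AdministratorAccess and GuardDuty full-access policies named in the report.

```python
"""Classify IAM policy documents for full-admin and full-service access (added example)."""
import json


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string/object or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_policy(document):
    """Return a set of labels for a policy document (dict or JSON string).

    "FullAdminAccess"          Allow on Action "*" against Resource "*"
    "FullAccessOneServ:<svc>"  Allow on "<svc>:*" against Resource "*"
    "NotAction"                an Allow written with NotAction; such grants are
                               broad by construction and are surfaced for review
    Deny statements and statements carrying a Condition block are not counted:
    a Condition narrows the grant, and this classifier stays conservative rather
    than trying to evaluate it.
    """
    if isinstance(document, str):
        document = json.loads(document)
    labels = set()
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "NotAction" in stmt:
            labels.add("NotAction")
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                labels.add("FullAdminAccess")
            elif action.endswith(":*"):
                labels.add("FullAccessOneServ:" + action[:-2].lower())
    return labels


# Constructed samples (not copied from AWS managed policies).
ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
GUARDDUTY_LIKE = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow",
                                 "Action": ["guardduty:*", "iam:GetRole"],
                                 "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Action": ["s3:GetObject", "s3:ListBucket"],
                         "Resource": ["arn:aws:s3:::example-bucket",
                                      "arn:aws:s3:::example-bucket/*"]},
                        {"Effect": "Deny", "Action": "*", "Resource": "*",
                         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}

if __name__ == "__main__":
    for name, doc in (("ADMIN_LIKE", ADMIN_LIKE), ("GUARDDUTY_LIKE", GUARDDUTY_LIKE), ("SCOPED", SCOPED)):
        print(name, sorted(classify_policy(doc)) or "no finding")
```

For a managed policy the document comes from `get-policy-version` for the default version; for an inline policy it is the URL-decoded `PolicyDocument` from `get-role-policy` or `get-user-policy`. The difference between the two findings in the report is only where the document is attached, so one classifier covers both.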

hasAWSBackupPlans

Reliability
Description
AWS Backup plans are not configured. AWS Backup provides centralized backup management across AWS services including RDS, DynamoDB, EBS, EFS, and more. Configure AWS Backup plans to ensure regular backups are taken automatically based on a periodic schedule. This ensures you have the ability to recover from administrative, logical, or physical error scenarios. AWS Backup simplifies backup management and provides a single place to configure and audit the backup-related activity of your AWS resources.
Resources
GLOBAL: Account::Config
Label
Cost Incurred
Recommendation
AWS Backup
Getting Started

enableCURReport

Cost Optimization
Description
Cost and Usage Reports (CUR) have not been set up in this account. Set up CUR for better cost analysis.
Resources
GLOBAL: Account::Config
Label
Cost Incurred
Recommendation
Creating Cost and Usage Reports

passwordPolicy

Security
Description
You have not set a custom password policy. A custom password policy lets you require strong password practices for IAM users, such as a minimum length, character complexity, expiration, and prevention of re-use. (Requiring MFA is not part of the password policy; it is enforced through IAM policy conditions such as aws:MultiFactorAuthPresent.) If you don't set a custom password policy, IAM user passwords must meet the default AWS password policy.
Resources
GLOBAL: Account::Config
Recommendation
IAM Password Policy

enableCostBudget

Cost Optimization
Description
AWS Budgets enable monitoring of monthly costs and usage with notifications when costs are forecasted to exceed target thresholds. Forecasted cost notifications can provide an indication of unexpected activity, providing extra defense in addition to other monitoring systems, such as AWS Trusted Advisor and Amazon GuardDuty. Monitoring and understanding your AWS costs is also part of good operational hygiene.
Resources
GLOBAL: Account::Config
Recommendation
Create a budget

PartialEnableConfigService

Security
Description
Not all regions have AWS Config enabled. AWS Config records the configuration of supported AWS resources in your account and delivers the recorded history to you. The recorded information includes each configuration item (AWS resource), the relationships between configuration items, and configuration changes over time. Resources created in a region where Config is not enabled leave no configuration history, so enable it in every region, including the ones you do not actively use.
Resources
GLOBAL: Account::Config
Label
Cost Incurred
Recommendation
Enable AWS Config

hasAlternateContact

Security
Description
Alternate account contacts help AWS get in contact with the appropriate personnel if needed. Configure the account’s alternate contacts to point to a group rather than an individual. For example, create separate email distribution lists for billing, operations, and security and configure these as Billing, Security, and Operations contacts in each active AWS account. This ensures that multiple people will receive AWS notifications and be able to respond, even if someone is on vacation, changes roles, or leaves the company.
Resources
GLOBAL: Account::Config
Recommendation
Alternate Contact

supportPlanLowTier

Operation Excellence
Description
It is recommended that you subscribe to the AWS Business Support tier or higher for all of your AWS production accounts. For more information, refer to Compare AWS Support Plans. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. AWS Business Support provides additional benefits including access to AWS Trusted Advisor and AWS Personal Health Dashboard and faster response times.
Resources
GLOBAL: Account::Config
Label
Cost Incurred
Recommendation
AWS Support Plan
Guide
Detail
GLOBAL

1. root_id

Check | Current Value | Recommendation
rootMfaActive | Inactive | Enable MFA on root user

2. kuettai

Check | Current Value | Recommendation
userNotUsingGroup | - | Place IAM user within User Group
InlinePolicy | EpoxyMitigationsDenyAll, ss-test-inline | Use managed policies

3. AccessAnalyzerTrustedService

Check | Current Value | Recommendation
unusedRole | 1568 days passed | Review & remove inactive roles
InlinePolicy | AccessAnalyzerTrustedServicePolicy | Use managed policies

4. AlpoTrustedServiceRole

Check | Current Value | Recommendation
unusedRole | 118 days passed | Review & remove inactive roles
InlinePolicy | AlpoServiceAccessPolicy | Use managed policies

5. AVMContainersUserRole

Check | Current Value | Recommendation
unusedRole | 1024 days passed | Review & remove inactive roles
InlinePolicy | AWSContainerAssessmentPolicy | Use managed policies

6. aws-ec2-spot-fleet-tagging-role

Check | Current Value | Recommendation
unusedRole | 1860 days passed | Review & remove inactive roles

7. awslogs.prod.kelex.molecule.toppatterns

Check | Current Value | Recommendation
unusedRole | 629 days passed | Review & remove inactive roles
InlinePolicy | AWSLogsOptimizerPolicy | Use managed policies

8. AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98

Check | Current Value | Recommendation
roleLongSession | 43200 s (12 h) | Review & reduce max session duration
unusedRole | 32 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

9. AWSVAPTAudit

Check | Current Value | Recommendation
unusedRole | 1643 days passed | Review & remove inactive roles

10. CloudSecAuditRole

Check | Current Value | Recommendation
unusedRole | 559 days passed | Review & remove inactive roles
InlinePolicy | CloudSecAuditPolicy-prod | Use managed policies

11. CloudSeerTrustedServiceRole

Check | Current Value | Recommendation
unusedRole | 605 days | Review & remove inactive roles
InlinePolicy | CloudSeerTrustedServicePolicy | Use managed policies

12. CodeDeployRole

Check | Current Value | Recommendation
unusedRole | 1860 days passed | Review & remove inactive roles

13. CodeGuruProfilerForwardToAmazonProfiler

Check | Current Value | Recommendation
unusedRole | 790 days passed | Review & remove inactive roles
InlinePolicy | CodeGuruProfilerPolicy | Use managed policies

14. CodeStarWorker-dojo-CloudFormation

Check | Current Value | Recommendation
unusedRole | 1842 days passed | Review & remove inactive roles
InlinePolicy | CodeStarWorkerCloudFormationRolePolicy | Use managed policies

15. CodeStarWorker-dojo-ToolChain

Check | Current Value | Recommendation
unusedRole | 1842 days passed | Review & remove inactive roles
ManagedPolicyFullAccessOneServ | AWSCodeStarFullAccess, AWSCodeBuildAdminAccess, AWSCodeCommitFullAccess, AWSLambdaFullAccess, AWSCodeDeployFullAccess, AWSElasticBeanstalkFullAccess, CloudWatchEventsFullAccess, AWSCodePipeline_FullAccess | Limit permissions.
InlinePolicy | ToolChainWorkerPolicy | Use managed policies

16. CodeStarWorker-dojo-WebApp

Check | Current Value | Recommendation
unusedRole | 1842 days passed | Review & remove inactive roles
InlinePolicy | CodeStarWorkerBackendPolicy | Use managed policies

17. Cognito_dojoIdPAuth_Role

Check | Current Value | Recommendation
unusedRole | 1873 days passed | Review & remove inactive roles
InlinePolicy | oneClick_Cognito_dojoIdPAuth_Role_1606463253534 | Use managed policies
InlinePolicyFullAccessOneServ | oneClick_Cognito_dojoIdPAuth_Role_1606463253534 | Limit access in policy

18. Cognito_dojoIdPUnauth_Role

Check | Current Value | Recommendation
unusedRole | 1873 days passed | Review & remove inactive roles
InlinePolicy | oneClick_Cognito_dojoIdPUnauth_Role_1606463253534 | Use managed policies
InlinePolicyFullAccessOneServ | oneClick_Cognito_dojoIdPUnauth_Role_1606463253534 | Limit access in policy

19. DocumentUnderstandingSolutionCICD-CICDHelperRole-ERDSGV99V9GT

Check | Current Value | Recommendation
unusedRole | 1826 days passed | Review & remove inactive roles

20. DocumentUnderstandingSolutionCICD-CodeBuildRole-26NRX1QIOV08

Check | Current Value | Recommendation
unusedRole | 1826 days passed | Review & remove inactive roles
InlinePolicy | document-understanding-reference-architecture-codebuild | Use managed policies

21. DocumentUnderstandingSolutionCICD-CodePipelineRole-12BUYRAKNJIEQ

Check | Current Value | Recommendation
unusedRole | 1826 days passed | Review & remove inactive roles

22. DojoEC2AdminRole

Check | Current Value | Recommendation
unusedRole | 1866 days passed | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

23. EC2AdminRole

Check | Current Value | Recommendation
unusedRole | 1937 days passed | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.
InlinePolicy | QuickSightGetDashboardURL | Use managed policies

24. EC2CapacityReservationService

Check | Current Value | Recommendation
unusedRole | 1937 days passed | Review & remove inactive roles

25. EpoxyAccessRole

Check | Current Value | Recommendation
unusedRole | 29 days passed | Review & remove inactive roles
InlinePolicy | EpoxyAccessPolicy | Use managed policies

26. itadmin

Check | Current Value | Recommendation
roleLongSession | 43200 s (12 h) | Review & reduce max session duration
unusedRole | 491 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

27. OrganizationAccountAccessRole

Check | Current Value | Recommendation
FullAdminAccess | AdministratorAccess | Limit permissions.

28. OrthancRole

Check | Current Value | Recommendation
ManagedPolicyFullAccessOneServ | AmazonGuardDutyFullAccess_v2 | Limit permissions.
InlinePolicy | AmazonGuardDutyFullAccess | Use managed policies

29. PACICloudFormationStackSetAdministrationRole

Check | Current Value | Recommendation
unusedRole | 491 days | Review & remove inactive roles
InlinePolicy | AssumeRole-PACICloudFormationStackSetExecutionRole | Use managed policies

30. PACICloudFormationStackSetExecutionRole

Check | Current Value | Recommendation
unusedRole | 491 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

31. SaltyTrustedService

Check | Current Value | Recommendation
unusedRole | 471 days passed | Review & remove inactive roles
InlinePolicy | SaltyTrustedServicePolicy | Use managed policies

32. ServiceScreenerAssumeRole

Check | Current Value | Recommendation
roleLongSession | 14400 s (4 h) | Review & reduce max session duration
unusedRole | 778 days | Review & remove inactive roles
InlinePolicy | CloudFormationCreateStack | Use managed policies

33. ServiceScreenerAutomationRole

Check | Current Value | Recommendation
unusedRole | 342 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

34. ShadowTrooperRole

Check | Current Value | Recommendation
unusedRole | 622 days passed | Review & remove inactive roles
InlinePolicy | ShadowTrooperPolicy-prod | Use managed policies

35. stacksets-exec-7ca18804340a75b25a831ca17fba8659

Check | Current Value | Recommendation
unusedRole | 776 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

36. TurtleRoleManagement

Check | Current Value | Recommendation
unusedRole | 728 days passed | Review & remove inactive roles
InlinePolicy | TurtleRoleManagementPolicy | Use managed policies

37. Config

Check | Current Value | Recommendation
hasAWSBackupPlans | No AWS Backup plans configured | Configure AWS Backup plans
enableCURReport | - | Set up Cost and Usage Report
passwordPolicy | NoSuchEntity | Set a custom password policy.
enableCostBudget | - | Monitor your AWS spending
PartialEnableConfigService | us-east-1 | Enable AWS Config
hasAlternateContact | No alternate contacts | Configure AWS account contacts
supportPlanLowTier | - | Subscribe to the AWS Business Support tier (or higher)