IAM

Resources: 36
Total Findings: 74
Rules Executed: 122
Unique Rules: 37
Exception: 0
Time spent: 60.517s

Summary

rootMfaActive

Security
Description
The root user can perform sensitive operations in your account, so adding an additional layer of authentication helps you to better secure it. You have NOT enabled Multi-Factor Authentication (MFA) on your root user. AWS MFA is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to the AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.
Resources
GLOBAL: User::root_id
Label
Cost Incurred (maybe)
Recommendation
AWS MFA
IAM Best Practices

userNotUsingGroup

Operation Excellence
Description
1 user is not within a user group. An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
Resources
GLOBAL: User::kuettai
Recommendation
IAM Group

InlinePolicy

Operation Excellence
Description
You have set an inline policy for 21 IAM users, groups or roles. An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). In most cases, we recommend that you use managed policies instead of inline policies. This is because managed policies have several additional features such as reusability, central change management, versioning and rolling back, delegating permissions management and automatic updates. Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for.
Resources
GLOBAL: User::kuettai | Role::AccessAnalyzerTrustedService | Role::AVMContainersUserRole | Role::awslogs.prod.kelex.molecule.toppatterns | Role::CloudSecAuditRole | Role::CloudSeerTrustedServiceRole | Role::CodeGuruProfilerForwardToAmazonProfiler | Role::CodeStarWorker-dojo-CloudFormation | Role::CodeStarWorker-dojo-ToolChain | Role::CodeStarWorker-dojo-WebApp | Role::Cognito_dojoIdPAuth_Role | Role::Cognito_dojoIdPUnauth_Role | Role::DocumentUnderstandingSolutionCICD-CodeBuildRole-26NRX1QIOV08 | Role::EC2AdminRole | Role::IMDSv2-automigrator | Role::OrthancRole | Role::PACICloudFormationStackSetAdministrationRole | Role::SaltyTrustedService | Role::ServiceScreenerAssumeRole | Role::ShadowTrooperRole | Role::TurtleRoleManagement
Recommendation
AWS Docs

roleLongSession

Security
Description
3 role session durations are longer than the default duration of 60 minutes. Unless your applications and/or federated users need to complete longer-running workloads in a single session, it is recommended to stick with the default session duration.
Resources
GLOBAL: Role::AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98 | Role::itadmin | Role::ServiceScreenerAssumeRole
Label
Testing Required (maybe)
Recommendation
AWS Blog

FullAdminAccess

Security
Description
You have provided full Administrator access to 8 users, groups or roles. It is considered best practice to limit access by following the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks.
Resources
GLOBAL: Role::AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98 | Role::DojoEC2AdminRole | Role::EC2AdminRole | Role::itadmin | Role::OrganizationAccountAccessRole | Role::PACICloudFormationStackSetExecutionRole | Role::ServiceScreenerAutomationRole | Role::stacksets-exec-7ca18804340a75b25a831ca17fba8659
Recommendation
AWS Docs
Organization GuardRail Blog

ManagedPolicyFullAccessOneServ

Security
Description
You have set a managed policy giving 2 users, groups and/or roles full access to one service. It is considered best practice to limit access by following the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks.
Resources
GLOBAL: Role::CodeStarWorker-dojo-ToolChain | Role::OrthancRole
Recommendation
AWS Docs

InlinePolicyFullAccessOneServ

Security
Description
You have set an inline policy giving 2 users, groups and/or roles full access to one service. Consider switching to managed policies instead. It is also considered best practice to limit access by following the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks.
Resources
GLOBAL: Role::Cognito_dojoIdPAuth_Role | Role::Cognito_dojoIdPUnauth_Role
Recommendation
AWS Docs

enableCURReport

Cost Optimization
Description
Cost and Usage Reports (CUR) have not been set up in this account. Set up CUR for better cost analysis.
Resources
GLOBAL: Account::Config
Label
Cost Incurred
Recommendation
Creating Cost and Usage Reports

PartialEnableConfigService

Security
Description
Not all regions have Config enabled. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources.
Resources
GLOBAL: Account::Config
Label
Cost Incurred
Recommendation
Enable AWS Config

hasAlternateContact

Security
Description
Alternate account contacts help AWS get in contact with the appropriate personnel if needed. Configure the account’s alternate contacts to point to a group rather than an individual. For example, create separate email distribution lists for billing, operations, and security and configure these as Billing, Security, and Operations contacts in each active AWS account. This ensures that multiple people will receive AWS notifications and be able to respond, even if someone is on vacation, changes roles, or leaves the company.
Resources
GLOBAL: Account::Config
Recommendation
Alternate Contact

enableCostBudget

Cost Optimization
Description
AWS Budgets enable monitoring of monthly costs and usage with notifications when costs are forecasted to exceed target thresholds. Forecasted cost notifications can provide an indication of unexpected activity, providing extra defense in addition to other monitoring systems, such as AWS Trusted Advisor and Amazon GuardDuty. Monitoring and understanding your AWS costs is also part of good operational hygiene.
Resources
GLOBAL: Account::Config
Recommendation
Create a budget

passwordPolicy

Security
Description
You have not set a custom password policy. Setting a custom password policy allows you to require strong password practices, such as a complexity level, avoiding re-use, and enforcing multi-factor authentication (MFA). If you don't set a custom password policy, IAM user passwords must meet the default AWS password policy.
Resources
GLOBAL: Account::Config
Recommendation
IAM Password Policy

supportPlanLowTier

Operation Excellence
Description
It is recommended that you subscribe to the AWS Business Support tier or higher for all of your AWS production accounts. For more information, refer to Compare AWS Support Plans. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. AWS Business Support provides additional benefits including access to AWS Trusted Advisor and AWS Personal Health Dashboard and faster response times.
Resources
GLOBAL: Account::Config
Label
Cost Incurred
Recommendation
AWS Support Plan
Guide
Detail
GLOBAL

1. root_id

Check | Current Value | Recommendation
rootMfaActive | Inactive | Enable MFA on root user

2. kuettai

Check | Current Value | Recommendation
userNotUsingGroup | - | Place IAM user within User Group
InlinePolicy | EpoxyMitigationsDenyAll, ss-test-inline | Use managed policies

3. AccessAnalyzerTrustedService

Check | Current Value | Recommendation
unusedRole | 1371 days passed | Review & remove inactive roles
InlinePolicy | AccessAnalyzerTrustedServicePolicy | Use managed policies

4. AVMContainersUserRole

Check | Current Value | Recommendation
unusedRole | 827 days passed | Review & remove inactive roles
InlinePolicy | AWSContainerAssessmentPolicy | Use managed policies

5. aws-ec2-spot-fleet-tagging-role

Check | Current Value | Recommendation
unusedRole | 1663 days passed | Review & remove inactive roles

6. awslogs.prod.kelex.molecule.toppatterns

Check | Current Value | Recommendation
unusedRole | 432 days passed | Review & remove inactive roles
InlinePolicy | AWSLogsOptimizerPolicy | Use managed policies

7. AWSReservedSSO_AWSAdministratorAccess_fae89f7963febc98

Check | Current Value | Recommendation
roleLongSession | 43200 | Review & reduce max session duration
FullAdminAccess | AdministratorAccess | Limit permissions.

8. AWSVAPTAudit

Check | Current Value | Recommendation
unusedRole | 1446 days passed | Review & remove inactive roles

9. CloudSecAuditRole

Check | Current Value | Recommendation
unusedRole | 362 days passed | Review & remove inactive roles
InlinePolicy | CloudSecAuditPolicy-prod | Use managed policies

10. CloudSeerTrustedServiceRole

Check | Current Value | Recommendation
unusedRole | 408 days | Review & remove inactive roles
InlinePolicy | CloudSeerTrustedServicePolicy | Use managed policies

11. CodeDeployRole

Check | Current Value | Recommendation
unusedRole | 1663 days passed | Review & remove inactive roles

12. CodeGuruProfilerForwardToAmazonProfiler

Check | Current Value | Recommendation
unusedRole | 593 days passed | Review & remove inactive roles
InlinePolicy | CodeGuruProfilerPolicy | Use managed policies

13. CodeStarWorker-dojo-CloudFormation

Check | Current Value | Recommendation
unusedRole | 1645 days passed | Review & remove inactive roles
InlinePolicy | CodeStarWorkerCloudFormationRolePolicy | Use managed policies

14. CodeStarWorker-dojo-ToolChain

Check | Current Value | Recommendation
unusedRole | 1645 days passed | Review & remove inactive roles
ManagedPolicyFullAccessOneServ | AWSCodeStarFullAccess, AWSCodeBuildAdminAccess, AWSCodeCommitFullAccess, AWSLambdaFullAccess, AWSCodeDeployFullAccess, AWSElasticBeanstalkFullAccess, CloudWatchEventsFullAccess, AWSCodePipeline_FullAccess | Limit permissions.
InlinePolicy | ToolChainWorkerPolicy | Use managed policies

15. CodeStarWorker-dojo-WebApp

Check | Current Value | Recommendation
unusedRole | 1645 days passed | Review & remove inactive roles
InlinePolicy | CodeStarWorkerBackendPolicy | Use managed policies

16. Cognito_dojoIdPAuth_Role

Check | Current Value | Recommendation
unusedRole | 1676 days passed | Review & remove inactive roles
InlinePolicy | oneClick_Cognito_dojoIdPAuth_Role_1606463253534 | Use managed policies
InlinePolicyFullAccessOneServ | oneClick_Cognito_dojoIdPAuth_Role_1606463253534 | Limit access in policy

17. Cognito_dojoIdPUnauth_Role

Check | Current Value | Recommendation
unusedRole | 1676 days passed | Review & remove inactive roles
InlinePolicy | oneClick_Cognito_dojoIdPUnauth_Role_1606463253534 | Use managed policies
InlinePolicyFullAccessOneServ | oneClick_Cognito_dojoIdPUnauth_Role_1606463253534 | Limit access in policy

18. DocumentUnderstandingSolutionCICD-CICDHelperRole-ERDSGV99V9GT

Check | Current Value | Recommendation
unusedRole | 1629 days passed | Review & remove inactive roles

19. DocumentUnderstandingSolutionCICD-CodeBuildRole-26NRX1QIOV08

Check | Current Value | Recommendation
unusedRole | 1629 days passed | Review & remove inactive roles
InlinePolicy | document-understanding-reference-architecture-codebuild | Use managed policies

20. DocumentUnderstandingSolutionCICD-CodePipelineRole-12BUYRAKNJIEQ

Check | Current Value | Recommendation
unusedRole | 1629 days passed | Review & remove inactive roles

21. DojoEC2AdminRole

Check | Current Value | Recommendation
unusedRole | 1669 days passed | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

22. EC2AdminRole

Check | Current Value | Recommendation
unusedRole | 1740 days passed | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.
InlinePolicy | QuickSightGetDashboardURL | Use managed policies

23. EC2CapacityReservationService

Check | Current Value | Recommendation
unusedRole | 1740 days passed | Review & remove inactive roles

24. IMDSv2-automigrator

Check | Current Value | Recommendation
unusedRole | 235 days | Review & remove inactive roles
InlinePolicy | IMDSv2-automigrator | Use managed policies

25. itadmin

Check | Current Value | Recommendation
roleLongSession | 43200 | Review & reduce max session duration
unusedRole | 294 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

26. OrganizationAccountAccessRole

Check | Current Value | Recommendation
FullAdminAccess | AdministratorAccess | Limit permissions.

27. OrthancRole

Check | Current Value | Recommendation
ManagedPolicyFullAccessOneServ | AmazonGuardDutyFullAccess | Limit permissions.
InlinePolicy | AmazonGuardDutyFullAccess | Use managed policies

28. PACICloudFormationStackSetAdministrationRole

Check | Current Value | Recommendation
unusedRole | 294 days | Review & remove inactive roles
InlinePolicy | AssumeRole-PACICloudFormationStackSetExecutionRole | Use managed policies

29. PACICloudFormationStackSetExecutionRole

Check | Current Value | Recommendation
unusedRole | 294 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

30. SaltyTrustedService

Check | Current Value | Recommendation
unusedRole | 274 days passed | Review & remove inactive roles
InlinePolicy | SaltyTrustedServicePolicy | Use managed policies

31. ServiceScreenerAssumeRole

Check | Current Value | Recommendation
roleLongSession | 14400 | Review & reduce max session duration
unusedRole | 581 days | Review & remove inactive roles
InlinePolicy | CloudFormationCreateStack | Use managed policies

32. ServiceScreenerAutomationRole

Check | Current Value | Recommendation
unusedRole | 145 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

33. ShadowTrooperRole

Check | Current Value | Recommendation
unusedRole | 425 days passed | Review & remove inactive roles
InlinePolicy | ShadowTrooperPolicy-prod | Use managed policies

34. stacksets-exec-7ca18804340a75b25a831ca17fba8659

Check | Current Value | Recommendation
unusedRole | 579 days | Review & remove inactive roles
FullAdminAccess | AdministratorAccess | Limit permissions.

35. TurtleRoleManagement

Check | Current Value | Recommendation
unusedRole | 531 days passed | Review & remove inactive roles
InlinePolicy | TurtleRoleManagementPolicy | Use managed policies

36. Config

Check | Current Value | Recommendation
enableCURReport | - | Setup Cost and Usage Report
PartialEnableConfigService | us-east-1 | Enable AWS Config
hasAlternateContact | No alternate contacts | Configure AWS account contacts
enableCostBudget | - | Monitor your AWS spending
passwordPolicy | NoSuchEntity | Set a custom password policy.
supportPlanLowTier | - | Subscribe to the AWS Business Support tier (or higher)