Description:

This policy enables screen capture of the members of the domain and enterprise administrators groups. This can be used to monitor the activity of these users and to detect potential security threats.

Rationale:

The ability to monitor the activity of high-privileged users is essential for maintaining the security of an AWS environment. This policy provides a valuable tool for doing so by enabling screen capture of the members of the domain and enterprise administrators groups.

Impact:

Enabling this policy will have no impact on the availability or performance of AWS resources. However, it will increase the amount of data that is stored in AWS.

Default Value:

AWS will not enable this policy by default.

Prerequisites:

  • The user must have the appropriate permissions to enable this policy.
  • The user must have access to the AWS Management Console or the AWS CLI.
  • The user must have a screen capture tool installed on their computer.

Remediation Steps:

To disable this policy, the user can follow these steps:

  1. In the AWS Management Console, navigate to the IAM & Admin page.
  2. Click on the Policies tab.
  3. Select the policy that you want to disable.
  4. Click on the Disable button.

Test Plan:

To test this policy, the user can follow these steps:

  1. Enable the policy.
  2. Capture a screenshot of the members of the domain and enterprise administrators groups.
  3. Verify that the screenshot is accurate and complete.

Implementation Plan:

To implement this policy, the user can follow these steps:

  1. Enable the policy.
  2. Capture screenshots of the members of the domain and enterprise administrators groups on a regular basis.
  3. Review the screenshots to ensure that there is no suspicious activity.

AWS CLI Process:

To enable this policy using the AWS CLI, the user can run the following command:

aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://<policy-document-file> --set-as-default

The file referenced by <policy-document-file> should contain the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:StartScreenCapture",
      "Resource": "*"
    }
  ]
}
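Before attaching any policy document, a practitioner would normally validate its shape and check it against least-privilege expectations. The following Python linter is an added example, not part of the original page or of AWS tooling. It embeds the policy document reproduced above as constructed input; the action string is copied from the page as written, and the script does not check it against IAM's action catalogue. The function name lint_policy and the warning texts are assumptions of this example.

```python
import json

# Policy document copied from the page above (constructed sample input).
# The Action value is taken as written; it is not validated against IAM.
POLICY_DOCUMENT = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:StartScreenCapture",
      "Resource": "*"
    }
  ]
}"""

REQUIRED_STATEMENT_KEYS = {"Effect", "Action", "Resource"}


def lint_policy(document: str) -> list[str]:
    """Parse an IAM policy document and return a list of findings.

    An empty list means the document parsed, every statement carries the
    required keys, and no least-privilege warning was raised.
    """
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    # "2008-10-17" is also accepted by IAM but lacks policy variables,
    # so anything other than the current version is flagged.
    if policy.get("Version") != "2012-10-17":
        findings.append('Version should be "2012-10-17"')

    statements = policy.get("Statement")
    if isinstance(statements, dict):   # IAM accepts a single statement object
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]

    for i, stmt in enumerate(statements):
        missing = REQUIRED_STATEMENT_KEYS - set(stmt)
        if missing:
            findings.append(f"statement {i}: missing {sorted(missing)}")
            continue
        if stmt["Effect"] not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")

        # Action and Resource may each be a string or a list of strings.
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]

        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        # An Allow on every resource is the classic over-broad grant; a Deny
        # on "*" is a restriction and is not flagged.
        if stmt["Effect"] == "Allow" and "*" in resources:
            findings.append(f"statement {i}: Allow on Resource '*'")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(POLICY_DOCUMENT) or ["no findings"]:
        print(finding)
```

Run against the page's document, the linter reports the single finding that the Allow statement is scoped to Resource "*"; whether that can be narrowed depends on whether the action supports resource-level permissions, which the reviewer checks before deploying.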

Using AWS GUI:

To enable this policy using the AWS GUI, the user can follow these steps:

  1. In the AWS Management Console, navigate to the IAM & Admin page.
  2. Click on the Policies tab.
  3. Select the policy that you want to enable.
  4. Click on the Edit button.
  5. In the Policy Document section, paste the following JSON:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": "iam:StartScreenCapture",
           "Resource": "*"
         }
       ]
     }

  6. Click on the Save button.

Backout Plan:

To revoke this policy, the user can follow these steps:

  1. In the AWS Management Console, navigate to the IAM & Admin page.
  2. Click on the Policies tab.
  3. Select the policy that you want to revoke.
  4. Click on the Delete button.

Note:

  • This policy is not required for all AWS environments.
  • The user should review the screenshots to ensure that there is no suspicious activity.
  • The user should revoke this policy if it is no longer needed.

Reference:

  • AWS IAM Policy Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
  • AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/iam/

Section 2:

  • Tags: screen, capture, domain, administrator, audit
  • Keywords: IAM, policy, audit, compliance