Profile Applicability

Level 2

Description:

A Security Audit role in AWS is an IAM role that provides security teams with read-only access to review configurations, access permissions, and security-related activities across AWS accounts. It helps ensure compliance with governance policies, detect misconfigurations, and identify unauthorized access attempts. This role enhances security visibility, compliance checks, and overall organizational security posture.

Rationale:

High Visibility: Provides security teams with visibility into AWS resources and their configurations.
Compliance Assurance: Meets regulatory and compliance requirements, such as PCI DSS, ISO 27001, and CIS benchmarks.
Proactive Identification: Enables early identification of security vulnerabilities and policy violations.
Security Governance: Improves governance by ensuring adherence to security best practices.

Impact:

Pros

Facilitates security audits with detailed insights into AWS resource usage and permissions.
Improves security monitoring and governance.
Reduces risk of unauthorized access and misconfigurations.
Enhances incident detection and response capabilities.

Cons

Requires proper configuration to prevent excessive permissions.
May require ongoing maintenance for policy updates.

Default Value:

AWS does not create a Security Audit role by default. This role must be created manually or deployed using automation tools.

Pre-Requisites:

IAM Permissions:

iam:CreateRole
iam:AttachRolePolicy
iam:UpdateAssumeRolePolicy
AWS CLI installed and configured.

Remediation:

Test Plan:

Using AWS Console:

Sign in to the AWS Management Console.
Navigate to the IAM Console → Roles.
Search for a role named SecurityAudit.
Verify that the role has the AWS SecurityAudit Managed Policy attached.
Check the role’s trust relationship to ensure it’s assigned to security personnel or services.

Using AWS CLI:

List all roles and search for SecurityAudit:

aws iam list-roles | grep "SecurityAudit"

Verify the attached policy:

aws iam get-role-policy --role-name SecurityAudit --policy-name SecurityAudit

Confirm the trust relationship allows intended users or services to assume the role.

Implementation Steps:

Using AWS Console:

Sign in to the AWS Management Console.
Navigate to the IAM Console.
Click on Roles, then select Create Role.
Select AWS Service and choose Security Audit as the use case.
Attach the managed policy SecurityAudit.
Configure the trust relationship for required users or services.
Save and validate the configuration.

Using AWS CLI:

Create the Security Audit role:
aws iam create-role --role-name SecurityAudit --assume-role-policy-document file://trust-policy.json

Attach the AWS-managed Security Audit policy:
aws iam attach-role-policy --role-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit

Verify the role creation:
aws iam get-role --role-name SecurityAudit

Backout Plan:

Using AWS Console:

Sign in to the AWS Management Console.
Navigate to IAM Console → Roles.
Search for the SecurityAudit role in the list of roles.
Select the role to open its details.
Detach any attached policies:
- Go to the Permissions tab.
- Click on the attached SecurityAudit policy and select Detach policy.
Delete the role:
- Go to the Trust relationships tab.
- Click Actions → Delete role.

Using AWS CLI:

Detach the attached policies:

aws iam detach-role-policy --role-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit

Delete the role:

aws iam delete-role --role-name SecurityAudit

References:

AWS IAM Security Audit Role Documentation
CIS Critical Security Controls v8 IG1

CIS Controls:

Version	Control ID	Control Description	IG1	IG2	IG3
v8	5.3	Securely Manage Network Infrastructure – Ensure security roles provide visibility into resource configurations.	●	●	●
v8	13.2	Ensure Secure Network Communication – Assign security roles to monitor secure access and activity logs.	●	●	●
v7	16.4	Detect Security Misconfigurations – Use roles to identify and address policy violations or unauthorized access.	●	●	●

Ensure a Security Audit Role Has Been Created to Conduct Security Audits Print

Profile Applicability

Level 2

Description:

Rationale:

High Visibility: Provides security teams with visibility into AWS resources and their configurations.

Compliance Assurance: Meets regulatory and compliance requirements, such as PCI DSS, ISO 27001, and CIS benchmarks.

Proactive Identification: Enables early identification of security vulnerabilities and policy violations.

Security Governance: Improves governance by ensuring adherence to security best practices.

Impact:

Pros

Facilitates security audits with detailed insights into AWS resource usage and permissions.

Improves security monitoring and governance.

Reduces risk of unauthorized access and misconfigurations.

Enhances incident detection and response capabilities.

Cons

Requires proper configuration to prevent excessive permissions.

May require ongoing maintenance for policy updates.

Default Value:

AWS does not create a Security Audit role by default. This role must be created manually or deployed using automation tools.

Pre-Requisites:

IAM Permissions:

iam:CreateRole

iam:AttachRolePolicy

iam:UpdateAssumeRolePolicy

AWS CLI installed and configured.

Remediation:

Test Plan:

Using AWS Console:

Sign in to the AWS Management Console.

Navigate to the IAM Console → Roles.

Search for a role named SecurityAudit.

Verify that the role has the AWS SecurityAudit Managed Policy attached.

Check the role’s trust relationship to ensure it’s assigned to security personnel or services.

Using AWS CLI:

List all roles and search for SecurityAudit:

Verify the attached policy:

Confirm the trust relationship allows intended users or services to assume the role.

Implementation Steps:

Using AWS Console:

Sign in to the AWS Management Console.

Navigate to the IAM Console.

Click on Roles, then select Create Role.

Select AWS Service and choose Security Audit as the use case.

Attach the managed policy SecurityAudit.

Configure the trust relationship for required users or services.

Save and validate the configuration.

Using AWS CLI:

Create the Security Audit role:aws iam create-role --role-name SecurityAudit --assume-role-policy-document file://trust-policy.json

Attach the AWS-managed Security Audit policy:aws iam attach-role-policy --role-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit

Verify the role creation:aws iam get-role --role-name SecurityAudit

Backout Plan:

Using AWS Console:

Sign in to the AWS Management Console.

Navigate to IAM Console → Roles.

Search for the SecurityAudit role in the list of roles.

Select the role to open its details.

Detach any attached policies:

Go to the Permissions tab.

Click on the attached SecurityAudit policy and select Detach policy.

Delete the role:

Go to the Trust relationships tab.

Click Actions → Delete role.

Using AWS CLI:

Detach the attached policies:

Delete the role:

References:

AWS IAM Security Audit Role Documentation

CIS Critical Security Controls v8 IG1

CIS Controls:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure security roles provide visibility into resource configurations.

●

Create the Security Audit role:
aws iam create-role --role-name SecurityAudit --assume-role-policy-document file://trust-policy.json

Attach the AWS-managed Security Audit policy:
aws iam attach-role-policy --role-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit

Verify the role creation:
aws iam get-role --role-name SecurityAudit