Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | While IAM does not manage API keys in the same way some other platforms do, it provides the foundation for secure access: it can generate and control access keys, which should be rotated regularly. Using these keys directly is discouraged; IAM roles are the better approach. | API keys are less secure than other forms of access; best practice is to use IAM roles. |
| Authentication & Authorization | IAM Integration | True | IAM is AWS's identity and access management service, providing granular access control via roles, policies, and permissions. This is its core functionality. | |
| Authentication & Authorization | MFA | True | AWS IAM supports multi-factor authentication (MFA) for users and administrators via various methods, including virtual MFA devices and hardware tokens. MFA is highly recommended and often required for enhanced security. | |
| Authentication & Authorization | Service Account Support | True | AWS IAM supports the use of IAM roles for service accounts, enabling programmatic access with granular permission controls. This allows for least privilege access models for applications and services. | |
| Authentication & Authorization | Standard Protocols | True | AWS IAM supports various standard protocols, including HTTPS for API interactions. While IAM itself does not use OAuth 2.0/OpenID Connect for user authentication, it integrates with services that use those protocols. | |
| Compliance & Certifications | Compliance Documentation | True | AWS provides extensive compliance documentation and reports, including details related to IAM. | |
| Compliance & Certifications | Industry Certifications | True | AWS IAM is part of the larger AWS ecosystem, which holds numerous industry certifications (e.g., ISO 27001 and SOC 2). The specifics should be checked in AWS's compliance documentation. | Specific certifications vary; refer to AWS compliance documentation. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking and redaction are not features of IAM itself. These functionalities are handled by other AWS services integrated with the applications that use IAM. | IAM does not provide data masking or redaction; this must be done at the application level. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | IAM does not directly integrate with DLP services. Data loss prevention needs to be implemented at the application layer using other AWS services. | IAM doesn't have built-in DLP features; requires integration with other services. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | AWS IAM, in conjunction with other AWS services such as VPC and S3, enables control over data transfer between regions. IAM policies control user access to resources and thereby regulate cross-region data access. Careful management of the AWS account structure and the use of services such as AWS Organizations help enforce data residency rules. | Requires careful configuration of IAM policies and AWS resource boundaries. |
| Data Residency & Sovereignty | Data Location Transparency | True | AWS provides detailed documentation on data center locations and regions. While IAM data is not explicitly pinpointed to a single location within a region, it follows the standard AWS regional structure. | |
| Data Residency & Sovereignty | Region Selection | True | AWS IAM is a global service, but resources created using IAM are tied to specific AWS regions. Users can select regions to meet data residency requirements by creating their users and other IAM resources in the desired region. Data related to IAM is replicated across multiple AWS regions for high availability and resilience. | |
| Encryption | Encryption at Rest | True | AWS IAM data is encrypted at rest using AWS-managed keys. While AWS does not offer direct customer-managed key (CMEK) integration within IAM itself, customers can use KMS to manage keys for services that interact with IAM data. The concept of customer-supplied keys (CSEK) is not directly applicable to AWS IAM in the way it is for storage services. | Customer-supplied key management requires additional configuration and services. |
| Encryption | Encryption in Transit | True | AWS IAM uses HTTPS (TLS/SSL) for all communication between clients and the IAM service. The specific TLS versions and cipher suites are managed by AWS and generally adhere to industry best practices. While these settings are not configurable by the end user at the level of detail the criterion asks for, AWS updates them regularly to maintain security. | |
| Logging & Monitoring | Access Logging | True | CloudTrail logs provide detailed information about access attempts to IAM resources, including successful and failed requests. This information can be used for security monitoring and analysis. | Requires configuration of CloudTrail. |
| Logging & Monitoring | Audit Logging | True | AWS CloudTrail provides audit logs for API calls made to IAM and other AWS services. This offers a comprehensive audit trail of IAM activities. | |
| Logging & Monitoring | Log Retention | True | CloudTrail log retention policies can be configured to specify how long logs are stored. Users have control over the duration of log retention. | Requires configuration of CloudTrail. |
| Logging & Monitoring | Monitoring & Alerting | True | AWS CloudWatch can be used to monitor IAM activity and create alerts based on specific criteria. Metrics on usage and potential security issues are provided. | Requires configuration of CloudWatch. |
| Network Security | API Gateway Integration | True | IAM can be used for authentication and authorization of requests through AWS API Gateway. API Gateway can then be used to implement additional security measures. | Requires configuring API Gateway; IAM does not natively integrate directly. |
| Network Security | DDoS Protection | True | AWS IAM benefits from AWS's overall DDoS protection infrastructure, which is not directly configurable but is in place implicitly. Because IAM is a global service, AWS protects the service itself from DDoS attacks. | DDoS protection is handled by AWS infrastructure and services. |
| Network Security | Firewall Rules | True | IAM's security relies heavily on network security controls implemented at the VPC level through security groups and network ACLs. These rules control access to the resources that use IAM for authentication. | Firewall rules are managed at the network level (e.g., VPC security groups, NACLs), not directly within IAM. |
| Network Security | Private Access | True | IAM integrates with AWS VPC allowing for private connectivity to IAM resources. The IAM API can be accessed through a private network. | Requires configuration of VPC and related services. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | AWS IAM is developed following industry best practices for secure API design. Although the internal details are not shared publicly, AWS's commitment to security suggests it adheres to secure design principles. | AWS does not publicly share detailed design specifics. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | AWS employs secure coding practices and conducts security testing during its development lifecycle. While specifics are not publicly available, AWS's reputation for secure services strongly suggests a robust SDL process. | Details of the internal SDL process are not publicly disclosed. |
| Vulnerability Management & Patching | Security Updates | True | AWS IAM benefits from AWS's overall commitment to security updates and patching. AWS regularly updates its infrastructure and services to address vulnerabilities. | Updates are managed by AWS, not directly configurable by the end user. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | AWS performs regular security assessments and penetration testing of its services, including IAM. The specifics of these scans are not publicly available but are part of AWS's overall security posture. | AWS performs internal vulnerability scans; direct customer access to scan results is limited. |