What could be the reason for the noncompliant status?
The IAM credential report was generated within the past 4 hours.
The security engineer does not have the GenerateCredentialReport permission.
The security engineer does not have the GetCredentialReport permission.
The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
Explanations:
The IAM credential report is refreshed at most once every 4 hours. If a report was generated within that window, AWS Config rules that use it for compliance evaluation may reflect outdated results.
Lacking the GenerateCredentialReport permission would prevent report creation but would not cause noncompliance if a report was successfully generated by someone else.
The GetCredentialReport permission controls access to the report but does not affect the compliance status of the rules based on IAM user activity.
A MaximumExecutionFrequency of 24 hours only affects how often the rules are evaluated; it does not directly cause a noncompliant status for all resources.