CloudSecurityAlliance / continuous-audit-metrics

Continuous Audit Metrics

IAM specific configurations and adherence #30

Open ganesh29072 opened 2 years ago

ganesh29072 commented 2 years ago

Metrics proposal from Sriganesh Chandrasekaran:

Just a suggestion: There should be specific adherence-related metrics around the number of configurations (/ misconfigurations) tracing back to the IAM access policy setup for the cloud assets in each of the prod and non-prod regions. The configuration setup should fully cover the overarching policies that are set up at resource level in the cloud.

I can go through the metrics and see if there is any additional feedback that I can give around the above.

pritikin commented 2 years ago

This sounds like a proposed CCC-07 metric ("Implement detection measures with proactive notification in case of changes deviating from the established baseline").

CCC-07-M1 measures "the percent of positive test results from all configuration tests performed". This would be a subset of CCC-07-M1 focusing only on tests that access policy is met? e.g.

CCC-07-M2 measures "the percent of positive test results from [IAM access policy] configuration tests performed"?

I agree with the statement that configuration tests "should fully cover the overarching policies". This feels like a unique and distinct metric suggestion. e.g.

CCC-07-M3 measures "the percent of normative statements in [IAM access policy] that have an associated configuration test"?

(We could do one per domain or one for all policies)
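As an added worked example (not code from the continuous-audit-metrics project or from either commenter), the following Python sketch shows how the two metrics proposed above could be computed from a small constructed dataset. It assumes a simple data model: normative policy statements tagged with a domain (e.g. IAM), configuration tests that declare which statements they evidence, and per-region results tagged prod or non-prod. The metric names `CCC-07-M2` and `CCC-07-M3` are used as proposed in the thread and are not established identifiers; all statements, tests and results below are constructed.

```python
"""Added example: computing proposed CCC-07-M2 (IAM test pass rate) and
CCC-07-M3 (IAM policy coverage by configuration tests) over constructed data."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class NormativeStatement:
    id: str
    domain: str          # policy domain, e.g. "IAM" or "Logging"
    text: str


@dataclass(frozen=True)
class ConfigTest:
    id: str
    domain: str
    statement_ids: tuple  # normative statements this test provides evidence for


@dataclass(frozen=True)
class TestResult:
    test_id: str
    environment: str     # "prod" or "non-prod"
    region: str
    passed: bool


# Constructed sample policy: four IAM statements, one logging statement.
STATEMENTS = [
    NormativeStatement("IAM-01", "IAM", "Privileged accounts must enforce MFA"),
    NormativeStatement("IAM-02", "IAM", "Policies must not grant wildcard actions on all resources"),
    NormativeStatement("IAM-03", "IAM", "Long-lived access keys must be rotated within 90 days"),
    NormativeStatement("IAM-04", "IAM", "Cross-account role trust must be limited to approved accounts"),
    NormativeStatement("LOG-01", "Logging", "Audit logging must be enabled in every region"),
]

# Constructed tests: note that IAM-04 has no test at all (a coverage gap for M3).
TESTS = [
    ConfigTest("T-MFA", "IAM", ("IAM-01",)),
    ConfigTest("T-WILDCARD", "IAM", ("IAM-02",)),
    ConfigTest("T-KEYAGE", "IAM", ("IAM-03",)),
    ConfigTest("T-AUDITLOG", "Logging", ("LOG-01",)),
]

# Constructed results across two prod regions and one non-prod region.
RESULTS = [
    TestResult("T-MFA", "prod", "us-east-1", True),
    TestResult("T-MFA", "prod", "eu-west-1", True),
    TestResult("T-MFA", "non-prod", "us-east-1", False),
    TestResult("T-WILDCARD", "prod", "us-east-1", True),
    TestResult("T-WILDCARD", "prod", "eu-west-1", False),
    TestResult("T-WILDCARD", "non-prod", "us-east-1", False),
    TestResult("T-KEYAGE", "prod", "us-east-1", True),
    TestResult("T-KEYAGE", "prod", "eu-west-1", True),
    TestResult("T-KEYAGE", "non-prod", "us-east-1", True),
    TestResult("T-AUDITLOG", "prod", "us-east-1", True),
    TestResult("T-AUDITLOG", "prod", "eu-west-1", True),
    TestResult("T-AUDITLOG", "non-prod", "us-east-1", True),
]


def _pct(numerator: int, denominator: int) -> float:
    """Percentage, defined as 0.0 when there is nothing to measure."""
    return 100.0 * numerator / denominator if denominator else 0.0


def pass_rate(results: Iterable[TestResult], tests: Iterable[ConfigTest],
              domain: Optional[str] = None, environment: Optional[str] = None) -> float:
    """Percent of positive results among tests in the given domain/environment."""
    by_id = {t.id: t for t in tests}
    selected = [r for r in results
                if (domain is None or by_id[r.test_id].domain == domain)
                and (environment is None or r.environment == environment)]
    return _pct(sum(1 for r in selected if r.passed), len(selected))


def untested_statements(statements: Iterable[NormativeStatement],
                        tests: Iterable[ConfigTest], domain: Optional[str] = None) -> List[str]:
    """IDs of normative statements (in the domain) that no configuration test evidences."""
    covered = {sid for t in tests for sid in t.statement_ids}
    return [s.id for s in statements
            if (domain is None or s.domain == domain) and s.id not in covered]


def coverage(statements: Iterable[NormativeStatement], tests: Iterable[ConfigTest],
             domain: Optional[str] = None) -> float:
    """Percent of normative statements (in the domain) with at least one test."""
    statements = list(statements)
    scope = [s for s in statements if domain is None or s.domain == domain]
    missing = untested_statements(scope, tests, domain)
    return _pct(len(scope) - len(missing), len(scope))


def ccc07_m1() -> float:                       # all configuration tests
    return pass_rate(RESULTS, TESTS)


def ccc07_m2(environment: Optional[str] = None) -> float:   # IAM tests only
    return pass_rate(RESULTS, TESTS, domain="IAM", environment=environment)


def ccc07_m3(domain: Optional[str] = "IAM") -> float:       # policy coverage
    return coverage(STATEMENTS, TESTS, domain)


if __name__ == "__main__":
    print(f"CCC-07-M1 (all tests):        {ccc07_m1():.1f}%")
    print(f"CCC-07-M2 (IAM, all envs):    {ccc07_m2():.1f}%")
    print(f"CCC-07-M2 (IAM, prod):        {ccc07_m2('prod'):.1f}%")
    print(f"CCC-07-M2 (IAM, non-prod):    {ccc07_m2('non-prod'):.1f}%")
    print(f"CCC-07-M3 (IAM coverage):     {ccc07_m3():.1f}%")
    print("IAM statements without a test:", untested_statements(STATEMENTS, TESTS, "IAM"))
```

Splitting M2 by environment makes the prod/non-prod distinction from the first comment visible (in the constructed data non-prod scores far lower), and listing the untested statements turns M3 from a single percentage into an actionable gap list for the policy owner.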