🟠 CIS AWS 1.20 | Rule: CIS-AWS-1-20 | Severity: low

AWS Support role created

Description

Dedicated IAM role for AWS Support access exists with AWSSupportAccess managed policy.

⚠️ Risk Impact

Without a Support role, engineers may use admin credentials to engage AWS Support — exceeding minimum-necessary access.

🔍 How EchelonGraph Detects This

CIS-AWS-1-20 | Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as low-severity findings with remediation guidance.

🔧 Remediation

Create a dedicated IAM role with the AWSSupportAccess managed policy attached, and allow only the support engineers who need it to assume that role.

💀 Real-World Attack Scenario

Engineers used admin credentials to engage AWS Support for routine issues. Compromise of any of those credentials granted admin access where Support-only would have sufficed.

💰 Cost of Non-Compliance

Low-frequency control; supports least-privilege.

📋 Audit Questions

  1. Does a dedicated AWS Support role exist?
  2. Who has access to it?
  3. Are admin credentials used for Support cases?

⚡ Common Pitfalls

  • Admin used for Support cases (over-privilege)
  • Support role granted broadly (under-restriction)
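The audit questions and pitfalls above can be checked mechanically. The following is an added example, not part of the original page or of EchelonGraph's scanner: it evaluates the output shapes of two AWS CLI calls (`aws iam list-entities-for-policy` and `aws iam get-role`) to confirm that AWSSupportAccess is attached to a role and that the role's trust policy is not open to any principal; the role name, account ID and policy documents in the sample data are constructed.

```python
"""Audit logic for CIS AWS 1.20: does a dedicated Support role exist,
and is it restricted? Input shapes mirror two AWS CLI calls (the sample
data below is constructed, not taken from a real account):
  aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess
  aws iam get-role --role-name <RoleName>   # yields AssumeRolePolicyDocument
"""

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"


def _trusts_any_principal(statement):
    """True if an Allow statement lets any AWS principal assume the role."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def evaluate_support_role(entities, trust_policies):
    """Return (status, reasons) for the control.

    entities: dict shaped like list-entities-for-policy output for AWSSupportAccess
    trust_policies: RoleName -> AssumeRolePolicyDocument dict
    """
    reasons = []
    role_names = [r["RoleName"] for r in entities.get("PolicyRoles", [])]
    if not role_names:  # audit question 1: no Support role at all
        return "FAIL", ["AWSSupportAccess is not attached to any IAM role"]
    for name in role_names:  # pitfall: Support role granted broadly
        for stmt in trust_policies.get(name, {}).get("Statement", []):
            if stmt.get("Effect") == "Allow" and _trusts_any_principal(stmt):
                reasons.append(f"{name}: trust policy allows any principal")
    return ("WARN" if reasons else "PASS"), reasons


# Constructed sample: one Support role, trusted only by a single account root
SAMPLE_ENTITIES = {"PolicyGroups": [], "PolicyUsers": [],
                   "PolicyRoles": [{"RoleName": "SupportRole", "RoleId": "AROAEXAMPLEID"}]}
SAMPLE_TRUST = {"SupportRole": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}}

if __name__ == "__main__":
    print(evaluate_support_role(SAMPLE_ENTITIES, SAMPLE_TRUST))  # ('PASS', [])
```

A WARN result points at the second pitfall (a Support role that any principal can assume), while FAIL means the control itself is not met.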

📈 Business Value

A dedicated Support role demonstrates least-privilege maturity and reduces credential exposure.

⏱️ Effort Estimate

Manual: 10 minutes setup

With EchelonGraph: EchelonGraph audits role existence

🔗 Cross-Framework References

NIST-AC-6

Automate CIS AWS 1.20 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
