Are there more than 3 admins on the account?
It is hard to manage security goals when there are too many admins, as the chance of mistakes increases. It is recommended to have a maximum of 3 admins on your account.
Do you use IAM groups to grant and manage permissions?
Granting permissions to IAM users through IAM groups makes access control easier to manage.
Are there any EC2 instances without IAM Instance Profile?
Use IAM instance profile roles to grant EC2 instances access to other AWS resources. It is recommended to assign an IAM instance profile to EC2 instances instead of hard-coding IAM credentials.
Are there cross account roles without ExternalId?
It is recommended to use an ExternalId on roles that grant access to third-party accounts. Read more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
Are there any root user access keys active?
Root user access keys cannot be restricted, so they should not be used; the damage would be detrimental if they were leaked. It is recommended to delete root user access keys and never use them.
Is MFA enabled for all the users who have console access?
All users with console access, especially the root user, should always use MFA when they log in via the AWS console, as such access cannot be restricted and the damage caused by a leak would be detrimental.
Do you rotate user access keys periodically so that none are older than 90 days?
Are there any unused user access keys?
Are there any keys that are not used by any service?
Unused keys are a security risk and should be deleted.
Do you have a documented password policy?
It is important to have a secure password policy, as leaked or weak passwords can give attackers direct access.
Password length should be at least 8 characters.
Strong passwords require symbols.
Strong passwords require numbers.
Strong passwords require upper case letters.
Strong passwords require lower case letters.
Do passwords expire after a set duration of no more than 90 days?
A new password should not be the same as any of the last 3 passwords used.
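As an added example (not part of the original checklist), the following Python evaluates the root-key, console-MFA, key-age and unused-key questions above against an IAM credential report; the report sample is constructed, uses only a subset of the real report's columns (DictReader keys by column name, so extra columns in a real report do not matter), and the account id and the 90-day threshold are placeholders and assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample using a subset of the IAM credential report's columns;
# the account id, user names and timestamps are made up for illustration.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2021-03-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-06-01T00:00:00+00:00,true,2024-05-20T09:00:00+00:00,2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-20T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-01T00:00:00+00:00,true,2024-05-19T09:00:00+00:00,2023-01-01T00:00:00+00:00,2023-04-01T00:00:00+00:00,false,true,2023-01-01T00:00:00+00:00,N/A,true,2024-05-01T00:00:00+00:00,2024-05-10T00:00:00+00:00
deploy,arn:aws:iam::123456789012:user/deploy,2021-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,false,N/A,N/A
"""

def parse_ts(value):
    """Return an aware datetime, or None for N/A, no_information or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Flag root keys, console users without MFA, stale keys and never-used keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root reports password_enabled as not_supported, so include it explicitly.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive or absent keys are not a live credential
            if user == "<root_account>":
                findings.append((user, f"root access key {n} is active"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
            if parse_ts(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} active but never used"))
    return findings

if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT, parse_ts("2024-05-22T00:00:00+00:00")):
        print(f"{user}: {issue}")
```

Against a real account, feed the CSV returned by `aws iam get-credential-report` into `audit_credential_report` with the current time.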