AWS_IAM_53

Ensure second access key is rotated every 45 days or less

Description

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.

Remediation

From Portal:
1. Login to the AWS Management Console: https://console.aws.amazon.com/
2. Click Services
3. Click IAM
4. Click on Users
5. Select on the relevant user
6. Click on Security Credentials
7. Click ‘Make inactive’
8. Go to the inactive Accesskey and click on Delete.

From Command Line:

1. To inactive the old access key, run:

aws iam update-access-key –access-key-id ACCESS_KEY_ID –status Inactive –user-name USER_NAME

2. To delete the old access key, run:

aws iam delete-access-key –access-key ACCESS_KEY_ID –user-name USER_NAME

References:
1. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey_CLIAPI’
3. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Service

IAM

Severity

Low

Compliance

Mapping

We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!