Do Not Setup Access Keys Rule
This rule prevents setting up access keys during initial user setup for IAM users with console password.
| Rule | Do not setup access keys during initial user setup for all IAM users that have a console password |
| Framework | cis_v130 |
| Severity | ✔ High |
Rule: Do Not Setup Access Keys During Initial User Setup for All IAM Users That Have a Console Password (CIS v1.3.0)
Description
This rule stipulates that when creating a new IAM (Identity and Access Management) user in AWS, access keys should not be generated if the user is assigned a console password. The intent is to enforce the principle of least privilege and ensure that users employ the most secure authentication method appropriate for their type of access. Access keys provide programmatic access to AWS services and can be potentially more vulnerable if not managed correctly. Console passwords, on the other hand, are intended for use with the AWS Management Console.
When adhering to the Center for Internet Security (CIS) AWS Foundations Benchmark version 1.3.0, this rule helps to minimize the risk of unauthorized access by reducing the number of active credentials that could potentially be compromised.
Troubleshooting Steps
If you find that IAM users have both access keys and console passwords, follow these steps:
- 1.
Identify Compromised Accounts:
- Check for any unauthorized activity that may have occurred using the access keys.
- 2.
Revoke Unnecessary Credentials:
- Log into the AWS Management Console.
- Navigate to the IAM dashboard.
- Select "Users" from the navigation pane.
- Choose the user with both types of credentials.
- Click on the "Security credentials" tab.
- Under the Access keys section, make a note of the access key IDs, then delete them.
- Inform the user about the removal of access keys and advise on using the console login.
- 3.
Review IAM Policies:
- Ensure that IAM policies applied to users do not allow them to create access keys if they are intended to log in via the console only.
Necessary Codes
To enforce this rule programmatically, you can use AWS CLI commands or scripts. Below are some examples:
Bash Script for Automated Checking
#!/bin/bash # Retrieves a list of all IAM users with a console password and checks for access keys users_with_console_password=$(aws iam list-users --query 'Users[?PasswordLastUsed!=null].UserName' --output text) for user in $users_with_console_password; do # Find if the user has access keys access_keys=$(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[*].AccessKeyId' --output text) if [ -n "$access_keys" ]; then echo "User $user has access keys: $access_keys" # Any desired action can be added here, like disabling or deleting the access keys fi done
AWS CLI Command to Delete Access Keys
# Replace <UserName> with the actual IAM user name and <AccessKeyID> with the key you want to delete aws iam delete-access-key --user-name <UserName> --access-key-id <AccessKeyID>
Step by Step Guide for Remediation
- 1.
List IAM Users with a Console Password:
aws iam list-users --query 'Users[?PasswordLastUsed!=null].[UserName]' --output table - 2.
Check for Access Keys: For each user listed, run the following command to list their access keys:
aws iam list-access-keys --user-name <UserName> - 3.
Delete Unnecessary Access Keys: If a user should not have access keys, delete them with the following command:
aws iam delete-access-key --user-name <UserName> --access-key-id <AccessKeyID>
By implementing these steps, you can help ensure your AWS environment complies with the CIS AWS Foundations Benchmark and follows security best practices. Make sure to maintain an audit log of your actions for accountability and potential troubleshooting in the future.