
Rule: Do Not Set Up Access Keys During Initial User Setup

This rule prohibits setting up access keys during initial user setup for IAM users that have a console password.

Rule: Do not set up access keys during initial user setup for all IAM users that have a console password
Framework: cis_v140
Severity: Low

Rule: Do Not Set Up Access Keys During Initial User Setup for IAM Users with Console Password (CIS v1.4.0)

Brief Description

In line with the Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0, IAM users that have a console password should not have access keys set up during initial creation. This policy aims to reduce the risk of unauthorized access to AWS resources by ensuring that such users access the AWS Management Console with a password and Multi-Factor Authentication (MFA), rather than with long-lived access keys that could potentially be leaked or mishandled.

Troubleshooting Steps

If access keys were accidentally set up, follow these troubleshooting steps:

Identify Users with Both Console Access and Access Keys

  1. Log in to the AWS Management Console.
  2. Navigate to the IAM dashboard.
  3. In the IAM dashboard, search for users and filter by those with 'Console access'.
  4. From the list, identify users that also have an 'Access key ID' listed under the 'Security credentials' tab.

Deactivate or Delete the Unnecessary Access Keys

  1. For each identified user, click on the user name to go to their details page.
  2. Under the 'Security credentials' tab, find the 'Access keys' section.
  3. If deactivation is appropriate, click 'Make inactive' for the key listed.
  4. If deleting is preferred or recommended, click 'Delete' to remove the key entirely.

Step by Step Guide for Remediation

Deactivate Access Keys

To deactivate a user's access keys via the AWS CLI:

aws iam update-access-key --access-key-id [ACCESS_KEY_ID] --status Inactive --user-name [USER_NAME]

Replace [ACCESS_KEY_ID] with the actual access key ID you want to deactivate and [USER_NAME] with the IAM user's name.

Delete Access Keys

To delete a user's access keys via the AWS CLI:

aws iam delete-access-key --access-key-id [ACCESS_KEY_ID] --user-name [USER_NAME]

Again, replace [ACCESS_KEY_ID] with the access key ID that needs to be deleted and [USER_NAME] with the IAM user's name.
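The console walkthrough above (find users with both a console password and an access key) and the CLI remediation in this section can be driven from the IAM credential report, which is also the audit evidence CIS uses for this control: a key whose `access_key_N_last_rotated` timestamp matches `user_creation_time` was created together with the user. The script below is an added example, not Cloud Defense's own tooling or an AWS API; the report rows, account ID and access key IDs in it are constructed, and the column names are those of the real credential report CSV (`aws iam get-credential-report` returns it base64-encoded). It flags keys created at user setup, lists the looser "has both" set, and builds the `update-access-key` / `delete-access-key` commands from this section for the flagged users.

```python
"""Detect IAM users that received an access key at initial setup while also
having a console password, using the IAM credential report CSV.
Added example; the report below is constructed, not from a real account."""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed credential report.  Real reports carry more columns; only the
# ones this check needs are included.  Account 111122223333 is a placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-05T10:00:00+00:00,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-03-01T09:15:00+00:00,true,true,true,2024-03-01T09:15:02+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2024-03-02T11:00:00+00:00,true,false,true,2024-05-20T14:30:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-03-03T08:00:00+00:00,false,false,true,2024-03-03T08:00:01+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-03-04T12:00:00+00:00,true,true,false,N/A,true,2024-03-04T12:00:05+00:00
"""

ISO = "%Y-%m-%dT%H:%M:%S%z"  # credential-report timestamp format


def parse_report(csv_text: str) -> List[Dict[str, str]]:
    """Parse the decoded credential report CSV into one dict per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _ts(value: str):
    """Timestamp or None; the report uses N/A / no_information for 'never'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.strptime(value, ISO)


def keys_created_at_setup(rows, tolerance=timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Strict CIS-style check: users with a console password whose active key
    was created within `tolerance` of the user itself.  Returns {user: [slots]}."""
    findings: Dict[str, List[str]] = {}
    for row in rows:
        # Root reports 'not_supported'; key-only service users report 'false'.
        if row["password_enabled"] != "true":
            continue
        created = _ts(row["user_creation_time"])
        slots = []
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and abs(rotated - created) <= tolerance:
                slots.append(f"access_key_{n}")
        if slots:
            findings[row["user"]] = slots
    return findings


def users_with_password_and_keys(rows) -> List[str]:
    """Looser check matching the console walkthrough: any user with both a
    console password and an active access key, whenever the key was made."""
    return sorted(
        r["user"] for r in rows
        if r["password_enabled"] == "true"
        and (r["access_key_1_active"] == "true" or r["access_key_2_active"] == "true")
    )


def remediation_commands(user: str, key_ids: List[str], delete: bool = False) -> List[str]:
    """Build the CLI commands from the remediation section.  Key IDs are not in
    the credential report; fetch them with `aws iam list-access-keys --user-name USER`."""
    if delete:
        return [f"aws iam delete-access-key --access-key-id {k} --user-name {user}" for k in key_ids]
    return [f"aws iam update-access-key --access-key-id {k} --status Inactive --user-name {user}"
            for k in key_ids]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("keys created at setup:", keys_created_at_setup(rows))
    print("password + any key:   ", users_with_password_and_keys(rows))
    # Constructed placeholder key ID, not a real credential.
    for cmd in remediation_commands("alice", ["AKIAEXAMPLEPLACEHOLDER"]):
        print(cmd)
```

On the constructed report, the strict check flags only alice and carol (keys created seconds after the user), while bob, whose key was created months later, appears only in the looser list; ci-deploy has no console password and root is skipped. The five-minute tolerance absorbs the clock skew between the two timestamps in real reports.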

Enforce the Rule Moving Forward

To automate future compliance with this policy, create an IAM policy that explicitly denies the 'iam:CreateAccessKey' action unless the request was made from an MFA-authenticated session. IAM has no condition key that can tell whether a console password is being set alongside the key (CreateLoginProfile and CreateAccessKey are separate API calls), so the policy below keys on aws:MultiFactorAuthPresent instead; BoolIfExists treats requests that carry no MFA context at all as "false" and denies them too.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "iam:CreateAccessKey",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
        }
    ]
}

Attach this IAM policy to all IAM users to ensure compliance with the rule.

By adhering to these detailed steps and enforcing this policy, you can enhance the security posture of your AWS environment as recommended by the CIS benchmarks. Remember, maintaining your AWS environment's security is a continuous process, and proactive enforcement of such policies will significantly reduce the potential attack surface.
