Ensure Access Keys Rotation Rule
This rule ensures access keys are rotated every 90 days or less to enhance security measures.
| Rule | Ensure access keys are rotated every 90 days or less |
| Framework | cis_v140 |
| Severity | ✔ Low |
Ensure Access Keys Are Rotated Every 90 Days or Less for CIS_v1.4.0
Overview
The Center for Internet Security (CIS) Amazon Web Services (AWS) Foundations Benchmark v1.4.0 mandates that access keys be rotated every 90 days or less. This practice is a key security measure that helps to limit the window of opportunity for an access key that has been compromised without your knowledge to be exploited.
Why Rotate Access Keys
Rotating access keys minimizes the risk associated with key leaks or unauthorized use. If keys are not regularly rotated, they could be used by malicious actors to gain prolonged access to your AWS resources, potentially leading to data breaches, service disruptions, or financial loss.
Troubleshooting Steps
Checking Access Key Age
- 1.Navigate to the AWS Management Console.
- 2.Open the IAM (Identity and Access Management) dashboard.
- 3.Click on "Users."
- 4.Choose the user whose keys you want to evaluate.
- 5.Open the "Security credentials" tab.
- 6.Identify the 'Access keys' section and check the "Created date" for each key.
If the age of a key is 90 days or older, it should be considered for rotation immediately.
Rotating Access Keys
- 1.Create a new access key for the user:
aws iam create-access-key --user-name <your-username>
- 1.Update any applications or services that use the old access key with the new one.
- 2.Deactivate the old access key:
aws iam update-access-key --access-key-id <old-access-key-id> --status Inactive --user-name <your-username>
Wait and monitor to ensure that rotating the key does not affect any services. If no issues arise:
- 1.Delete the old access key:
aws iam delete-access-key --access-key-id <old-access-key-id> --user-name <your-username>
Remediation Steps
Via AWS Management Console
- 1.Log into the AWS Management Console.
- 2.Navigate to the IAM service.
- 3.Click on "Users" and select the appropriate user.
- 4.Go to the "Security Credentials" tab.
- 5.Under the "Access Keys" section, click "Create Access Key."
- 6.Replace the access key in all applications and services.
- 7.Deactivate the old access key by clicking "Make Inactive."
- 8.After ensuring no service interruptions, delete the old access key.
Via AWS CLI
- 1.List the access keys for an IAM user:
aws iam list-access-keys --user-name <your-username>
- 1.Rotate the keys using the steps provided in the troubleshooting steps' CLI commands.
Automation Using AWS CLI or SDKs
You can automate the monitoring and rotation process by scripting the necessary AWS CLI commands or using one of the AWS SDKs to develop a custom solution that alerts you when keys are due for rotation and potentially rotates the keys automatically.
Best Practices
- Always use IAM roles for EC2 instances rather than passing access keys.
- Regularly review and monitor IAM credentials reports for all users.
- Enable AWS CloudTrail to log API calls for auditing purposes.
- Use Multi-Factor Authentication (MFA) for additional security.
Conclusion
Rotating AWS access keys regularly is an important security measure and a requirement of the CIS AWS Foundations Benchmark v1.4.0. Adherence to this rule helps ensure that the potential window for key exploitation is minimal, thus maintaining your AWS environment's security integrity. By integrating key rotation into your regular security audit procedures and possibly automating the rotation process, your organization can support a strong security posture within your cloud environment.