
Rule: Ensure Only One Active Access Key per IAM User

This rule ensures that each IAM user has only one active access key at a time.

Rule: Ensure there is only one active access key available for any single IAM user
Framework: cis_v150
Severity: High

Ensure There is Only One Active Access Key Available for Any Single IAM User (CIS v1.5.0)

Description of the Rule

In AWS Identity and Access Management (IAM), users can have access keys that enable them to make programmatic requests to AWS. These keys are used when interacting with AWS services through the API, CLI, or SDK tools. The Center for Internet Security (CIS) AWS Foundations Benchmark version 1.5.0 recommends that IAM users should have only one active access key at any given time. This reduces the risk of old or unrotated keys being used maliciously if they are forgotten or not deactivated.

Troubleshooting Steps

If an IAM user has more than one active access key, it could pose a security risk. To troubleshoot and resolve this, follow these steps:

  1. Identify users with more than one active access key.
  2. Determine the necessity of each key.
  3. Schedule key rotation if both keys are currently needed.
  4. Deactivate or delete the unnecessary or older keys.

Necessary CLI Commands

To enforce this rule, you can use the AWS Command Line Interface (CLI). Below is a step-by-step guide.

Step 1: List All IAM Users

aws iam list-users --output table

Step 2: Get a List of Access Keys for Each User

aws iam list-access-keys --user-name <UserName>

Replace <UserName> with the user name you want to check.

Step 3: Evaluate Access Key Metadata

For each user, check the CreateDate of each access key to determine which key to deactivate or delete.

Step 4: Deactivate an Access Key

aws iam update-access-key --access-key-id <AccessKeyId> --user-name <UserName> --status Inactive

Replace <AccessKeyId> with the key ID you wish to deactivate, and <UserName> with the appropriate user name.

Step 5: Delete an Access Key

To delete the access key entirely:

aws iam delete-access-key --access-key-id <AccessKeyId> --user-name <UserName>

Again, replace <AccessKeyId> with the key ID and <UserName> with the user's name.

Step by Step Guide for Remediation

  1. List All IAM Users and Keys: Use the CLI commands to generate a list of all IAM users and their access keys.
  2. Review Access Keys: Examine the list and look for users with more than one active access key.
  3. Consult With Key Owners: Contact the owners of these IAM accounts and verify whether both keys are required.
  4. Plan Key Rotation: If both keys are necessary, plan an immediate rotation and deactivation schedule.
  5. Deactivate or Delete Extra Keys: Use the CLI to deactivate or delete the unnecessary keys, following the principle of least privilege.

Please note that this rule does not address access key creation policies, which should be governed by an organization's internal security policies, including the process for key generation, distribution, rotation, and deactivation. It is also important to ensure that you have the necessary permissions to perform these actions and that you communicate any changes to the affected IAM user to avoid disrupting their workflow.
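The evaluation in Steps 2 to 4 above, automated as an added example (not Cloud Defense's or AWS's own code): it reads the AccessKeyMetadata that aws iam list-access-keys returns for each user, flags users with more than one key whose Status is Active, orders those keys by CreateDate, and renders the update-access-key command for every key but the newest so a reviewer can confirm with the key owner before anything is deactivated. The user names and AccessKeyIds below are constructed placeholders.

```python
"""Check IAM users against the CIS 1.5.0 one-active-access-key rule."""
from datetime import datetime, timezone

# Constructed sample: the shape of `aws iam list-access-keys --user-name <UserName>`
# output, keyed by user. Key IDs are placeholders, not real credentials.
SAMPLE_LIST_ACCESS_KEYS = {
    "alice": {"AccessKeyMetadata": [
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
         "CreateDate": "2023-01-10T09:00:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active",
         "CreateDate": "2023-06-01T09:00:00+00:00"},
    ]},
    "bob": {"AccessKeyMetadata": [  # one Active and one Inactive key: compliant
        {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Active",
         "CreateDate": "2022-11-05T12:00:00+00:00"},
        {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE00000004", "Status": "Inactive",
         "CreateDate": "2021-03-15T12:00:00+00:00"},
    ]},
    "carol": {"AccessKeyMetadata": []},  # no keys at all: compliant
}

def parse_create_date(value):
    """The CLI prints ISO-8601 strings; boto3 hands back datetimes. Accept both."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate_user(list_access_keys_output):
    """Return one user's Active keys sorted oldest first by CreateDate (Step 3).
    More than one entry means the user violates the rule."""
    keys = list_access_keys_output.get("AccessKeyMetadata", [])
    active = [k for k in keys if k["Status"] == "Active"]
    return sorted(active, key=lambda k: parse_create_date(k["CreateDate"]))

def find_violations(per_user_output):
    """Map each non-compliant user name to its Active keys, oldest first."""
    return {user: active for user, output in per_user_output.items()
            if len(active := evaluate_user(output)) > 1}

def remediation_commands(violations):
    """Render the Step 4 deactivation command for every Active key except the
    newest one; the owner still confirms which key is in use before it is run."""
    return [f"aws iam update-access-key --access-key-id {k['AccessKeyId']} "
            f"--user-name {user} --status Inactive"
            for user, keys in violations.items() for k in keys[:-1]]

if __name__ == "__main__":
    found = find_violations(SAMPLE_LIST_ACCESS_KEYS)
    for user, keys in found.items():
        print(user, [k["AccessKeyId"] for k in keys])
    print("\n".join(remediation_commands(found)))
```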
