Rule: Ensure Access Keys Rotation Every 90 Days

This rule requires access keys to be rotated at least every 90 days.

Rule: Ensure access keys are rotated every 90 days or less
Framework: cis_v150
Severity: Low

Rule Description

This rule, from the cis_v150 framework, specifies that access keys for users in your environment should be rotated every 90 days or less. Rotating access keys regularly enhances the security of your resources by reducing the potential impact of compromised credentials. This helps protect against unauthorized access and data breaches.

Troubleshooting Steps

If you encounter any issues while implementing this rule, follow these troubleshooting steps:

  1. Check if the IAM user or role has permission to rotate access keys.
  2. Verify that the IAM user or role is using the correct API or CLI commands to rotate access keys.
  3. Confirm that the IAM policies associated with the user or role allow the necessary actions for key rotation.
  4. Ensure that the access key being used is not currently in use by any active services or applications.
  5. Double-check if the user or role has reached the maximum number of access keys allowed. If so, delete unused keys before rotating.

Necessary Codes

No specific code is required for this rule. However, you can use AWS CLI commands to rotate access keys. The following section provides step-by-step instructions for rotating access keys with the AWS CLI.

Step-by-Step Guide for Remediation

To remediate this rule and rotate access keys using the AWS CLI, follow the steps below:

  1. Open your preferred command-line interface, such as Terminal or Command Prompt.
  2. Install the AWS CLI if you haven't already by following the instructions provided by AWS (https://aws.amazon.com/cli/).
  3. Configure the AWS CLI by running the following command and providing your access key ID and secret access key:

        aws configure

  4. Ensure that you have the necessary IAM permissions to modify IAM users or roles.
  5. List the IAM users in your account by executing the following command:

        aws iam list-users

  6. Identify the user for which you want to rotate access keys and note down the User ID or User Name.
  7. Rotate the access keys for the identified user by running the following command:

        aws iam create-access-key --user-name <User Name or User ID>

  8. Make a note of the newly generated AccessKeyId and SecretAccessKey displayed as output.

Important Note: Remember to store the newly generated access key securely. It is crucial to update any applications or services that are using the old access key with the new one.

  9. Disable or delete the old access key associated with the user by running the following command:

        aws iam update-access-key --access-key-id <Old Access Key ID> --status Inactive --user-name <User Name or User ID>

  10. Verify that the access keys were successfully rotated by listing the user's access keys using the following command:

        aws iam list-access-keys --user-name <User Name or User ID>

  11. Repeat these steps for each user or role that requires access key rotation.

By following these steps, you will ensure that access keys are regularly rotated every 90 days or less for the specified users or roles in your AWS environment.
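
The verification step above can be checked mechanically. The following is an added example, not part of the original page: it reads the JSON that `aws iam list-access-keys` prints and reports active keys older than 90 days, plus whether the old key has actually been set to Inactive. The user name, key IDs, dates and function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # rotation window required by the rule

# Constructed sample: JSON in the shape `aws iam list-access-keys` prints,
# taken right after create-access-key and before the old key is disabled.
# User name and key IDs are made up.
MID_ROTATION = """
{"AccessKeyMetadata": [
  {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
   "Status": "Active", "CreateDate": "2023-01-10T09:00:00+00:00"},
  {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLENEWKEY002",
   "Status": "Active", "CreateDate": "2023-06-01T09:00:00+00:00"}
]}
"""


def parse_create_date(value: str) -> datetime:
    """Parse CreateDate; accept a trailing 'Z' and treat naive values as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def overdue_keys(list_output: str, now: datetime) -> list:
    """Return active keys older than MAX_AGE as (user, key id, age in days)."""
    overdue = []
    for key in json.loads(list_output)["AccessKeyMetadata"]:
        age = now - parse_create_date(key["CreateDate"])
        # Inactive keys cannot sign requests, so only active ones count.
        if key["Status"] == "Active" and age > MAX_AGE:
            overdue.append((key["UserName"], key["AccessKeyId"], age.days))
    return overdue


def rotation_complete(list_output: str, now: datetime) -> bool:
    """True when no active key is overdue and at most one key is active."""
    keys = json.loads(list_output)["AccessKeyMetadata"]
    active = [k for k in keys if k["Status"] == "Active"]
    return not overdue_keys(list_output, now) and len(active) <= 1


if __name__ == "__main__":
    now = datetime(2023, 6, 15, 9, 0, tzinfo=timezone.utc)  # fixed for the sample
    for user, key_id, days in overdue_keys(MID_ROTATION, now):
        print(f"{user}: {key_id} is active and {days} days old")
    print("rotation complete:", rotation_complete(MID_ROTATION, now))
```

On the sample, the old key is still reported because creating a new key does not retire the previous one; the finding clears only after the `update-access-key --status Inactive` step.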
