
IAM User Access Key Rotation Rule

This rule states that IAM user access keys should be rotated every 90 days to enhance security.

Rule: IAM user access keys should be rotated at least every 90 days
Framework: FedRAMP Low Revision 4
Severity: Low

Rule Description:

The rule requires that IAM user access keys be rotated at least every 90 days to comply with the FedRAMP Low Revision 4 security requirements. Access keys are used by IAM users to authenticate and access AWS services. Rotating access keys regularly minimizes the risk of unauthorized access and potential security breaches.

Troubleshooting Steps:

If access keys are not rotated within the specified timeframe, the following troubleshooting steps can be followed:

  1. Identify IAM users: Determine which IAM users have access keys that need to be rotated.
  2. Review access key age: Check the creation date of each access key to identify those that have exceeded the 90-day rotation period.
  3. Notify affected users: Inform the relevant IAM users that their access keys need to be rotated.
  4. Disable old access keys: Once new access keys have been generated, disable the old keys to prevent their further use.
  5. Verify access key functionality: Confirm that the new access keys are functional and provide the necessary permissions to access the required resources.

Necessary Code:

The following is an example of code that can be used to rotate IAM user access keys:

# Getting a list of IAM users
aws iam list-users

# Rotating an IAM user's access key
aws iam create-access-key --user-name <IAM_USER_NAME>

# Make note of the new AccessKeyId and SecretAccessKey values

# Disabling an IAM user's old access key
aws iam update-access-key --access-key-id <OLD_ACCESS_KEY_ID> --status Inactive --user-name <IAM_USER_NAME>

Step-by-Step Guide for Remediation:

  1. Identify the IAM users: Use the AWS CLI command aws iam list-users to retrieve a list of IAM users within your AWS account.

  2. Determine access key age: Review the creation date of each access key for the IAM users identified in step 1. Calculate the duration since the access keys were last rotated.

  3. Rotate access keys: For each IAM user whose access keys have exceeded the 90-day rotation period, generate new access keys using the AWS CLI command aws iam create-access-key --user-name <IAM_USER_NAME>. Make note of the new AccessKeyId and SecretAccessKey values.

  4. Disable old access keys: To prevent the use of old access keys, disable them using the AWS CLI command aws iam update-access-key --access-key-id <OLD_ACCESS_KEY_ID> --status Inactive --user-name <IAM_USER_NAME>. Replace <OLD_ACCESS_KEY_ID> with the ID of the old access key and <IAM_USER_NAME> with the IAM user's name.

  5. Test new access keys: Ensure that the new access keys are properly configured and provide the necessary permissions by attempting to access the required AWS resources or services using the new access keys. If there are any issues, verify the IAM user's permissions and troubleshoot accordingly.

  6. Repeat steps 3-5 for any other IAM users identified in step 2.

By following these steps, you can ensure that IAM user access keys are rotated within the required timeframe, meeting the FedRAMP Low Revision 4 security requirement.
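The age check in step 2 and the command construction in steps 3 and 4, as an added example that is not part of this rule page or Cloud Defense's own tooling. It parses the JSON that aws iam list-access-keys prints (the sample below is constructed, as are the user name and key IDs) and flags Active keys older than 90 days, so it runs offline; in practice you would feed it the real CLI output.

```python
"""Flag IAM user access keys that exceed the 90-day rotation limit."""
import json
from datetime import datetime, timedelta

ROTATION_DAYS = 90

# Constructed sample in the shape of `aws iam list-access-keys` output
# (AccessKeyMetadata list). Not real AWS data.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
         "Status": "Active", "CreateDate": "2024-01-05T10:00:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
         "Status": "Active", "CreateDate": "2024-05-20T09:30:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003",
         "Status": "Inactive", "CreateDate": "2023-11-01T08:00:00+00:00"},
    ]
})

def parse_create_date(value):
    """The CLI prints ISO 8601; fromisoformat wants '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_access_keys(list_output, now, max_age_days=ROTATION_DAYS):
    """Return (AccessKeyId, age_in_days) for Active keys older than the limit."""
    limit = timedelta(days=max_age_days)
    stale = []
    for key in json.loads(list_output)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue  # already disabled, nothing left to rotate
        age = now - parse_create_date(key["CreateDate"])
        if age > limit:
            stale.append((key["AccessKeyId"], age.days))
    return stale

def remediation_commands(user_name, stale):
    """Build the create/disable commands from the page's steps 3 and 4."""
    cmds = [f"aws iam create-access-key --user-name {user_name}"]
    for key_id, _ in stale:
        cmds.append(f"aws iam update-access-key --access-key-id {key_id} "
                    f"--status Inactive --user-name {user_name}")
    return cmds

if __name__ == "__main__":
    now = parse_create_date("2024-06-01T00:00:00Z")  # fixed clock for the sample
    found = stale_access_keys(SAMPLE_LIST_ACCESS_KEYS, now)
    for key_id, days in found:
        print(f"{key_id}: {days} days old, exceeds {ROTATION_DAYS}-day limit")
    for cmd in remediation_commands("alice", found):
        print(cmd)
```

Only the key created in January is reported; the May key is within the window and the Inactive key is skipped because it is already disabled.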
