
IAM User Access Key Rotation Rule

This rule states that IAM user access keys should be rotated at least every 90 days.

Rule: IAM user access keys should be rotated at least every 90 days
Framework: General Data Protection Regulation (GDPR)
Severity: Low

Rule Description

IAM user access keys should be rotated at least every 90 days. Access keys are long-term credentials attached to an IAM user that grant programmatic access to AWS services. Unlike the temporary credentials issued by STS, they never expire on their own, so a key that leaks from a laptop, a CI log or a committed config file stays usable until someone deactivates it. Rotating keys on a fixed schedule caps how long a leaked key remains valid and forces a periodic inventory of where each key is actually used.

The rule is mapped to GDPR because the regulation requires appropriate technical measures to protect personal data; the 90-day figure is this rule's threshold (and the default for the AWS Config access-keys-rotated check), not an interval the regulation itself prescribes.

Troubleshooting Steps

If an IAM user's access keys have not been rotated within the 90-day window, work through the following steps:

  1. Verify the rotation check: IAM has no setting that makes access keys expire, so rotation is enforced by detection plus remediation. Confirm that the check evaluating key age (for example the AWS Config managed rule access-keys-rotated) is enabled and configured with a 90-day threshold.
  2. Identify affected users: list every IAM user that has access keys and determine which active keys are older than 90 days. The IAM credential report records the last rotation date and last use of each key.
  3. Notify users: send the owners of the affected keys a reminder to rotate within the defined timeframe, including which key (by access key ID) is affected.
  4. Monitor compliance: regularly re-evaluate key age using AWS Config or a custom script over the credential report, so that users who have not rotated within 90 days are surfaced rather than discovered by accident.
  5. Deactivate stale keys: set any key past the 90-day window that its owner has not rotated to Inactive. Deactivation stops the key authenticating immediately but is reversible if the key turns out to be in use; deletion is not.
  6. Revoke unrecognised keys: delete any access key the account owner did not issue or cannot account for, so that only authorised keys remain active.
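The identification and monitoring steps above can be automated over the IAM credential report. The script below is an added example, not code from the original page: it parses the CSV that aws iam get-credential-report returns and lists every active key older than the threshold. The embedded report is constructed sample data with the real column layout but invented users and dates; fetch_credential_report() shows the real boto3 calls and is only used when run against a live account.

```python
"""Find IAM user access keys older than 90 days from an IAM credential report.

Added example for the troubleshooting steps; not the page's own code. The
report below is CONSTRUCTED sample data: real column layout, made-up users.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Fixed "now" so the sample evaluation is reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample report. "N/A" is what IAM emits for an empty key slot;
# "no_information" when it cannot tell when a key was last used.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2022-03-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-11-02T00:00:00+00:00,2024-05-30T07:12:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-15T12:00:00+00:00,true,2024-05-29T16:40:00+00:00,2024-04-01T12:00:00+00:00,N/A,true,true,2024-05-01T00:00:00+00:00,2024-05-28T11:00:00+00:00,eu-west-1,sts,true,2024-01-20T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,2021-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,false,2021-06-01T00:00:00+00:00,no_information,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _timestamp(value):
    """Credential-report cells are ISO-8601 or one of a few placeholder words."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_slot, age_days, last_used) for each ACTIVE key older than max_age_days.

    Inactive keys are skipped: they cannot authenticate, so they are a cleanup
    item rather than a rotation finding. Result is sorted oldest first.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _timestamp(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append((row["user"], slot, age_days,
                                 row[f"access_key_{slot}_last_used_date"]))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def fetch_credential_report():
    """Pull the live report with boto3 (needs iam:GenerateCredentialReport and iam:GetCredentialReport).

    Generation is asynchronous: IAM returns State STARTED/INPROGRESS until the
    report is ready, so poll before downloading. Not called at import time.
    """
    import time
    import boto3  # imported here so the parsing above runs without boto3 or AWS access

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for user, slot, age, last_used in stale_access_keys(SAMPLE_REPORT, SAMPLE_NOW):
        hint = "never used: delete" if last_used == "N/A" else "in use: rotate, then deactivate"
        print(f"{user} key {slot}: {age} days old, last used {last_used} -> {hint}")
```

Against the sample, ci-deployer's only key (212 days, in daily use) and alice's second key (133 days, never used) are flagged, while alice's month-old first key and svc-legacy's ancient but already inactive key are not. The never-used distinction matters for step 6: a key that has aged past the window without a single call is a candidate for deletion, not rotation.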

Necessary Code

IAM policy language has no condition key that exposes an access key's age, so an IAM policy cannot deny key creation or key use based on when a key was last rotated. The native control is detective instead: the AWS Config managed rule access-keys-rotated (source identifier ACCESS_KEYS_ROTATED) evaluates every IAM user's keys once a day and marks the user NON_COMPLIANT when any active key is older than maxAccessKeyAge days. Saved as access-keys-rotated.json, the rule is installed with aws configservice put-config-rule --config-rule file://access-keys-rotated.json (AWS Config must already be recording in the account):

{
    "ConfigRuleName": "access-keys-rotated",
    "Description": "Active IAM user access keys must be rotated within maxAccessKeyAge days",
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "ACCESS_KEYS_ROTATED"
    },
    "InputParameters": "{\"maxAccessKeyAge\":\"90\"}",
    "MaximumExecutionFrequency": "TwentyFour_Hours"
}

The rule only reports: it does not deactivate or delete a stale key, so every finding still has to be followed by the remediation steps below. maxAccessKeyAge is the rotation window in days; 90 is the value this rule checks and the rule's default.

Step-by-Step Guide for Remediation

Follow these steps to remediate an access key rotation violation. The order matters: the old key is deactivated only after the new key is in use, and deleted only after the deactivation has proved harmless.

  1. Identify the IAM user(s) whose active access keys are older than 90 days.
  2. Notify the user (or the owner of the service the key belongs to) of the rotation requirement and agree a time to rotate.
  3. Create the replacement key:
    • Open the AWS Management Console and navigate to the IAM service.
    • Select the IAM user that requires access key rotation.
    • Choose the "Security credentials" tab.
    • In the "Access keys" section, click "Create access key" to generate a new access key. IAM allows two access keys per user, so if the user already has two, one must be deleted before a new one can be created.
    • The new access key ID and secret access key are shown once. Store them securely (a secrets manager, not a chat message or a commit), because the secret cannot be retrieved again.
  4. Update every application, script, CI job and CLI profile that used the old key to use the new one, and confirm that a call made with the new key succeeds.
  5. Set the old key to Inactive in the same "Access keys" section. An inactive key stops authenticating immediately but can be made active again if a consumer was missed.
  6. After a soak period with no need to reactivate the old key, delete it.
  7. Monitor access key rotation compliance periodically to ensure future adherence to the 90-day rotation requirement.
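The same procedure, scripted so the ordering cannot be skipped, as an added example that is not part of the original page. rotate_access_key() uses only the boto3 IAM client methods list_access_keys, create_access_key, update_access_key and delete_access_key, so a real boto3.client("iam") can be passed in; FakeIAM is a constructed in-memory stand-in with the same method names and response shapes so the flow runs offline, and swap_credentials() is a placeholder for whatever your environment does to install and verify the new key.

```python
"""Rotate an IAM user's access key in the order that avoids an outage:
create the new key, cut consumers over, deactivate (not delete) the old key,
and delete it only after a soak period.

Added example for the remediation steps; not the page's own code. FakeIAM and
swap_credentials() are CONSTRUCTED stand-ins, not real AWS APIs.
"""
import itertools


class RotationError(RuntimeError):
    """Raised when rotation cannot proceed safely; the user's old key stays active."""


def rotate_access_key(iam, user_name, cutover):
    """Create a new key, hand it to cutover(), then set the previous key(s) Inactive.

    cutover(new_key) must install new_key["AccessKeyId"] / ["SecretAccessKey"]
    wherever the old key was used and return True only after a call made with
    the new key succeeded. Returns the new AccessKeyId. Nothing is deleted here.
    """
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= 2:
        # IAM allows at most two access keys per user, so a leftover key from a
        # previous rotation blocks this one; retire it first.
        raise RotationError(f"{user_name} already has 2 access keys; delete the unused one first")
    old_ids = [k["AccessKeyId"] for k in existing]

    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        if not cutover(new_key):
            raise RotationError("new key not confirmed working; old key left active")
    except Exception:
        # Roll back so a failed cut-over does not leave an extra live credential.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_key["AccessKeyId"])
        raise

    for key_id in old_ids:
        # Inactive is reversible: if a consumer was missed, re-activate instead of
        # scrambling to redistribute a key that no longer exists.
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return new_key["AccessKeyId"]


def retire_inactive_keys(iam, user_name):
    """Delete keys already marked Inactive. Run after the soak period. Returns deleted ids."""
    deleted = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Inactive":
            iam.delete_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"])
            deleted.append(key["AccessKeyId"])
    return deleted


def swap_credentials(new_key):
    """Placeholder cut-over (assumption): push the key to the secret store the
    workload reads, then verify it (for example with sts:GetCallerIdentity)."""
    return bool(new_key["AccessKeyId"] and new_key["SecretAccessKey"])


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client: same method names
    and response shapes for the calls used above. Not a real AWS API."""

    def __init__(self, keys_per_user):
        self._ids = itertools.count(1)
        self.keys = {u: [{"AccessKeyId": k, "Status": "Active"} for k in ks]
                     for u, ks in keys_per_user.items()}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys[UserName]]}

    def create_access_key(self, UserName):
        if len(self.keys[UserName]) >= 2:  # IAM's real per-user limit
            raise RotationError("LimitExceeded: cannot exceed quota for AccessKeysPerUser: 2")
        key = {"AccessKeyId": f"AKIAFAKE{next(self._ids):012d}", "Status": "Active"}
        self.keys[UserName].append(key)
        return {"AccessKey": dict(key, UserName=UserName, SecretAccessKey="constructed-secret")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName].remove(self._find(UserName, AccessKeyId))

    def _find(self, user, key_id):
        return next(k for k in self.keys[user] if k["AccessKeyId"] == key_id)


if __name__ == "__main__":
    iam = FakeIAM({"alice": ["AKIAOLD0000000000001"]})
    new_id = rotate_access_key(iam, "alice", swap_credentials)
    print("cut over to", new_id, "->", iam.keys["alice"])
    # After the soak period, once nothing has needed the old key re-activated:
    print("deleted", retire_inactive_keys(iam, "alice"))
```

Two failure modes the console steps do not spell out are handled here: a user who already holds two keys cannot receive a third, so the stale leftover from an earlier rotation has to be retired first; and a cut-over that cannot be confirmed rolls the new key back rather than leaving a second live credential nobody is using.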
