IAM User Access Keys Rotation Rule
This rule mandates rotating IAM user access keys every 90 days to enhance security measures.
| Rule | IAM user access keys should be rotated at least every 90 days |
| Framework | GxP 21 CFR Part 11 |
| Severity | ✔ Low |
IAM User Access Key Rotation Policy for GxP 21 CFR Part 11 Compliance
Rule Description
In order to comply with the GxP (Good Practices) regulations of 21 CFR Part 11, it is essential to regularly rotate the access keys of IAM (Identity and Access Management) users. This policy ensures that access keys are regularly updated, reducing the risk of unauthorized access to sensitive data and systems.
Troubleshooting Steps
In case of any issues or errors encountered during IAM user access key rotation, follow these troubleshooting steps:
- 1.Check the IAM user configuration and permissions.
- 2.Verify the IAM user's current access key status.
- 3.Ensure the correct AWS CLI (Command Line Interface) version is installed.
- 4.Verify the AWS CLI access and permissions of the user performing the access key rotation.
- 5.Review the IAM user access key rotation policy to ensure it complies with the GxP 21 CFR Part 11 requirements.
- 6.If the issue persists, consult the AWS documentation or contact AWS support for assistance.
Code Examples (if applicable)
There are multiple methods to rotate IAM user access keys using the AWS CLI or AWS Management Console. Here are a few examples:
CLI Command for Manual Access Key Rotation
To manually rotate an IAM user's access key using the AWS CLI, follow these steps:
- 1.Open the AWS CLI or a command line interface.
- 2.Run the following command to list all IAM users:
aws iam list-users - 3.Identify the target IAM user for access key rotation.
- 4.Run the following command to create a new access key for the specified IAM user:
aws iam create-access-key --user-name <IAM_USERNAME> - 5.Note down the newly generated access key ID and secret access key.
- 6.Run the following command to delete the previous access key for the specified IAM user using the access key ID obtained in step 5:
aws iam delete-access-key --access-key-id <ACCESS_KEY_ID> --user-name <IAM_USERNAME>
Automated Access Key Rotation using AWS Lambda
This example demonstrates using the AWS Lambda service to automatically rotate IAM user access keys.
- 1.Create an IAM role with appropriate permissions, allowing Lambda functions to manage IAM access keys.
- 2.Create a Lambda function using the AWS Management Console or the AWS CLI, specifying the IAM role created in step 1.
- 3.Configure the Lambda function to execute on a scheduled basis (e.g., once every 90 days) using scheduled events.
- 4.Implement the access key rotation logic using AWS SDKs or programming languages supported by Lambda functions.
- 5.Test the Lambda function's access key rotation functionality to ensure it's working as expected.
- 6.Monitor the Lambda execution logs and relevant metrics to track access key rotation activity.
Remediation Steps
To ensure compliance with the IAM user access key rotation policy for GxP 21 CFR Part 11, follow these step-by-step remediation instructions:
- 1.Identify the IAM users that require access key rotation based on the policy's timeframe (e.g., 90 days).
- 2.Decide whether to perform the access key rotation manually or automate it using AWS Lambda.
- 3.If manually rotating access keys, follow the provided CLI command example for access key rotation.
- 4.If opting for automated access key rotation, follow the provided AWS Lambda example and configure the Lambda function accordingly.
- 5.Regularly monitor the access key rotation process and verify that IAM users' access keys are being rotated within the specified timeframe.
- 6.Retain documentation and records of access key rotation activity for compliance audits.
By adhering to this policy, you can ensure proper access key management for IAM users in accordance with GxP 21 CFR Part 11 regulations.