Rule: IAM User Access Keys Rotation Every 90 Days

Rule Description:

Troubleshooting Steps:

2. 1.
   Identify IAM users who have active access keys.
4. 2.
   Check the creation date of each access key.
6. 3.
   Determine if any access keys have not been rotated within the last 90 days.
8. 4.
   Notify users whose access keys are due for rotation.

Necessary Codes:

Remediation Steps:

2. 1.

   Identify IAM users with access keys older than 90 days.

   • Run the following AWS CLI command to list IAM users with their access key ages:

     aws iam list-users --query 'Users[].{UserName:UserName}' --output table
     
4. 2.

   Notify users whose access keys need rotation.

   • Send an email or notification to affected users with instructions to rotate their access keys.
6. 3.

   Rotate access keys for each user.

   • Each user must perform the following steps to rotate their access keys:

     • Sign in to the AWS Management Console with their IAM user credentials.
     • Open the IAM console.
     • Click on "Users" in the left navigation pane.
     • Select the user whose access key needs rotation.
     • Go to the "Security credentials" tab.
     • Expand the "Access Keys" section.
     • Click on "Create access key" if the user has no existing access keys.
     • If the user has existing access keys, click on the "Make inactive" button next to the old access key.
     • Click on "Create access key" to generate a new access key.
     • Finally, the user should update their applications or services to use the new access key.
8. 4.

   Periodically monitor access key age and rotation compliance.

   • Regularly review access key ages to ensure compliance with the 90-day rotation policy.
   • Rerun the AWS CLI command in step 1 to check for any non-compliant access keys.

Additional Notes: