Learn about the importance of rotating IAM user access keys every 90 days.
| Rule | IAM user access keys should be rotated at least every 90 days |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | Low |
IAM User Access Key Rotation Policy
Description
In accordance with the NIST Cybersecurity Framework (CSF) v1.1, IAM user access keys must be rotated at least every 90 days. Access keys are long-lived credentials used to sign and authenticate programmatic requests to Amazon Web Services (AWS) APIs; because they do not expire on their own, a leaked key stays usable until it is deactivated or deleted. Regular rotation bounds the window in which a compromised key can be used for unauthorized access.
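The following check, added here and not part of the original rule page, implements the 90-day test against the decoded CSV of `aws iam get-credential-report`, which covers every user in the account in one call. The report rows, the account ID and the "as of" date are constructed sample data.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample in the layout of the IAM credential report. The real report
# is fetched with: aws iam get-credential-report --query Content --output text | base64 -d
# Account ID 123456789012 is a placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-01T10:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-01-15T12:00:00+00:00,2024-05-02T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-20T12:00:00+00:00,N/A,N/A,N/A,true,2023-11-01T00:00:00+00:00,2024-04-30T00:00:00+00:00,eu-west-1,ec2
"""

# Constructed evaluation time for the sample; in practice use datetime.now(timezone.utc).
AS_OF = datetime(2024, 5, 10, tzinfo=timezone.utc)


def stale_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_slot, age_days) for every ACTIVE access key whose last
    rotation is older than max_age_days. Inactive keys cannot be used and are
    skipped; slots with no key (N/A) or unsupported dates are skipped too."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = row[f"{slot}_last_rotated"]
            if rotated in ("N/A", "not_supported", "no_information"):
                continue
            # Report timestamps are ISO 8601 with an explicit +00:00 offset.
            age_days = (now - datetime.fromisoformat(rotated)).days
            if age_days > max_age_days:
                findings.append((row["user"], slot, age_days))
    return findings


if __name__ == "__main__":
    for user, slot, age in stale_keys(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {slot} last rotated {age} days ago (> {MAX_KEY_AGE_DAYS})")
```

Each finding identifies the user and key slot to rotate with the remediation steps given later on this page.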
Troubleshooting Steps
If you encounter issues during IAM user access key rotation, follow these troubleshooting steps:

1. Verify IAM User Credentials: Ensure that you have the necessary permissions and credentials to perform access key rotation. Check whether you are part of a group with the IAMUserChangePassword and IAMUserAccessKeyRotate permissions.
2. Check Access Key Status: Validate the status of the access key you are attempting to rotate. Open the AWS Management Console, go to the IAM service, and open the "Users" section. Select the relevant IAM user and check whether the access key is active or inactive.
3. Validate IAM User Policy: Confirm that the IAM user's policies do not block key rotation. Review the attached IAM policy document and verify that it does not contain an explicit Deny on iam:UpdateAccessKey or other statements that would prevent the rotation actions.
4. Rotate Access Key Using AWS CLI: If the access key is active and there are no policy restrictions, rotate the key using AWS Command Line Interface (CLI) commands. The remediation steps below give a step-by-step guide to key rotation using the CLI.
Necessary Codes
There are no specific codes required for this rule. However, you may need to utilize AWS CLI commands for access key rotation, as mentioned in the remediation steps below.
Remediation Steps
Using AWS Management Console
1. Sign in to the AWS Management Console using appropriate IAM user credentials.
2. Open the IAM service dashboard.
3. Navigate to the "Users" section.
4. Select the IAM user for which access key rotation is required.
5. In the "Security credentials" tab, locate the access key to be rotated.
6. Click on the "Rotate now" button next to the access key.
7. Take note of the new access key and secret access key generated.
8. Update any applications or environments that use the old access key with the newly generated one.
Using AWS CLI
1. Install and configure the AWS CLI on your local machine if not already done.
2. Open a terminal or command prompt.
3. Run the following AWS CLI command to deactivate the access key being rotated:

```shell
aws iam update-access-key --access-key-id <EXISTING_ACCESS_KEY_ID> --status Inactive --user-name <YOUR_USERNAME>
```

Replace <EXISTING_ACCESS_KEY_ID> with the access key ID you want to rotate, and <YOUR_USERNAME> with your IAM username. The command sets the existing access key's status to Inactive.

4. Run the following command to create a new access key:

```shell
aws iam create-access-key --user-name <YOUR_USERNAME>
```

Replace <YOUR_USERNAME> with your IAM username. Note down the new access key ID and secret access key returned by the command.

5. Update any applications or environments that use the old access key with the newly generated one.
6. Remove the old access key once it is no longer needed:

```shell
aws iam delete-access-key --access-key-id <EXISTING_ACCESS_KEY_ID> --user-name <YOUR_USERNAME>
```

Replace <EXISTING_ACCESS_KEY_ID> with the access key ID you want to remove, and <YOUR_USERNAME> with your IAM username.

Conclusion
Rotating IAM user access keys every 90 days is crucial for maintaining the security of your AWS resources. By following the provided troubleshooting steps and remediation guidelines, you can ensure compliance with the NIST Cybersecurity Framework and mitigate potential security risks.