IAM Users' Access Keys Rotation Rule
This rule requires IAM users' access keys to be rotated every 90 days or less.
| Rule | IAM users' access keys should be rotated every 90 days or less |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ Medium |
Rule Description:
IAM user access keys should be rotated every 90 days or less to adhere to AWS Foundational Security Best Practices. Regularly rotating access keys helps to mitigate the risk of unauthorized access and potential compromise of sensitive data.
Troubleshooting Steps:
Identify IAM users: First, identify all IAM users in your AWS account for which access keys are managed.
Determine access key age: Determine the age of the access keys associated with each IAM user.
Check rotation frequency: Verify if the access keys have been rotated within the last 90 days.
Review IAM user activity: Analyze recent IAM user activity logs to ensure that access keys are being regularly rotated.
Necessary Codes:
No specific code is needed for this rule. The rotation of IAM user access keys can be managed directly through the AWS Management Console or using AWS CLI commands.
Step-by-Step Guide for Remediation:
- 1.
Identify IAM users: Access your AWS Management Console and navigate to the IAM service.
- 2.
List IAM users: In the IAM dashboard, click on "Users" in the left-hand menu to view a list of all IAM users in your account.
- 3.
Select user: Identify the IAM user for whom you want to rotate the access keys and click on their username.
- 4.
Access Key Management: Under the Security credentials tab, locate the section called "Access keys."
- 5.
Rotate Access Key: To rotate the access key, click on the "Rotate access key" button next to the existing access key that needs to be rotated.
- 6.
Confirm rotation: A pop-up window will appear asking you to confirm the access key rotation. Click "Rotate access key" to proceed.
- 7.
Update application configurations: After rotating the access key, update any applications or services that use the older access key to use the newly generated access key. This ensures uninterrupted access to AWS resources.
- 8.
Repeat for other users: Repeat steps 3-7 for each IAM user in your AWS account. Regularly monitor access key rotation and perform it for all IAM users within the 90-day period.
Note: It is recommended to have at least two active access keys at any given time to avoid any disruption due to rotation. This allows you to switch to the new access key while ensuring uninterrupted access to AWS resources during the rotation process.
By following these steps, you will ensure that IAM user access keys are rotated every 90 days or less, adhering to AWS Foundational Security Best Practices and reducing the risk of unauthorized access to your AWS resources.