Ensure One Active Access Key per IAM User Rule
This rule ensures there is only one active access key available for any single IAM user.
| Rule | Ensure there is only one active access key available for any single IAM user |
| Framework | cis_v130 |
| Severity | ✔ High |
Ensure there is only one active access key available for any single IAM user (CIS Benchmark 1.3.0)
Overview
The Center for Internet Security (CIS) AWS Foundations Benchmark recommendation 1.3.0 suggests that there should be only one active Access Key available for any single Identity and Access Management (IAM) user. This guideline enhances security by minimizing the risk of unauthorized AWS console access should any one of the keys become compromised.
Rationale
Having multiple active keys for a single user increases the risk of keys being lost, stolen, or mishandled. Furthermore, it makes auditing more difficult, as each key that a user has needs to be tracked and monitored. Limiting IAM users to one active access key helps to control access and simplifies the process of tracking and managing keys.
Troubleshooting
If a user has more than one active access key, you need to identify the unused or less frequently used key and deactivate or delete it following the principle of least privilege and good key hygiene.
Prerequisites
- AWS CLI installed and configured
- Necessary IAM permissions to list and manage access keys
Steps for Remediation
- 1.
List Access Keys for a User
Use the following AWS CLI command to list all access keys for a user:
aws iam list-access-keys --user-name <username>Replace
with the name of the IAM user in question.<username> - 2.
Identify Unused/Less Frequently Used Keys
Examine the
for each access key or use access key last used details to determine which key is least recently used:CreateDateaws iam get-access-key-last-used --access-key-id <accessKeyId>Replace
with the Access Key ID you wish to check.<accessKeyId> - 3.
Deactivate or Delete the Extra Key
If you find an access key that is not needed or is less frequently used:
Deactivate the access key:
aws iam update-access-key --access-key-id <accessKeyId> --user-name <username> --status InactiveDelete the access key:
aws iam delete-access-key --access-key-id <accessKeyId> --user-name <username>
Always confirm with the user and ensure that deactivating or deleting the key won’t disrupt any critical services.
- 4.
Audit Regularly
Regularly audit access keys using AWS IAM user credential reports or setting up AWS Config rules to ensure compliance with the one access key per user policy.
Conclusion
Following the CIS Benchmark 1.3.0 recommendations helps ensure that your AWS environment is secure and aligns with best practices for managing access keys. By having a single active access key per IAM user, you limit potential attack vectors and simplify the process of audit and key management.
Remember that all the changes made to IAM users and their access keys should be carefully evaluated and monitored to prevent any inadvertent loss of access to AWS services that are critical for your organization’s operations.