This rule requires access keys to be rotated every 90 days or less.
| Rule | Ensure access keys are rotated every 90 days or less |
| Framework | cis_v130 |
| Severity | Medium |
Ensure Access Keys Are Rotated Every 90 Days or Less for CIS v1.3.0
The Center for Internet Security (CIS) Benchmark for AWS, version 1.3.0, recommends that all access keys be rotated every 90 days or less. This policy improves security by limiting how long an old key remains usable if it is obtained by an unauthorized party.
Description of the Rule
Objective
To minimize the possibility of unauthorized use of stale access keys, which can lead to security breaches.
Scope
The rule applies to access keys associated with all IAM (Identity and Access Management) users within an AWS account.
Rationale
Access keys that are not rotated regularly become a security liability if they are compromised without your knowledge. Regular rotation limits the window in which a leaked key can be used maliciously.
Troubleshooting Steps
If the rule is not being followed:
Identify Non-compliant Keys: Use the AWS Management Console or an automated process to identify access keys that haven't been rotated within the last 90 days.
Review Key Usage: Before rotating a key, review its usage to ensure that rotating it won't disrupt any applications or automated processes.
Rotate Keys: Follow the steps in the remediation section to rotate the non-compliant keys.
Notify Users: Inform the IAM user associated with the non-compliant key about the rotation policy and the need to update their applications or processes with the new access key.
Necessary CLI Commands
With the AWS CLI, the relevant commands are:
To list access keys for a user:
aws iam list-access-keys --user-name <user_name>
To get the last used date of access keys:
aws iam get-access-key-last-used --access-key-id <access_key_id>
To create a new access key:
aws iam create-access-key --user-name <user_name>
To deactivate an old access key:
aws iam update-access-key --access-key-id <access_key_id> --status Inactive --user-name <user_name>
To delete an old access key:
aws iam delete-access-key --access-key-id <access_key_id> --user-name <user_name>
Step by Step Guide for Remediation
Identify Users with Old Access Keys: Use the list-access-keys command to list each IAM user's access keys, then filter out keys older than 90 days.
Review Usage: Before rotating the keys, check when each key was last used with the get-access-key-last-used command.
Rotate the Keys: Deactivate the old key with the update-access-key command, then create a new key with the create-access-key command and distribute it to the user.
Delete the Old Key: Once the new key is confirmed to be functioning, use the delete-access-key command to remove the old key permanently.
Document: Record all changes and communications for audit purposes.
Enforce Policy: Consider implementing AWS Config rules or AWS Lambda functions that check and enforce the rotation of access keys automatically.
Automate: Automation is key to maintaining compliance without manual effort. Consider using AWS services or third-party solutions to automate the rotation process.
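One way to carry out the "identify" and "review usage" steps above, as an added example that is not part of the original page: a Python script that parses the JSON printed by `aws iam list-access-keys` and `aws iam get-access-key-last-used`, flags Active keys older than the 90-day threshold, and attaches each key's last-used record so an operator can judge disruption before rotating. The sample JSON, key IDs, dates and the fixed "now" are constructed for the example; the `aws_json` and `audit_user` helpers are assumptions that shell out to the AWS CLI and only work with the CLI installed and credentials configured.

```python
# Added example, not from the original page: detect IAM access keys older than
# the CIS v1.3.0 90-day threshold and pair them with last-used data.
import json
import subprocess
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # CIS v1.3.0: rotate every 90 days or less

# Constructed sample of `aws iam list-access-keys --user-name alice --output json`.
SAMPLE_LIST_ACCESS_KEYS = json.loads("""
{"AccessKeyMetadata": [
  {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000001",
   "Status": "Active",   "CreateDate": "2023-01-10T08:15:00+00:00"},
  {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000002",
   "Status": "Active",   "CreateDate": "2023-06-01T12:00:00+00:00"},
  {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000003",
   "Status": "Inactive", "CreateDate": "2022-11-20T09:30:00+00:00"},
  {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000004",
   "Status": "Active",   "CreateDate": "2022-12-01T00:00:00+00:00"}
]}
""")

# Constructed sample of `aws iam get-access-key-last-used` output per key id.
# A key that has never been used comes back without a LastUsedDate field.
SAMPLE_LAST_USED = {
    "AKIAEXAMPLE0000000001": {"AccessKeyLastUsed": {
        "LastUsedDate": "2023-06-09T10:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAEXAMPLE0000000002": {"AccessKeyLastUsed": {
        "LastUsedDate": "2023-06-10T09:00:00+00:00", "ServiceName": "sts", "Region": "us-east-1"}},
    "AKIAEXAMPLE0000000004": {"AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
}

# Fixed "now" (constructed) so the sample evaluates the same way on every run.
SAMPLE_NOW = datetime.fromisoformat("2023-06-10T12:00:00+00:00")


def parse_aws_time(value):
    """AWS CLI prints ISO 8601 timestamps; accept both '+00:00' and a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_keys(list_output, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return the Active keys whose CreateDate is more than max_age_days before `now`.

    Inactive keys are skipped: they no longer authenticate, so they are a
    cleanup item (delete-access-key) rather than a rotation finding.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for meta in list_output["AccessKeyMetadata"]:
        if meta["Status"] != "Active":
            continue
        created = parse_aws_time(meta["CreateDate"])
        if created < cutoff:
            stale.append({"UserName": meta["UserName"],
                          "AccessKeyId": meta["AccessKeyId"],
                          "age_days": (now - created).days})
    return stale


def rotation_plan(stale_keys, last_used_by_id, now=None):
    """Attach each stale key's last-used record (the 'Review Usage' step)."""
    if now is None:
        now = datetime.now(timezone.utc)
    plan = []
    for key in stale_keys:
        used = last_used_by_id.get(key["AccessKeyId"], {}).get("AccessKeyLastUsed", {})
        entry = dict(key)
        if "LastUsedDate" in used:
            entry["last_used_days_ago"] = (now - parse_aws_time(used["LastUsedDate"])).days
            entry["last_used_service"] = used["ServiceName"]
            entry["action"] = "in use: confirm the consumer can switch keys, then rotate"
        else:
            entry["last_used_days_ago"] = None
            entry["last_used_service"] = None
            entry["action"] = "never used: deactivate and delete"
        plan.append(entry)
    return plan


def aws_json(*args):
    """Assumed helper: run an AWS CLI command and parse its JSON output."""
    completed = subprocess.run(["aws", *args, "--output", "json"],
                               check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def audit_user(user_name):
    """Assumed helper: live check of one IAM user with the two commands listed above."""
    stale = find_stale_keys(aws_json("iam", "list-access-keys", "--user-name", user_name))
    last_used = {k["AccessKeyId"]: aws_json("iam", "get-access-key-last-used",
                                            "--access-key-id", k["AccessKeyId"])
                 for k in stale}
    return rotation_plan(stale, last_used)


if __name__ == "__main__":
    # Offline run over the constructed sample; use audit_user("<user_name>") against a real account.
    for entry in rotation_plan(find_stale_keys(SAMPLE_LIST_ACCESS_KEYS, SAMPLE_NOW),
                               SAMPLE_LAST_USED, SAMPLE_NOW):
        print(entry)
```

The check deliberately keys on CreateDate rather than last-used date: CIS measures key age from creation, and a rarely used old key is still a finding. The last-used record is only there to tell the operator which application will break when the key changes.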
Implementing this policy and ensuring compliance with the CIS AWS Foundations Benchmark v1.3.0 will help safeguard your AWS environment against potential security threats related to compromised access keys. Regular rotation of keys is essential for maintaining a secure AWS environment.