This rule ensures access keys are rotated every 90 days or less to enhance security measures.
Rule | Ensure access keys are rotated every 90 days or less |
Framework | cis_v140 |
Severity | ✔ Low |
Ensure Access Keys Are Rotated Every 90 Days or Less for CIS_v1.4.0
Overview
The Center for Internet Security (CIS) Amazon Web Services (AWS) Foundations Benchmark v1.4.0 mandates that access keys be rotated every 90 days or less. This practice is a key security measure that helps to limit the window of opportunity for an access key that has been compromised without your knowledge to be exploited.
Why Rotate Access Keys
Rotating access keys minimizes the risk associated with key leaks or unauthorized use. If keys are not regularly rotated, they could be used by malicious actors to gain prolonged access to your AWS resources, potentially leading to data breaches, service disruptions, or financial loss.
Troubleshooting Steps
Checking Access Key Age
If the age of a key is 90 days or older, it should be considered for rotation immediately.
Rotating Access Keys
aws iam create-access-key --user-name <your-username>
aws iam update-access-key --access-key-id <old-access-key-id> --status Inactive --user-name <your-username>
Wait and monitor to ensure that rotating the key does not affect any services. If no issues arise:
aws iam delete-access-key --access-key-id <old-access-key-id> --user-name <your-username>
Remediation Steps
Via AWS Management Console
Via AWS CLI
aws iam list-access-keys --user-name <your-username>
Automation Using AWS CLI or SDKs
You can automate the monitoring and rotation process by scripting the necessary AWS CLI commands or using one of the AWS SDKs to develop a custom solution that alerts you when keys are due for rotation and potentially rotates the keys automatically.
Best Practices
Conclusion
Rotating AWS access keys regularly is an important security measure and a requirement of the CIS AWS Foundations Benchmark v1.4.0. Adherence to this rule helps ensure that the potential window for key exploitation is minimal, thus maintaining your AWS environment's security integrity. By integrating key rotation into your regular security audit procedures and possibly automating the rotation process, your organization can support a strong security posture within your cloud environment.