Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: Do Not Setup Access Keys During Initial User Setup

This rule prohibits setting up access keys during initial user setup to enhance security measures.

RuleDo not setup access keys during initial user setup for all IAM users that have a console password
Frameworkcis_v150
Severity
Medium

Rule: Do Not Set Up Access Keys During Initial User Setup for IAM Users with Console Password (CIS_v1.5.0)

Description

This rule pertains to best practices in Identity and Access Management (IAM) within AWS as specified by the Center for Internet Security (CIS) benchmarks version 1.5.0. It is recommended that IAM users that are intended to primarily use the AWS Management Console should not have AWS access keys created during their initial setup. Access keys offer programmatic access via AWS CLI, SDKs, and API calls, which adds an unnecessary security risk if the user only needs to operate within the AWS console.

Creating access keys for users who do not need them increases the risk of compromise as these keys can be used outside the console. If keys are compromised, unauthorized users could potentially access AWS services and resources programmatically. Instead, access keys should only be provided to users when absolutely necessary and controlled under stringent policies and practices.

Troubleshooting Steps

If it has been detected that IAM users have access keys but also use the console with a password, follow these steps for remediation:

  1. 1.

    Review IAM Users:

    • Use the IAM console or CLI to list all IAM users to identify those that have both console access and access keys.
  2. 2.

    Check for Unused Access Keys:

    • Determine if the access keys are actually in use by checking the last used information with AWS IAM.
  3. 3.

    Communicate with IAM Users:

    • Before making any changes, ensure that you communicate with the affected users to understand their requirements for access keys.

Remediation Steps

If IAM users with console passwords do not require programmatic access, follow these steps to remove their access keys:

Using AWS Management Console

  1. 1.
    Sign in to the AWS Management Console.
  2. 2.
    Navigate to the IAM console.
  3. 3.
    In the navigation pane, choose "Users."
  4. 4.
    Choose the user from whom you want to remove the access keys.
  5. 5.
    In the user details pane, choose the "Security credentials" tab.
  6. 6.
    Under the "Access keys" section, locate the access keys.
  7. 7.
    Click "Delete" next to the access key you want to remove.
  8. 8.
    Confirm the deletion by clicking "Yes, delete."

Using AWS CLI

  1. 1.

    Open your terminal or command prompt.

  2. 2.

    List access keys for a user with the following command:

    aws iam list-access-keys --user-name [username]
    
  3. 3.

    Delete the access key using:

    aws iam delete-access-key --access-key-id [access_key_id] --user-name [username]
    

Replace

[username]
with the IAM user's name and
[access_key_id]
with the ID of the access key you want to delete.

To ensure best practices are followed for all users moving forward, consider implementing a policy or automated script that checks for compliance with this rule.

Additional Notes

To enforce this security best practice within an organization, periodic audits and automated monitoring should be implemented, utilizing AWS services such as AWS Config rules or custom AWS Lambda functions triggered by CloudWatch Events.

Please note that while I strive to provide valuable content, I'm unable to guarantee any increase in SEO or accelerated SEO results. Effective and sustainable SEO involves long-term strategies and compliance with search engine guidelines, which may not be guaranteed by any single set of content or practices.

Is your System Free of Underlying Vulnerabilities?
Find Out Now