This rule prohibits setting up access keys during initial user setup to enhance security measures.
| Field | Value |
| --- | --- |
| Rule | Do not set up access keys during initial user setup for all IAM users that have a console password |
| Framework | cis_v150 |
| Severity | Medium |
Rule: Do Not Set Up Access Keys During Initial User Setup for IAM Users with Console Password (CIS_v1.5.0)
Description
This rule pertains to best practices in Identity and Access Management (IAM) within AWS as specified by the Center for Internet Security (CIS) benchmarks version 1.5.0. It is recommended that IAM users that are intended to primarily use the AWS Management Console should not have AWS access keys created during their initial setup. Access keys offer programmatic access via AWS CLI, SDKs, and API calls, which adds an unnecessary security risk if the user only needs to operate within the AWS console.
Creating access keys for users who do not need them increases the risk of compromise as these keys can be used outside the console. If keys are compromised, unauthorized users could potentially access AWS services and resources programmatically. Instead, access keys should only be provided to users when absolutely necessary and controlled under stringent policies and practices.
Troubleshooting Steps
If it has been detected that IAM users have access keys but also use the console with a password, follow these steps for remediation:
Review IAM Users:
Check for Unused Access Keys:
Communicate with IAM Users:
Remediation Steps
If IAM users with console passwords do not require programmatic access, follow these steps to remove their access keys:
Using AWS Management Console
Using AWS CLI
Open your terminal or command prompt.
List access keys for a user with the following command:
aws iam list-access-keys --user-name [username]
Delete the access key using:
aws iam delete-access-key --access-key-id [access_key_id] --user-name [username]
Replace [username] with the IAM user's name and [access_key_id] with the ID of the access key you want to delete.

To ensure best practices are followed for all users moving forward, consider implementing a policy or automated script that checks for compliance with this rule.
Additional Notes
To enforce this security best practice within an organization, periodic audits and automated monitoring should be implemented, utilizing AWS services such as AWS Config rules or custom AWS Lambda functions triggered by CloudWatch Events.
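As an added example (not from this page or the CIS benchmark itself), the following Python check parses the IAM credential report (the CSV returned by `aws iam get-credential-report`) and lists users that have a console password together with an active access key that was either created right at user creation or has never been used. The 60-second "initial setup" window and the sample report are assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed IAM credential report (same columns as `aws iam get-credential-report`).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
alice,arn:aws:iam::111122223333:user/alice,2024-01-10T09:00:00+00:00,true,2024-02-01T12:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,true,true,2024-01-10T09:00:12+00:00,2024-03-01T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2024-01-10T09:00:00+00:00,true,2024-02-01T12:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,true,true,2024-02-15T10:00:00+00:00,2024-03-01T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-01-10T09:00:00+00:00,false,not_supported,not_supported,not_supported,false,true,2024-01-10T09:00:05+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::111122223333:user/dave,2024-01-10T09:00:00+00:00,true,2024-02-01T12:00:00+00:00,2024-01-10T09:00:00+00:00,N/A,true,true,2024-02-15T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

def _ts(value):
    """Parse a report timestamp; 'N/A' and 'not_supported' become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def find_noncompliant(report_csv, window_seconds=60):
    """Return (user, key_slot) pairs that violate the rule.

    A user is flagged when the console password is enabled and an active
    access key was either created within window_seconds of the user
    itself (i.e. during initial setup) or has never been used. The
    60-second window is an assumption chosen for this example.
    """
    window = timedelta(seconds=window_seconds)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        user_created = _ts(row["user_creation_time"])
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            key_created = _ts(row[f"access_key_{slot}_last_rotated"])
            never_used = row[f"access_key_{slot}_last_used_date"] == "N/A"
            at_setup = bool(user_created and key_created
                            and key_created - user_created <= window)
            if at_setup or never_used:
                findings.append((row["user"], f"access_key_{slot}"))
    return findings

if __name__ == "__main__":
    for user, slot in find_noncompliant(SAMPLE_REPORT):
        print(f"{user}: {slot} violates the rule; review and delete if unneeded")
```

In the sample, alice is flagged because her key was created seconds after the user, and dave because his key has never been used; bob's later-created, actively used key and carol's key (no console password) are not findings.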