This rule enforces rotating IAM user access keys every 90 days to enhance security.
| Rule | IAM user access keys should be rotated at least every 90 days |
| Framework | CISA-cyber-essentials |
| Severity | Low |
IAM User Access Key Rotation for CISA Cyber Essentials
Description:
In order to enhance security and protect against unauthorized access to AWS resources, it is recommended to regularly rotate IAM user access keys. This rule specifically refers to the rotation of access keys for users who are governed by the CISA Cyber Essentials framework.
Access keys allow users or applications to programmatically interact with AWS services. Regularly rotating these keys reduces the risk of compromise due to potential leaks or unauthorized access.
Troubleshooting Steps:
1. Identify Users with Old Access Keys:
To identify IAM users who have not rotated their access keys within the recommended timeframe, follow these steps:
2. Verify Key Rotation Recommendations:
Once you have identified users who have not rotated their access keys, it is recommended to send them reminders to rotate their keys. Provide them with the necessary instructions and direct them to this documentation for guidance.
Rotating IAM User Access Keys:
1. Generate New Access Key:
To generate a new access key for an IAM user, follow these steps:
2. Update Access Key in Application or CLI Configurations:
After generating a new access key, the old access key needs to be replaced in any application or CLI configurations that use the old key for authentication.
Update the access key in the following locations:
Applications:
Command Line Interface (CLI):
If the user accesses AWS services via CLI, update the access key as follows:
aws configure
3. Test Access Key and Ensure Functionality:
After updating the access key in applications or CLI configurations, it is essential to verify that the new access key works and that the expected functionality is preserved. Execute the following steps:
Conclusion:
Rotating IAM user access keys at least every 90 days enhances security and aligns with the CISA Cyber Essentials framework. By following the troubleshooting steps and instructions provided, you can ensure proper key rotation and minimize the risk of unauthorized access to AWS resources.