
IAM User Access Key Rotation Rule

This rule enforces rotating IAM user access keys every 90 days to enhance security.

Rule: IAM user access keys should be rotated at least every 90 days
Framework: CISA-cyber-essentials
Severity: Low

IAM User Access Key Rotation for CISA Cyber Essentials

Description:

In order to enhance security and protect against unauthorized access to AWS resources, it is recommended to regularly rotate IAM user access keys. This rule specifically refers to the rotation of access keys for users who are governed by the CISA Cyber Essentials framework.

Access keys allow users or applications to programmatically interact with AWS services. Regularly rotating these keys reduces the risk of compromise due to potential leaks or unauthorized access.

Troubleshooting Steps:

1. Identify Users with Old Access Keys:

To identify IAM users who have not rotated their access keys within the recommended timeframe, follow these steps:

  1. Log in to the AWS Management Console.
  2. Open the IAM service.
  3. Select "Users" from the left menu.
  4. Sort the users based on the "Access Key Age" column.
  5. Identify users whose access keys are older than 90 days.

2. Verify Key Rotation Recommendations:

Once you have identified users who have not rotated their access keys, it is recommended to send them reminders to rotate their keys. Provide them with the necessary instructions and direct them to this documentation for guidance.

Rotating IAM User Access Keys:

1. Generate New Access Key:

To generate a new access key for an IAM user, follow these steps:

  1. Log in to the AWS Management Console.
  2. Open the IAM service.
  3. Select "Users" from the left menu.
  4. Search for and select the user for whom you want to generate a new access key.
  5. In the "Security credentials" tab, scroll down to the "Access keys" section and click on "Create access key".
  6. Save the newly generated access key and secret key.

2. Update Access Key in Application or CLI Configurations:

After generating a new access key, the old access key needs to be replaced in any application or CLI configurations that use the old key for authentication.

Update the access key in the following locations:

Applications:

  1. Identify the application(s) that use the old access key for AWS API interactions.
  2. Locate the configuration file or settings where the access key is specified.
  3. Replace the old access key with the newly generated access key.

Command Line Interface (CLI):

If the user accesses AWS services via CLI, update the access key as follows:

  1. Open the terminal or command prompt.
  2. Run the following command to configure the AWS CLI with the new access key:

     aws configure

  3. Provide the new access key, secret key, AWS region, and output format when prompted.

3. Test Access Key and Ensure Functionality:

After updating the access key in applications or CLI configurations, it is essential to test that the new access key works and that the expected functionality is maintained. Execute the following steps:

  1. Verify that the new access key allows the relevant user to interact with the necessary AWS services.
  2. Perform any required actions to ensure the AWS resources, including permissions and policies, are functioning as expected with the new access key.

Conclusion:

Rotating IAM user access keys at least every 90 days enhances security and aligns with the CISA Cyber Essentials framework. By following the troubleshooting steps and instructions provided, you can ensure proper key rotation and minimize the risk of unauthorized access to AWS resources.
