
Rule: IAM User Access Keys Rotation Every 90 Days

This rule mandates rotating IAM user access keys every 90 days to enhance security measures.

Rule: IAM user access keys should be rotated at least every 90 days
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Low

Rule Description:

IAM user access keys should be rotated at least every 90 days for compliance with the Federal Financial Institutions Examination Council (FFIEC) guidelines. This rule ensures that access keys used by IAM users to authenticate themselves and access resources within the organization's AWS account are regularly changed. Rotating access keys reduces the risk of unauthorized access and helps maintain the security and integrity of sensitive data.

Troubleshooting Steps:

If there are issues or concerns related to access key rotation, here are some troubleshooting steps to consider:

  1. Verify Compliance Requirements: Ensure that rotating IAM user access keys every 90 days aligns with the specific compliance requirements set by FFIEC. Review the organization's security policies and guidelines to confirm the desired access key rotation frequency.

  2. Check IAM User Policies: Validate that the IAM user policies in place allow access key rotation. Look for any explicit denials or restrictions on key rotation. Adjust policies as needed to enable access key rotation.

  3. Review Access Key Creation Date: Identify IAM users whose access keys have been active for more than 90 days. Verify the creation date of each access key to determine whether it needs to be rotated.

  4. Generate New Access Keys: For IAM users with access keys older than 90 days, generate new access keys using the AWS Management Console, AWS CLI, or AWS SDKs. Generate a new access key pair for each user, as a best practice.

  5. Update Applications and Scripts: Update any applications or scripts that use the old access keys for authentication. Replace the old access keys with the newly generated ones to avoid any service disruptions.
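The age check in step 3 above (and step 6 of the remediation guide below) can be automated. The following added example is not part of the original rule page or of any AWS tooling; it evaluates the JSON shape returned by `aws iam list-access-keys --user-name <name>` and flags active keys older than 90 days. The sample data, user names and `AKIAEXAMPLE...` key IDs are constructed placeholders, not real credentials.

```python
import json
from datetime import datetime

MAX_KEY_AGE_DAYS = 90  # rotation threshold required by the rule

# Constructed sample in the shape of `aws iam list-access-keys --user-name <name>`
# output, keyed by user. Key IDs and dates are invented for this example.
SAMPLE_LIST_ACCESS_KEYS = {
    "alice": '{"AccessKeyMetadata": [{"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", '
             '"Status": "Active", "CreateDate": "2024-01-15T00:00:00+00:00"}]}',
    "bob": '{"AccessKeyMetadata": [{"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002", '
           '"Status": "Active", "CreateDate": "2024-05-20T08:00:00+00:00"}, '
           '{"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003", '
           '"Status": "Inactive", "CreateDate": "2023-11-01T12:00:00+00:00"}]}',
    "carol": '{"AccessKeyMetadata": []}',  # user with no access keys
}


def parse_create_date(value):
    # The CLI emits ISO 8601 timestamps. A trailing "Z" is only accepted by
    # fromisoformat from Python 3.11 onward, so normalise it first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(list_access_keys_json_by_user, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, access_key_id, age_days) for every Active key older than
    max_age_days. Inactive keys cannot authenticate, so they are not rotation
    violations; they should still be deleted once confirmed unused."""
    findings = []
    for user, raw in list_access_keys_json_by_user.items():
        for key in json.loads(raw)["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue
            age_days = (now - parse_create_date(key["CreateDate"])).days
            if age_days > max_age_days:
                findings.append((user, key["AccessKeyId"], age_days))
    return findings


if __name__ == "__main__":
    # Fixed evaluation time so the sample output is reproducible.
    now = parse_create_date("2024-06-01T00:00:00+00:00")
    for user, key_id, age in stale_keys(SAMPLE_LIST_ACCESS_KEYS, now):
        print(f"NON-COMPLIANT: user={user} key={key_id} age={age}d (> {MAX_KEY_AGE_DAYS}d)")
```

In a real account, replace the sample dict with the per-user output of `aws iam list-access-keys` and pass the current UTC time as `now`.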

Necessary Codes:

No specific codes are required for this rule. The necessary steps can be performed using AWS Management Console, AWS CLI, or AWS SDKs.

Step-by-Step Guide for Remediation:

Follow these steps to rotate IAM user access keys every 90 days:

  1. Log in to the AWS Management Console using administrative credentials.
  2. Open the IAM service from the AWS Management Console.
  3. Select "Users" from the left-hand menu.
  4. Locate the IAM user for which access key rotation is required and select their username.
  5. Within the "Security credentials" tab, locate the access keys section.
  6. Identify any access keys that have been active for more than 90 days and need to be rotated.
  7. Click on the "Create access key" button to generate a new access key pair for the user.
  8. Make a note of the new access key ID and secret access key.
  9. Update any applications, services, or scripts that use the old access keys with the newly generated access keys. Ensure seamless authentication and avoid any service disruptions.
  10. Once the access key update is complete, select the old access key within IAM and click on "Make inactive" to disable it.
  11. Regularly monitor access keys and their rotation timelines to ensure continued compliance with the FFIEC guidelines and best security practices.

It is important to establish a regular schedule to review and rotate all IAM user access keys to maintain a high level of security within the AWS environment.
