
IAM User Access Key Rotation Rule

Ensure IAM user access keys are rotated every 90 days to enhance security measures.

Rule: IAM user access keys should be rotated at least every 90 days
Framework: GxP 21 CFR Part 11
Severity: Low

IAM User Access Key Rotation for GxP 21 CFR Part 11

Description:

According to GxP 21 CFR Part 11 compliance requirements, IAM (Identity and Access Management) user access keys should be rotated at least every 90 days. This rule is implemented to enhance security and reduce the risk of unauthorized access to sensitive data and systems in compliance with regulatory standards.

Troubleshooting Steps:

If you encounter any issues while rotating IAM user access keys, follow these troubleshooting steps:

  1. Check IAM User Permissions: Ensure that the IAM user performing the access key rotation has the necessary permissions (e.g., iam:UpdateAccessKey) to modify access keys.
  2. Verify IAM User Access Key: Confirm that the access key you are trying to rotate is valid and active. Use the AWS Management Console or AWS CLI to validate the key details.
  3. Check IAM User Policy: Review the IAM user's attached policy to ensure there are no restrictions or conflicts that might prevent access key rotation.
  4. Test Connectivity: Ensure that you have a stable internet connection to communicate with the AWS services during the rotation process.
  5. Review AWS Service Status: Check the AWS Service Health Dashboard to verify whether there are any known service disruptions that might impact access key rotation.

Necessary Codes:

No specific codes are required for this rule. However, the following CLI commands will be useful during the access key rotation process:

  1. List IAM Users

aws iam list-users

This command lists all the IAM users in your AWS account.

  2. Disable an IAM User's Access Key

aws iam update-access-key --user-name <IAM_USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Inactive

This command disables an active access key for a specific IAM user.

  3. Create a New IAM User Access Key

aws iam create-access-key --user-name <IAM_USER_NAME>

This command creates a new access key for a particular IAM user.
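The commands above manage keys but do not tell you which keys are already past the 90-day limit. The following Python script is an added example (not Cloud Defense's own tooling) that reads the JSON printed by aws iam list-access-keys --user-name <IAM_USER_NAME>, one document per user, and reports every Active key older than the limit. The two sample documents, the user names and the AccessKeyId values are constructed for this example, and the audit date is fixed so the result is reproducible; in practice pipe in real CLI output and use the current UTC time.

```python
"""Flag IAM user access keys older than the 90-day rotation limit.

Input is the JSON printed by `aws iam list-access-keys --user-name <USER>`.
Everything in SAMPLE_LIST_ACCESS_KEYS is constructed for this example; the
AccessKeyId values are placeholders, not real keys.
"""
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # rotation limit stated by the rule

# Fixed audit time so the sample result is reproducible;
# use datetime.now(timezone.utc) when checking a real account.
AUDIT_NOW = datetime(2024, 4, 30, tzinfo=timezone.utc)

# Constructed sample: what `aws iam list-access-keys` prints for two users.
SAMPLE_LIST_ACCESS_KEYS = [
    json.dumps({
        "AccessKeyMetadata": [
            {"UserName": "lab-analyst", "AccessKeyId": "AKIAEXAMPLE00000001",
             "Status": "Active", "CreateDate": "2024-01-05T09:12:00+00:00"},
            {"UserName": "lab-analyst", "AccessKeyId": "AKIAEXAMPLE00000002",
             "Status": "Inactive", "CreateDate": "2023-06-01T08:00:00+00:00"},
        ]
    }),
    json.dumps({
        "AccessKeyMetadata": [
            {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLE00000003",
             "Status": "Active", "CreateDate": "2024-03-20T15:45:10Z"},
        ]
    }),
]


def parse_create_date(value):
    """Parse the ISO 8601 CreateDate the CLI prints (either +00:00 or Z suffix)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def key_age_days(create_date, now):
    """Whole days elapsed since the key was created."""
    return (now - parse_create_date(create_date)).days


def find_stale_keys(list_outputs, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_id, age_days) for every Active key older than the limit.

    Inactive keys cannot authenticate, so they are skipped here; deleting
    stale Inactive keys is still good hygiene once nothing depends on them.
    """
    stale = []
    for raw in list_outputs:
        for meta in json.loads(raw)["AccessKeyMetadata"]:
            if meta["Status"] != "Active":
                continue
            age = key_age_days(meta["CreateDate"], now)
            if age > max_age_days:
                stale.append((meta["UserName"], meta["AccessKeyId"], age))
    return stale


if __name__ == "__main__":
    for user, key_id, age in find_stale_keys(SAMPLE_LIST_ACCESS_KEYS, AUDIT_NOW):
        print(f"NON-COMPLIANT {user} {key_id} age={age}d (limit {MAX_KEY_AGE_DAYS}d)")
```

Run over the sample, only lab-analyst's Active key is reported (115 days old at the fixed audit date); the ci-deployer key is 40 days old and the Inactive key is ignored. To audit a whole account, loop over the users from aws iam list-users and feed each list-access-keys document into find_stale_keys.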

Step-by-Step Guide for Remediation:

Follow these steps to ensure compliance by rotating IAM user access keys at least every 90 days:

  1. Identify IAM Users: Determine the IAM users in your AWS account who are subject to the GxP 21 CFR Part 11 compliance requirement for access key rotation.

  2. Disable Active Access Key: Disable the existing active access key for each identified IAM user using the following command:

aws iam update-access-key --user-name <IAM_USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Inactive

  3. Create New Access Key: Generate a new access key for each IAM user using the following command:

aws iam create-access-key --user-name <IAM_USER_NAME>

  4. Communicate New Access Key: Inform the respective IAM user(s) about their new access key details and request them to update any scripts, applications, or integrations that use these keys.

  5. Rotate Access Keys Periodically: Set up a process or reminder to repeat this access key rotation procedure every 90 days to ensure ongoing compliance.
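The following Python script is an added example (not Cloud Defense's tooling) that performs the rotation steps above through the boto3 IAM client method names list_access_keys, create_access_key, update_access_key and delete_access_key. It orders the steps so the user is never left without a working credential: the replacement key is created and handed over first, and the old key is deactivated afterwards. It also handles the IAM limit of two access keys per user, which otherwise makes create-access-key fail with LimitExceeded. FakeIamClient is an in-memory stand-in, constructed for this example, so the script runs offline; with a real account pass boto3.client("iam") instead, and the caller needs iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and iam:DeleteAccessKey. The user name and key IDs are placeholders.

```python
"""Rotate an IAM user's access key: create new, deliver, then deactivate old.

FakeIamClient mimics the boto3 IAM client methods used here (constructed for
this example). Key IDs and secrets below are fake placeholders.
"""
import itertools
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2  # IAM limit on access keys per user


class FakeIamClient:
    """Minimal in-memory stand-in for the boto3 IAM client methods used here."""

    def __init__(self, keys):
        # keys: list of dicts shaped like AccessKeyMetadata entries
        self._keys = {k["AccessKeyId"]: dict(k) for k in keys}
        self._seq = itertools.count(100)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.values()
                                      if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if len(self.list_access_keys(UserName)["AccessKeyMetadata"]) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: cannot exceed quota for AccessKeysPerUser")
        key = {"UserName": UserName, "AccessKeyId": f"AKIAFAKE{next(self._seq):012d}",
               "Status": "Active", "CreateDate": datetime.now(timezone.utc),
               "SecretAccessKey": "fake-secret-not-a-real-credential"}
        self._keys[key["AccessKeyId"]] = key
        return {"AccessKey": dict(key)}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self._keys[AccessKeyId]


def rotate_access_key(iam, user_name, old_key_id, deliver):
    """Create a replacement key, hand it over via deliver(key_id, secret), then
    deactivate old_key_id. The old key is only deactivated, not deleted, so it
    can be re-enabled if something still depends on it; delete it once the new
    key is confirmed in use. Returns the new AccessKeyId.
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if not any(k["AccessKeyId"] == old_key_id for k in keys):
        raise ValueError(f"{old_key_id} is not a key of {user_name}")
    if len(keys) >= MAX_KEYS_PER_USER:
        # Both slots are used: make room by deleting an already-Inactive key.
        inactive = [k for k in keys
                    if k["Status"] == "Inactive" and k["AccessKeyId"] != old_key_id]
        if not inactive:
            raise RuntimeError(f"{user_name} already has {MAX_KEYS_PER_USER} Active keys; "
                               "deactivate and delete one before rotating")
        iam.delete_access_key(UserName=user_name, AccessKeyId=inactive[0]["AccessKeyId"])
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    deliver(new["AccessKeyId"], new["SecretAccessKey"])  # hand-off happens before the old key stops working
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return new["AccessKeyId"]


def demo():
    """Constructed scenario: lab-analyst holds one stale Active key and one old Inactive key."""
    iam = FakeIamClient([
        {"UserName": "lab-analyst", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
         "CreateDate": datetime(2024, 1, 5, tzinfo=timezone.utc)},
        {"UserName": "lab-analyst", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Inactive",
         "CreateDate": datetime(2023, 6, 1, tzinfo=timezone.utc)},
    ])
    delivered = []
    new_id = rotate_access_key(iam, "lab-analyst", "AKIAEXAMPLE00000001",
                               lambda key_id, secret: delivered.append(key_id))
    after = {k["AccessKeyId"]: k["Status"]
             for k in iam.list_access_keys(UserName="lab-analyst")["AccessKeyMetadata"]}
    return new_id, delivered, after


if __name__ == "__main__":
    new_id, delivered, after = demo()
    print("new key:", new_id, "delivered:", delivered, "state after:", after)
```

In the demo the stale Inactive key is deleted to free a slot, the new key is created and delivered, and the old Active key ends up Inactive while the new one is Active. The deliver callback is where a real deployment would write the secret to a secrets manager or CI variable; the secret is returned only once by create-access-key, so never log it.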

Remember, regular access key rotation is crucial for maintaining the security and compliance of your AWS environment, especially for GxP 21 CFR Part 11 regulated systems.
