
IAM User Access Keys Rotation Rule

This rule states that IAM user access keys must be rotated every 90 days to ensure security.

Rule: IAM user access keys should be rotated at least every 90 days
Framework: GxP 21 CFR Part 11
Severity: Low

Rule Description

IAM user access keys should be rotated at least every 90 days for GxP 21 CFR Part 11 compliance. This rule ensures that access keys, which are used to authenticate and authorize IAM users in the AWS environment, are regularly updated to enhance security and protect sensitive data within the scope of GxP regulations.

Troubleshooting Steps

  1. Confirm the IAM user's group or individual policy settings to ensure the access key rotation requirement is enforced.
  2. Verify whether the IAM user has external dependencies or services that rely on the access key. If so, proper planning and coordination will be required to avoid service disruptions during the rotation process.
  3. In case of any issues or errors during the key rotation process, consult the AWS IAM documentation or contact AWS support for further assistance.

Necessary Codes or Configuration

No specific codes or configurations are required for this rule. However, you may need to utilize AWS CLI commands to manage and rotate IAM user access keys.

Remediation Steps

Follow these step-by-step instructions to remediate the issue and rotate IAM user access keys:

  1. Identify IAM users with access keys that have not been rotated within the last 90 days.
  2. Determine the impact of key rotation on any dependent services or applications associated with the IAM user.
  3. Optionally, notify affected IAM users about the upcoming key rotation to minimize any potential service disruptions.
  4. Generate a new access key for the IAM user using the AWS Management Console or the AWS CLI with the following command:

       aws iam create-access-key --user-name <IAM-USERNAME>

     Note: Replace <IAM-USERNAME> with the IAM username that requires key rotation.
  5. Save or securely distribute the new access key credentials to the respective IAM user, ensuring they are aware of any necessary updates to their applications or scripts.
  6. Test the new access key by attempting to access the AWS resources associated with the IAM user.
  7. Once the new access key is confirmed to be functioning correctly, delete the old access key using the following AWS CLI command:

       aws iam delete-access-key --user-name <IAM-USERNAME> --access-key-id <OLD-ACCESS-KEY-ID>

     Note: Replace <IAM-USERNAME> with the IAM username and <OLD-ACCESS-KEY-ID> with the ID of the old access key that needs to be removed.
  8. Monitor and validate that the IAM user can successfully perform required actions with the new access key.
  9. If any issues arise during the key rotation process, refer to the AWS IAM documentation or contact AWS support for guidance.
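The identification step (step 1) and the rotation sequence (steps 4 to 7) above, as an added example that is not part of the original Cloud Defense page and not an AWS tool: it parses the JSON that `aws iam list-access-keys` returns, reports active keys older than 90 days, and builds the ordered CLI commands for rotating one key without running them. The sample JSON, user names and key IDs are constructed placeholders. Two details beyond the page's steps are assumptions worth stating: `aws iam update-access-key --status Inactive` is a real AWS CLI command inserted before the delete so the old key can be re-enabled if the new one fails, and the plan refuses to create a key for a user who already has two, because IAM allows at most two access keys per user.

```python
"""Flag IAM access keys older than 90 days and plan a single key rotation.

Added example, not Cloud Defense's or AWS's code. It expects the JSON shape
produced by `aws iam list-access-keys` (an "AccessKeyMetadata" list whose
entries carry UserName, AccessKeyId, Status and CreateDate).
"""
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample in the shape of `aws iam list-access-keys` output.
# The user names and key IDs are placeholders, not real AWS identifiers.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000001",
         "Status": "Active", "CreateDate": "2024-01-10T08:00:00+00:00"},
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000002",
         "Status": "Active", "CreateDate": "2024-05-01T08:00:00+00:00"},
        {"UserName": "analyst", "AccessKeyId": "AKIAEXAMPLE00000003",
         "Status": "Active", "CreateDate": "2023-06-01T08:00:00+00:00"},
    ]
})


def stale_keys(list_output_json, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (UserName, AccessKeyId, age_in_days) for every active key older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    entries = json.loads(list_output_json)["AccessKeyMetadata"]
    stale = []
    for key in entries:
        if key["Status"] != "Active":
            continue  # an inactive key cannot authenticate; cleaning it up is separate hygiene
        created = datetime.fromisoformat(key["CreateDate"])
        age_days = (now - created).days
        if age_days > max_age_days:
            stale.append((key["UserName"], key["AccessKeyId"], age_days))
    return stale


def rotation_plan(list_output_json, user_name, old_key_id):
    """Return the ordered CLI commands for rotating one key (commands are built, not executed).

    Raises ValueError if the key does not belong to the user and RuntimeError if the
    user already holds two keys, since IAM's per-user limit would make create-access-key fail.
    """
    entries = json.loads(list_output_json)["AccessKeyMetadata"]
    user_keys = [k for k in entries if k["UserName"] == user_name]
    if not any(k["AccessKeyId"] == old_key_id for k in user_keys):
        raise ValueError(f"{old_key_id} does not belong to {user_name}")
    if len(user_keys) >= 2:
        raise RuntimeError(
            f"{user_name} already has two access keys; deactivate and delete one before creating another"
        )
    return [
        f"aws iam create-access-key --user-name {user_name}",
        "# distribute the new key and confirm the workload authenticates with it",
        f"aws iam update-access-key --user-name {user_name} --access-key-id {old_key_id} --status Inactive",
        "# watch for auth failures; re-enable the old key with --status Active if something broke",
        f"aws iam delete-access-key --user-name {user_name} --access-key-id {old_key_id}",
    ]


if __name__ == "__main__":
    reference = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "today" for the sample
    for user, key_id, age in stale_keys(SAMPLE_LIST_ACCESS_KEYS, now=reference):
        print(f"{user}: {key_id} is {age} days old (limit {MAX_KEY_AGE_DAYS})")
        try:
            print("\n".join(rotation_plan(SAMPLE_LIST_ACCESS_KEYS, user, key_id)))
        except RuntimeError as err:
            print(f"cannot rotate yet: {err}")
```

Run stand-alone it prints the stale keys and, for the user with a free key slot, the command sequence a reviewer can approve before anything is executed; for the user already at two keys it explains why step 4 would fail, which is the usual cause of a half-finished rotation.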
