Cloud Defense Logo

Products

Solutions

Company

IAM User Access Key Rotation Rule

This rule specifies that IAM user access keys must be rotated every 90 days to enhance security.

RuleIAM user access keys should be rotated at least every 90 days
FrameworkNIST 800-53 Revision 5
Severity
Low

Rule: IAM user access keys should be rotated at least every 90 days

This rule is based on the NIST 800-53 Revision 5 security guideline, which recommends rotating IAM user access keys to enhance security and mitigate the risk of unauthorized access to AWS resources.

Description:

IAM user access keys provide programmatic access to AWS services and resources. By regularly rotating these access keys, the risk of unauthorized access is reduced as any compromised or leaked access keys become obsolete after the rotation.

Troubleshooting Steps:

There are no specific troubleshooting steps for this rule, as it primarily focuses on policy enforcement rather than resolving technical issues. However, if an IAM user's access key needs to be rotated manually, the following remediation guide can be followed.

Remediation Guide:

To comply with the NIST 800-53 Revision 5 guideline of rotating IAM user access keys every 90 days, the following steps can be taken:

  1. 1.

    Identify IAM users whose access keys need to be rotated.

    • Review IAM users and their associated access keys using the AWS Management Console, AWS CLI, or AWS SDKs.

    CLI Command:

    aws iam list-users
    
  2. 2.

    Generate new access keys for the identified IAM users.

    • New access keys are required to replace the existing ones. Generating new access keys will invalidate the old keys, thereby ensuring only the updated ones grant access.

    CLI Command:

    aws iam create-access-key --user-name <user-name>
    
  3. 3.

    Store the new access keys securely.

    • Ensure that the new access keys are stored securely, following best practices such as using password managers or secure key management systems.
  4. 4.

    Update the access keys for the IAM users.

    • Once the new access keys have been generated, update the IAM user's access key configuration by replacing the old access keys with the new ones.

    CLI Command:

    aws iam update-access-key --access-key-id <old-access-key-id> --status Inactive
    

    CLI Command:

    aws iam update-access-key --access-key-id <new-access-key-id> --status Active
    
  5. 5.

    Communicate the updated access keys to the respective IAM users.

    • Provide the IAM users with their new access keys and instruct them to update any applications, scripts, or services utilizing the AWS resources to use the new access keys.
  6. 6.

    Verify the access key rotation.

    • Ensure that the old access keys are no longer in use and the new access keys are functioning correctly. Validate that the IAM users can access the required AWS resources without any issues.

By following these steps, IAM user access keys will be rotated at least every 90 days, as recommended by the NIST 800-53 Revision 5 security guideline. This enhances the security of AWS resources and minimizes the risk of unauthorized access.

Is your System Free of Underlying Vulnerabilities?
Find Out Now