iCompaas Support

Profile Applicability: Level 1

Description:

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. 

Rationale:

Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.

Impact:

By rotating access keys every 90 days, you can make your AWS account more secure and reliable.

Default Value:

By default AWS will not rotate keys at any time, we need to do it periodically.

Pre-requisites:

• Log in as an Administrator to perform the below steps

• Approval Required from the client for remediation of the task

• After auditing, if you found any access keys age is 90 days or more then only perform the below steps.

Remediation:

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.
2. Navigate to IAM service at https://console.aws.amazon.com/iam/.
3. Click on the Users in the left navigation pane
4. Click on the username that you want to check
5. Select the Security Credentials tab and go to the Access keys section
    
6. Under the Access Keys section check the created column to know when the key was created
7. If you notice that the key was created before 90 days follow the implementation steps to rotate the keys

Using AWS CLI:

This command gives the list of access keys 

aws iam list-access-keys --user-name ABC

Or you can also use a credential report  

1. Sign in to the AWS Management Console.

2. Navigate to IAM service https://console.aws.amazon.com/iam/.

3. Click on the Credential report in the left navigation pane
   

4. Click on the download report option given, which lists all your account's users and the status of their various credentials.

5. This will download a .xls file that contains Access Key usage for all IAM users within an AWS Account - open this file. Focus on the following columns (where x = 1 or 2)
   

   access_key_X_active 

   access_key_X_last_rotated 

6. From there you can check the age of the key. If you notice the key age is more than 90 days follow the Implementation steps to rotate.
   
   

Implementation Steps: 

1. Sign in to the AWS Management Console.

2. Navigate to IAM service at https://console.aws.amazon.com/iam/.

3. Click on the Users in the left navigation pane

4. Click on the username that you want to rotate keys

5. Select the Security Credentials tab and go to the Access keys section
   

6. Make existing access key inactive by clicking on Deactivate or Delete by clicking on delete
   

7. After that click on create access key to create new keys
   

Using AWS CLI:

aws iam update-access-key --access-key-id <ABCDE> --status Inactive --user-name <ABC>

Backout Plan:

If you lose or forget your secret key, you cannot retrieve it. Instead, create a new access key and make the old key inactive. 

References:

• Managing access keys for IAM users - AWS Identity and Access Management 

CIS Controls:

16.9 Disable Dormant Accounts 

• Automatically disable dormant accounts after a set period of inactivity.