Profile Applicability: Level 1


Description:

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.


Rationale:

Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.


Impact:

By rotating access keys every 90 days, you can make your AWS account more secure and reliable.


Default Value:

By default, AWS never rotates access keys; rotation has to be done manually or by a scheduled process.


Audit:

  1. Sign in to the AWS Management Console.
  2. Navigate to IAM services at https://console.aws.amazon.com/iam/.
  3. Click on Users in the left navigation pane.
  4. Click on the username that you want to check.
  5. Select the Security Credentials tab and go to the Access keys section.
  6. Under the Access keys section, check the Created column to see when each key was created.
  7. If a key was created more than 90 days ago, follow the Implementation steps to rotate it.

Via CLI:

aws iam list-access-keys --user-name ABC


Alternatively, you can use a credential report:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM services at https://console.aws.amazon.com/iam/.

  3. Click on Credential report in the left navigation pane.

  4. Click on the Download report option, which lists all of your account's users and the status of their various credentials.

  5. This downloads a .xls file containing access key usage for all IAM users within the AWS account. Open this file and focus on the following columns (where X = 1 or 2):

     access_key_X_active

     access_key_X_last_rotated

  6. From there you can check the age of each key. If a key is older than 90 days, follow the Implementation steps to rotate it.


Remediation:

Pre-requisites

  • Log in as an Administrator to perform the below steps

  • Perform the steps below only for access keys that the audit found to be 90 days old or older.


Implementation Steps: 

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM services at https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. Click on the username whose keys you want to rotate.

  5. Select the Security Credentials tab and go to the Access keys section.

  6. Deactivate the existing access key by clicking Make Inactive, or remove it by clicking Delete.

  7. Then click Create access key to create a new key.


Via CLI:

aws iam update-access-key --access-key-id <ABCDE> --status Inactive --user-name <ABC>
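The rotation scripted with boto3-style IAM calls, as an added example that is not part of the benchmark text. It uses the ordering AWS documents for a no-downtime rotation (create the replacement key first, move consumers to it, then set the old key to Inactive, and only delete it after verification), which is why it refuses to run when the user already holds two keys, the IAM limit. `FakeIAM` is a constructed in-memory stand-in for `boto3.client("iam")` so the script runs offline; the key ids and secret it hands out are placeholders, and `rotate_access_key()` works unchanged with a real boto3 client.

```python
"""Rotate an IAM user's access key with the create-first ordering (added example)."""
import itertools


class FakeIAM:
    """Constructed stand-in for boto3.client('iam'); real accounts use boto3 instead."""

    def __init__(self, keys):
        # keys: {user: [(key_id, status), ...]} (constructed sample data)
        self.keys = {u: [dict(AccessKeyId=k, Status=s) for k, s in ks] for u, ks in keys.items()}
        self._ids = itertools.count(1)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(UserName=UserName, **k) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= 2:  # IAM allows at most two keys per user
            raise RuntimeError("LimitExceeded: cannot exceed quota for AccessKeysPerUser: 2")
        key = dict(AccessKeyId=f"AKIAFAKE{next(self._ids):08d}", Status="Active")  # placeholder id
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": dict(UserName=UserName, SecretAccessKey="fake-secret-placeholder", **key)}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
                return
        raise KeyError(AccessKeyId)

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]


def rotate_access_key(iam, user, old_key_id, delete_old=False):
    """Create a replacement key, deactivate old_key_id, and optionally delete it.

    Returns (new_key_id, new_secret). Every consumer of old_key_id must be moved
    to the new key between creation and deactivation; in a real rollout that is
    a deploy rather than a function call, so by default the old key is only set
    Inactive (reversible) and deleted in a later run once nothing still uses it.
    """
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if not any(k["AccessKeyId"] == old_key_id for k in existing):
        raise ValueError(f"{old_key_id} does not belong to {user}")
    if len(existing) >= 2:
        # Both key slots are taken; which key is safe to remove is a human decision.
        raise RuntimeError(f"{user} already has two access keys; delete an unused one first")
    created = iam.create_access_key(UserName=user)["AccessKey"]
    # ... consumers are switched to created["AccessKeyId"] at this point ...
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    if delete_old:
        iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return created["AccessKeyId"], created["SecretAccessKey"]


def key_statuses(iam, user):
    """Map key id -> status for a user, to verify the end state of a rotation."""
    return {k["AccessKeyId"]: k["Status"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}


def demo():
    """Rotate alice's key and show the two-key guard firing for bob (constructed data)."""
    iam = FakeIAM({"alice": [("AKIAFAKEOLDKEY00", "Active")],
                   "bob": [("AKIAFAKEBOB00001", "Active"), ("AKIAFAKEBOB00002", "Inactive")]})
    new_id, _secret = rotate_access_key(iam, "alice", "AKIAFAKEOLDKEY00")
    try:
        rotate_access_key(iam, "bob", "AKIAFAKEBOB00001")
        bob_blocked = False
    except RuntimeError:
        bob_blocked = True
    return new_id, key_statuses(iam, "alice"), bob_blocked


if __name__ == "__main__":
    print(demo())
```

The secret is returned only once, at creation, so the caller must hand it to the new consumers immediately; keeping the old key Inactive rather than deleting it is what makes the backout below possible if something still depends on it.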


Backout Plan:

If you lose or forget your secret key, you cannot retrieve it. Instead, create a new access key and make the old key inactive. 


References:

CIS Controls:


16.9 Disable Dormant Accounts 

  • Automatically disable dormant accounts after a set period of inactivity.