Profile Applicability: Level 1


Description:

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. 


Rationale:

Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.


Impact:

By rotating access keys every 90 days, you can make your AWS account more secure and reliable.


Default Value:

By default, AWS never rotates access keys; rotation has to be performed periodically by the account administrator.


Audit:

Perform the following to determine whether any active access keys are older than 90 days: 

  • Sign in to the AWS Management Console.
  • Navigate to IAM services https://console.aws.amazon.com/iam/.
  • Click on Users in the left navigation pane.
  • Click on the username that you want to check.
  • Select the Security Credentials tab and go to the Access keys section.
  • Under the Access keys section, check the Created column to see when each key was created.
  • Ensure all active keys have been rotated within the last 90 days.


Alternatively, use the credential report:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM services https://console.aws.amazon.com/iam/.

  3. Click on Credential report in the left navigation pane.

  4. Click on the Download Report option, which lists all of your account's users and the status of their various credentials.

  5. This will download a .xls file that contains access key usage for all IAM users within the AWS account. Open this file and focus on the following columns (where X = 1 or 2):

    access_key_X_active 

    access_key_X_last_rotated 

  6. From these columns you can check the age of each active key. If a key's age is more than 90 days, follow the Implementation Steps to rotate it.
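The credential-report check above can be automated. The following is an added example (not part of the benchmark or AWS tooling) that reads the two columns named in step 5 from a constructed sample report and flags every active key that has not been rotated in the last 90 days. The user names, account id and timestamps in the sample are made up, and the audit date is fixed so the output is reproducible.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample credential report: the account id, user names and
# timestamps are made up. Real reports carry many more columns; only the
# ones the audit needs are included here.
SAMPLE_REPORT = """\
user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T09:00:00+00:00,true,2023-11-01T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-06-15T10:30:00+00:00,true,2024-02-20T15:45:00+00:00,true,2024-05-02T08:10:00+00:00
carol,arn:aws:iam::111122223333:user/carol,2022-09-09T11:00:00+00:00,false,2023-01-05T09:00:00+00:00,false,N/A
"""

# Fixed audit date so the sample result is reproducible (assumption for the demo).
AUDIT_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_report_time(value):
    """Parse an ISO-8601 timestamp from the report; 'N/A' / 'no_information' mean no key."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_access_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key slot, age in days) for every active key older than max_age_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            active = row[f"access_key_{slot}_active"].strip().lower() == "true"
            rotated = parse_report_time(row[f"access_key_{slot}_last_rotated"].strip())
            if not active or rotated is None:
                continue  # inactive or non-existent keys are out of scope for rotation
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append((row["user"], slot, age_days))
    return findings


def run_sample_audit():
    """Run the check against the constructed report at the fixed audit date."""
    return stale_access_keys(SAMPLE_REPORT, AUDIT_NOW)


if __name__ == "__main__":
    for user, slot, age in run_sample_audit():
        print(f"{user}: access_key_{slot} is {age} days old -> rotate")
```

Against a real report, download it with the console steps above (or `aws iam get-credential-report`) and pass the decoded CSV text and the current UTC time to `stale_access_keys`; keys that are inactive, or that show `N/A` in the rotation column, are skipped because they cannot be used and do not need rotation.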


Remediation:

Pre-requisites

  • Log in as an Administrator to perform the below steps

  • Approval Required from the client for remediation of the task

  • After auditing, perform the below steps only for access keys whose age is 90 days or more.


Implementation Steps

Perform the following to rotate access keys by deactivating or deleting the old key and creating a new one: 

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM services https://console.aws.amazon.com/iam/.

  3. Click on Users in the left navigation pane.

  4. Click on the username whose keys you want to rotate.

  5. Select the Security Credentials tab and go to the Access keys section.

  6. Make the existing access key inactive by clicking Make Inactive, or remove it by clicking Delete.

  7. Then click Create access key to create a new key.

CLI Remediation

  1. To determine when an access key was most recently used:  aws iam get-access-key-last-used

  2. To disable or re-enable an access key:  aws iam update-access-key

  3. To create an access key:  aws iam create-access-key

  4. To list a user's access keys:  aws iam list-access-keys

  5. To delete an access key: aws iam delete-access-key
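The CLI commands above map onto the IAM API calls `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key`. The following added example (not part of the benchmark; written for this page) chains them into one rotation routine that creates the replacement key first and only deactivates the old one, so the old key can be re-enabled if a consumer still depends on it, and that handles the two-keys-per-user limit that otherwise makes `create_access_key` fail. The `FakeIAM` class is a constructed stand-in for the boto3 IAM client so the demo runs offline; with real credentials the same function takes `boto3.client("iam")`. The key ids and secret in the demo are made up.

```python
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2  # IAM's hard limit on access keys per user


def rotate_user_access_key(iam, user_name, old_key_id):
    """Create a replacement key for user_name, then deactivate old_key_id.

    iam is a boto3 IAM client (or anything with the same method names).
    The old key is only deactivated, so it can be re-enabled if something
    still depends on it; delete it once the new key is confirmed in use.
    Returns (new_key_id, new_secret); AWS returns the secret exactly once.
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    by_id = {k["AccessKeyId"]: k for k in keys}
    if old_key_id not in by_id:
        raise ValueError(f"{old_key_id} is not an access key of {user_name}")
    if len(keys) >= MAX_KEYS_PER_USER:
        # At the two-key limit create_access_key would fail; only an inactive
        # spare is safe to delete to make room for the replacement.
        spare = next((k for k in keys
                      if k["AccessKeyId"] != old_key_id and k["Status"] == "Inactive"), None)
        if spare is None:
            raise RuntimeError(f"{user_name} has {len(keys)} active keys; retire one first")
        iam.delete_access_key(UserName=user_name, AccessKeyId=spare["AccessKeyId"])
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return new["AccessKeyId"], new["SecretAccessKey"]


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client so the demo runs offline."""

    def __init__(self, user_name, keys):
        self.keys = {k["AccessKeyId"]: dict(k, UserName=user_name) for k in keys}
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [k for k in self.keys.values() if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if sum(k["UserName"] == UserName for k in self.keys.values()) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded")  # mirrors the real API's refusal
        self.created += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAEXAMPLENEW{self.created}",
               "SecretAccessKey": "constructed-secret", "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        self.keys[key["AccessKeyId"]] = key
        return {"AccessKey": key}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status
        return {}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
        return {}


def key_statuses(iam):
    """Map each key id held by the fake client to its status (demo helper)."""
    return {key_id: k["Status"] for key_id, k in iam.keys.items()}


def demo_single_key():
    """User with one active key: a new key is created and the old one deactivated."""
    iam = FakeIAM("alice", [{"AccessKeyId": "AKIAEXAMPLEOLD1", "Status": "Active"}])
    new_id, _secret = rotate_user_access_key(iam, "alice", "AKIAEXAMPLEOLD1")
    return new_id, key_statuses(iam)


def demo_at_key_limit():
    """User already holding two keys: the inactive spare is removed to make room."""
    iam = FakeIAM("bob", [{"AccessKeyId": "AKIAEXAMPLEOLD1", "Status": "Active"},
                          {"AccessKeyId": "AKIAEXAMPLESPARE", "Status": "Inactive"}])
    new_id, _secret = rotate_user_access_key(iam, "bob", "AKIAEXAMPLEOLD1")
    return new_id, key_statuses(iam)


if __name__ == "__main__":
    print(demo_single_key())
    print(demo_at_key_limit())
```

Deactivating rather than deleting in the last step is what makes the backout plan below possible: if an application breaks after rotation, `update_access_key` with `Status="Active"` restores the old key while the new one is distributed; once nothing uses the old key any more, `delete_access_key` removes it for good.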


Backout Plan

If you lose or forget your secret key, you cannot retrieve it. Instead, create a new access key and make the old key inactive. 


References:

CIS Controls:

16.9 Disable Dormant Accounts 

  • Automatically disable dormant accounts after a set period of inactivity.