Profile Applicability: Level 1


Description

Access keys are long-term credentials for an IAM user, You can use access keys to sign programmatic requests to the AWS CLI or AWS API. Some time many access keys generate unnecessarily, this unnecessary credentials also generate unnecessary management work in auditing and rotating these keys.


Rationale

Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are:

  • Necessary for their work

  • Once the access key is established on an account that the keys may be in use somewhere in the organization.

Note: Even if it is known the user will need access keys, require them to create the keys themselves, or put a support ticket to have the created as a separate step from user creation.


Impact:

All IAM users have a console password with an access key by controlling their privileges, which helps you to maintain a secure AWS environment. These privileges are necessary to perform the assigned task. Application users should use only access keys to programmatically access data in AWS.


Default Value:

When we create an IAM user AWS provides a facility to set a checkbox (Programmatic access) for creating access key enabled

If we tickmark on the check box of Programmatic access it automatically generates the access key you can see in below pic

If we will not click on the check box of Programmatic access it will not enable the access key automatically.


Audit:

Via AWS Console

Step 1: Log in to the AWS Management Console

Step 2: Navigate to IAM service https://console.aws.amazon.com/iam/

Step 3: Click on Users in the left navigation pane.

Step 4: In the table see the access key for the user is created or not 

There is None for a user in the above pic it means for this user no access key generate


Via CLI:

Step 1: List out all IAM users within your account by using the below command

aws iam list-users --query 'Users[*].UserName'

Step 2: To list out the access key of a user using the IAM user name that you want to examine 

aws iam list-access-keys --user-name < name of IAM user>


Remediation:

Pre-Requisite:

  • If you want to create access keys for all the IAM users you need Admin access

  • By creating keys you are giving programmatic access to user


Implementation Steps:

Perform the following Steps access key:-

Step 1: Log in to the AWS Management Console 

Step 2: Navigate to IAM service https://console.aws.amazon.com/iam/

Step 3: Click on Users in the left navigation pane

Step 4: Click on the User name

Step 5: Click on the Security credentials tab

Step 6: Scroll down and go to the Access Key column and click on  Create access key button


Via CLI:

Step 1:  Follow the step to create an access key for an IAM user

aws iam create-access-key --user-name < Name of User> 



Backout Plan:

Follow the steps to remove the access key:

Step 1: Log in to the AWS Management Console 

Step 2: Navigate to IAM service https://console.aws.amazon.com/iam/

Step 3: Click on Users in the left navigation pane

Step 4: Click on the User name 

Step 5: Click on the Security credentials tab

Step 6: Click on Make inactive and then if you want to remove it then click on the cross button

Via CLI:

Step 1: Use the following command to delete an access key for an IAM user

aws iam delete-access-key --user-name < name of IAM user> --access-key-id <access_key_id>


References:

  1. Managing access keys for IAM users - AWS Identity and Access Management 

  2. Create an access key for an IAM user - AWS Command Line Interface