Profile Applicability: Level 1
Description:
Access keys are long-term credentials for an IAM user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. Access keys are often generated unnecessarily at user creation; these unneeded credentials add management work for auditing and rotation, and every unused long-term key is another secret that can leak without anyone noticing.
Rationale:
Requiring the user to take an additional step for programmatic access after their profile has been created gives a stronger indication of intent that the access keys are:
Necessary for their work
Once an access key exists on an account, it may be in use somewhere in the organization, so a key that was created automatically and never claimed is both unnecessary and hard to retire safely.
Note: Even if it is known that the user will need access keys, require them to create the keys themselves, or to open a support ticket to have them created, as a separate step from user creation.
Impact:
Human users who sign in with a console password should not automatically receive an access key as well; issuing each identity only the credential type required for its assigned task helps you maintain a secure AWS environment. Application and automation identities that access AWS programmatically should use access keys (not console passwords), and only those identities should hold them.
Default Value:
When you create an IAM user in the console, AWS offers a "Programmatic access" checkbox that controls whether an access key is created.
If the Programmatic access checkbox is ticked, an access key is generated automatically as part of user creation.
If the checkbox is left unticked, no access key is created automatically.
Pre-Requisite:
To list or create access keys for other IAM users you need administrative IAM permissions (for example iam:ListAccessKeys and iam:CreateAccessKey).
By creating keys you are granting the user programmatic access to the account.
Remediation:
Test Plan:
- Log in to the AWS Management Console.
- Navigate to the IAM service https://console.aws.amazon.com/iam/.
- Click on Users in the left navigation pane.
- In the Users table, check the access key column for each user that has a console password.
- A value of None means no access key has been generated for that user; any other value means a key exists and its creation date should be compared with the user's creation date.
Using AWS CLI:
List all IAM users in your account with the following command:
aws iam list-users --query 'Users[*].UserName'
To list the access keys of a user, using the IAM user name that you want to examine:
aws iam list-access-keys --user-name <name-of-IAM-user>
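The console and CLI steps above show only whether a user has a key. The question this control asks is whether the key was created together with a console user, which the IAM credential report answers directly: it lists user_creation_time, password_enabled and access_key_N_last_rotated (the key's creation time until it is rotated) for every user. The following is an added example, not part of the original page, that runs this audit over a constructed credential report in the CSV format returned by aws iam get-credential-report (after base64 decoding). The user names, account ID and the 60-second "created during setup" window are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an IAM credential report (same columns as the CSV
# returned by `aws iam get-credential-report`). Users and account ID are
# hypothetical.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-05T10:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-02-10T08:30:12+00:00,true,2024-03-02T07:00:00+00:00,2024-02-10T08:30:12+00:00,N/A,true,true,2024-02-10T08:30:14+00:00,2024-03-01T10:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-11-01T12:00:00+00:00,true,2024-03-01T15:40:00+00:00,2023-11-01T12:00:00+00:00,N/A,true,true,2024-01-15T09:00:00+00:00,2024-02-28T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-06-20T14:05:00+00:00,false,N/A,N/A,N/A,false,true,2023-06-20T14:05:01+00:00,2024-03-02T03:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-01-03T16:20:00+00:00,true,N/A,2024-01-03T16:20:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,true,2024-01-03T16:20:03+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# How close together user creation and key creation must be to count as
# "created during initial setup". The console wizard creates both within a
# few seconds; 60 seconds is an assumption chosen for this example.
SETUP_WINDOW = timedelta(seconds=60)


def parse_time(value):
    """Parse a credential-report timestamp; the report's placeholders become None."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def keys_created_at_setup(report_csv, window=SETUP_WINDOW):
    """Return one finding per active access key that was created together with
    a console-password user. Service users without a console password are
    out of scope for this control and are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root credentials are covered by other controls
        if row["password_enabled"] != "true":
            continue  # no console password: programmatic-only identity
        created = parse_time(row["user_creation_time"])
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            key_created = parse_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_time(row[f"access_key_{slot}_last_used_date"])
            if key_created is not None and abs(key_created - created) <= window:
                findings.append({
                    "user": row["user"],
                    "key_slot": int(slot),
                    "never_used": last_used is None,
                })
    return findings


def remediation_commands(findings):
    """Emit the AWS CLI steps for each finding. The credential report carries
    no key IDs, so list them per user first; deactivating before deleting lets
    you confirm nothing depends on the key before it is gone for good."""
    cmds = []
    for f in findings:
        cmds.append(f"aws iam list-access-keys --user-name {f['user']}")
        cmds.append(
            f"aws iam update-access-key --user-name {f['user']} "
            f"--access-key-id <access_key_id> --status Inactive"
        )
    return cmds


if __name__ == "__main__":
    results = keys_created_at_setup(SAMPLE_REPORT)
    for f in results:
        state = "never used" if f["never_used"] else "in use: investigate before removing"
        print(f"{f['user']}: access key {f['key_slot']} created at user setup ({state})")
    for cmd in remediation_commands(results):
        print(cmd)
```

Against the sample, alice and carol are flagged (keys created 2 and 3 seconds after the user), bob is not (his key was created months later), and deploy-bot is skipped because it has no console password. To run it on a real account, first call aws iam generate-credential-report, then aws iam get-credential-report --query Content --output text and base64-decode the result before passing it in; note that AWS regenerates the report at most once every four hours, so a key created since the last report will not appear.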
Implementation Steps:
Perform the following steps to create an access key as a separate step after the user has been created:
- Log in to the AWS Management Console.
- Navigate to the IAM service https://console.aws.amazon.com/iam/.
- Click on Users in the left navigation pane.
- Click on the user name.
- Click on the Security credentials tab.
- Scroll down to the Access keys section and click the Create access key button.
Using AWS CLI:
- Use the following command to create an access key for an IAM user; the secret access key is returned only in this response, so store it securely at once:
aws iam create-access-key --user-name <name-of-IAM-user>
Backout Plan:
- Follow these steps to remove or disable the access key:
- Follow implementation steps 1 to 5 above to reach the Security credentials tab of the user.
- In the Access keys section, click Deactivate to make the key inactive (keeping it recoverable), or Delete to remove it permanently once you have confirmed nothing depends on it.
Using AWS CLI:
- Use the following command to delete an access key for an IAM user:
aws iam delete-access-key --user-name <name-of-IAM-user> --access-key-id <access_key_id>