Description:

Access keys consist of an access key ID and secret access key, which are used to sign in into AWS. AWS users need their access keys to make API calls to AWS from the AWS Command Line Interface (AWS CLI). Access keys consist of two parts: an access key ID  and a secret access key Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

Rationale:

AWS allows you to assign a maximum of two active access keys, but this is recommended only during the key rotation process. Deactivating the old key once the new one is created so only one access key will remain active for the IAM user.


Impact:

Do not provide your access keys to a third party, By doing this, you might give someone permanent access to your account. And removing the unused access keypair will reduce the risk factor. 


Default Value:

When you create an access key pair, save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must delete the access key and create a new one.


Pre-requisites

  • Log in as an Administrator to perform the below steps

  • After auditing, if you found two access keys are active, then only perform the below steps.

Remediation:

Test Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAMthe dashboard at https://console.aws.amazon.com/iam/.

  3. In the left navigation panel, choose Users.

  4. Click on the IAM user name that you want to examine.

  5. On the IAM user configuration page, select the Security Credentials tab.

  6. Under the Access Keys section, in the Status column, If you find two access keys in Active follow the Implementation steps 


Using AWS CLI:

aws iam list-access-keys --user-name (your username)

Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

  3. In the left navigation panel, choose Users.

  4. Click on the IAM user name that you want to modify.
  5. On the IAM user configuration page, select the Security Credentials tab.
  6. In the Access Keys section, choose one access key that will be used to provide access to the AWS account, Test your account in the command prompt to make sure that the chosen access key is working.
  7. In the same Access Keys section, identify your non-operational access key (other than the chosen one) and deactivate it by clicking the Make Inactive 

In the Change Key Status confirmation box, click Deactivate to switch off the selected key.
 Using AWS CLI:

aws iam update-access-key --access-key-id AAAABBBBCCCCDD  --status Inactive --user-name (your username)


Backout plan:

You cannot back up the deactivated access key but can create a new access key.  

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html?icmpid=docs_iam_console