Profile Applicability:
Level 1
Description:
When creating an IAM user, AWS provides the option to enable:
Programmatic access: Generates an access key (Access Key ID & Secret Access Key).
AWS Management Console access: Generates a console password for user login.
To enforce least privilege and reduce security risks, access keys should not be created during initial user setup.
Instead, IAM users should explicitly request access keys only when needed.
Rationale:
Reduces attack surface by preventing unnecessary credentials.
Encourages explicit intent when requesting programmatic access.
Prevents unused access keys from remaining active and unmonitored.
Reduces risk of credential leakage in logs, repositories, or shared environments.
Impact:
Failure to restrict access key creation during IAM user setup increases the risk of credential exposure.
IAM users may receive access keys they do not need, increasing the potential for security misconfigurations.
Unused access keys may remain active indefinitely, creating an unmonitored attack vector.
Default Value:
By default, AWS does not create access keys for new IAM users. However, administrators can manually enable access keys during user creation.
Pre-Requisites:
IAM Administrator Access:
Permissions required: iam:ListUsers, iam:ListAccessKeys, iam:DeleteAccessKey.
IAM Policy Enforcement:
Implement an IAM policy to restrict access key creation during user setup.
CloudTrail Monitoring:
Configure AWS CloudTrail to log IAM access key creation events.
Remediation:
Test Plan:
Using AWS Console:
Login to the AWS Console as an IAM Administrator.
Navigate to IAM Console → Click Users.
Identify users with both:
Password Age (indicating console access).
Access Key Age (indicating programmatic access).
Click on each user’s Security Credentials tab and compare:
User Creation Date vs Access Key Created Date.
If an IAM user's Access Key Creation Date matches their User Creation Date, they were issued an access key during setup.
Using the AWS Command Line:
Generate a credential report:
aws iam generate-credential-report
Retrieve and process the credential report:
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16
Identify unused access keys created during user setup:
user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
elise,false,true,2015-04-16T15:14:00+00:00,false,N/A
brandon,true,true,N/A,false,N/A
rakesh,false,false,N/A,false,N/A
helene,false,true,2015-11-18T17:47:00+00:00,false,N/A
paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00
anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A
- If an IAM user has password_enabled=true and an active access key whose last_used_date column is N/A, that access key was never used and should be deleted.
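The check above can be run over the credential report automatically. The following is an added example, not part of the benchmark text: it parses the report columns by header name, so it accepts both the full report and the 6-column cut output above; the sample rows are the ones shown above, and the boto3 fetch helper's API is an assumption.

```python
import csv
import io
import time

# Credential report sample, constructed here from the `cut` output shown above.
SAMPLE_REPORT = """\
user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
elise,false,true,2015-04-16T15:14:00+00:00,false,N/A
brandon,true,true,N/A,false,N/A
rakesh,false,false,N/A,false,N/A
helene,false,true,2015-11-18T17:47:00+00:00,false,N/A
paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00
anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A
"""


def unused_keys(report_csv):
    """Return (user, key_slot) for every active access key that has never been
    used and belongs to a user who also has console access (password_enabled=true).

    Columns are looked up by header name, so the full credential report and the
    6-column `cut` output above are both accepted. The root account row reports
    password_enabled=not_supported and is therefore skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue
        for slot in (1, 2):
            active = row[f"access_key_{slot}_active"] == "true"
            never_used = row[f"access_key_{slot}_last_used_date"] == "N/A"
            if active and never_used:
                findings.append((row["user"], slot))
    return findings


def fetch_credential_report(iam_client):
    """Generate and download a live report through a boto3 IAM client
    (assumed API; boto3 hands back the CSV already base64-decoded, as bytes)."""
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    return iam_client.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    # Swap SAMPLE_REPORT for fetch_credential_report(boto3.client("iam")) to run live.
    for user, slot in unused_keys(SAMPLE_REPORT):
        print(f"{user}: access key {slot} is active but has never been used")
```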
Implementation Steps:
Step 1: Delete Unused Access Keys via Console
Login to AWS Console as an IAM Administrator.
Go to IAM Console → Click Users.
Click on the IAM user’s name → Go to Security Credentials tab.
Identify unused access keys (those whose creation date matches the User Creation Date but that show no usage).
Click Delete (X) to remove unused access keys.
Step 2: Delete Unused Access Keys via CLI
- List all access keys for an IAM user:
aws iam list-access-keys --user-name <user-name>
- Delete each unused access key:
aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>
- Verify that all unused access keys are removed:
aws iam list-access-keys --user-name <user-name>
- If an access key was mistakenly deleted, follow these steps:
Regenerate a new access key for the affected IAM user:
aws iam create-access-key --user-name <user-name>
Securely store the new access key in a password manager.
Communicate the change to the IAM user.
References:
AWS IAM Access Key Best Practices: AWS Guide
AWS IAM Access Key Deletion CLI: AWS CLI Docs
AWS IAM User Creation Guide: AWS Documentation