Profile Applicability:

Level 1

Description:
When creating an IAM user, AWS provides the option to enable:

  • Programmatic access: Generates an access key (Access Key ID & Secret Access Key).

  • AWS Management Console access: Generates a console password for user login.

To enforce least privilege and reduce security risks, access keys should not be created during initial user setup. Instead, IAM users should explicitly request access keys only when needed.

Rationale:

  • Reduces attack surface by preventing unnecessary credentials.

  • Encourages explicit intent when requesting programmatic access.

  • Prevents unused access keys from remaining active and unmonitored.

  • Reduces risk of credential leakage in logs, repositories, or shared environments.

Impact:

  • Failure to restrict access key creation during IAM user setup increases the risk of credential exposure.

  • IAM users may receive access keys they do not need, increasing the potential for security misconfigurations.

  • Unused access keys may remain active indefinitely, creating an unmonitored attack vector.

Default Value:

By default, AWS does not create access keys for new IAM users. However, administrators can manually enable access keys during user creation.

Pre-Requisites:

  1. IAM Administrator Access:

    • Permissions required: iam:ListUsers, iam:ListAccessKeys, iam:DeleteAccessKey.

  2. IAM Policy Enforcement:

    • Implement an IAM policy to restrict access key creation during user setup.

  3. CloudTrail Monitoring:

    • Configure AWS CloudTrail to log IAM access key creation events.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Console as an IAM Administrator.

  2. Navigate to IAM Console → Click Users.

  3. Identify users with both:

    • Password Age (indicating console access).

    • Access Key Age (indicating programmatic access).

  4. Click on each user's Security Credentials tab and compare:

    • User Creation Date vs Access Key Created Date.

  5. If an IAM user's Access Key Creation Date matches their User Creation Date, they were issued an access key during setup.

Using AWS Command Line:

Generate a credential report:

aws iam generate-credential-report

Retrieve and process the credential report:

aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16

Identify unused access keys created during user setup:

user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
elise,false,true,2015-04-16T15:14:00+00:00,false,N/A
brandon,true,true,N/A,false,N/A
rakesh,false,false,N/A,false,N/A
helene,false,true,2015-11-18T17:47:00+00:00,false,N/A
paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00
anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A

  • If an IAM user has password_enabled=true and an active key shows access_key_N_last_used_date=N/A, that access key was never used and should be deleted.
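The credential-report check above, carried through as an added shell example that is not part of the original benchmark text. It reads the decoded report from stdin, maps column names to positions from the header line (so the extra columns of a real report do not matter), and flags two conditions per key slot: an active key whose access_key_N_last_rotated date (which AWS documents as the key's creation date until it is first rotated) falls on the user's creation day, and an active key with no last-used date for a user who holds a console password. The same-day comparison is our assumption for "issued at setup"; the report content is constructed sample data and the function name flag_setup_keys is ours. Running it against a live account assumes the AWS CLI and the iam:GenerateCredentialReport and iam:GetCredentialReport permissions.

```shell
#!/bin/sh
# Added example: scan a decoded IAM credential report for access keys that were
# issued at user creation or that are active but never used. Not from the
# benchmark; function and variable names are ours.

# Constructed sample report, trimmed to the columns the check needs. A real
# report has more columns (arn, MFA, certificates, ...); the awk program maps
# names to positions from the header line, so extra columns are harmless.
SAMPLE_REPORT='user,user_creation_time,password_enabled,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,2015-01-01T10:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
brandon,2016-02-10T09:15:00+00:00,true,true,2016-02-10T09:15:12+00:00,N/A,false,N/A,N/A
elise,2015-03-02T11:00:00+00:00,false,true,2015-03-02T11:00:30+00:00,2015-04-16T15:14:00+00:00,false,N/A,N/A
helene,2015-11-01T08:30:00+00:00,false,true,2015-11-01T08:30:05+00:00,N/A,false,N/A,N/A
paras,2016-01-20T14:00:00+00:00,true,true,2016-07-01T09:00:00+00:00,2016-08-28T12:04:00+00:00,true,2016-02-15T10:00:00+00:00,2016-03-04T10:11:00+00:00
rakesh,2016-03-05T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A'

# Reads report CSV on stdin; prints "user,key_slot,reason" for each finding.
flag_setup_keys() {
  awk -F, '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header -> column index
    $col["user"] == "<root_account>" { next }                  # root row is out of scope here
    {
      user    = $col["user"]
      created = substr($col["user_creation_time"], 1, 10)      # YYYY-MM-DD
      pw      = $col["password_enabled"]
      for (slot = 1; slot <= 2; slot++) {
        active  = $col["access_key_" slot "_active"]
        rotated = $col["access_key_" slot "_last_rotated"]     # creation time until rotated
        used    = $col["access_key_" slot "_last_used_date"]
        if (active != "true") continue
        # Assumption: a key created on the user creation day was issued at setup.
        if (substr(rotated, 1, 10) == created)
          print user "," slot ",issued_at_user_creation"
        # Benchmark rule: console user holding an active key that has never been used.
        if (pw == "true" && used == "N/A")
          print user "," slot ",active_never_used"
      }
    }'
}

# Stand-alone run over the sample. Against a live account, replace the printf
# with: aws iam get-credential-report --query Content --output text | base64 -d
printf '%s\n' "$SAMPLE_REPORT" | flag_setup_keys
```

On the sample, brandon's key is flagged twice (issued at setup and never used), elise's and helene's keys only as issued at setup, and paras (keys rotated after creation and in use) and rakesh (no active keys) produce nothing. Note that helene's never-used key is not flagged under the benchmark's password_enabled=true rule because she has no console password; the setup-date check still catches it.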

Implementation Steps:

Step 1: Delete Unused Access Keys via Console

  1. Log in to the AWS Console as an IAM Administrator.

  2. Go to IAM Console → Click Users.

  3. Click on the IAM user's name → Go to Security Credentials tab.

  4. Identify unused access keys (those that match the User Creation Date but show no usage).

  5. Click Delete (X) to remove unused access keys.

Step 2: Delete Unused Access Keys via CLI

  • List all access keys for an IAM user:

      aws iam list-access-keys --user-name <user-name>

  • Delete each unused access key:

      aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>

  • Verify that all unused access keys are removed:

      aws iam list-access-keys --user-name <user-name>

  • If an access key was mistakenly deleted, regenerate a new access key for the affected IAM user:

      aws iam create-access-key --user-name <user-name>

    Then:

    1. Securely store the new access key in a password manager.

    2. Communicate the change to the IAM user.
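The CLI remediation above, as an added shell example that is not part of the original benchmark text. The credential report identifies key slots rather than key IDs, so the script calls aws iam list-access-keys for the user and aws iam get-access-key-last-used for each key (both existing CLI commands) and deletes only keys that report no last-used date. It defaults to a dry run that prints the delete commands; set DRY_RUN=0 to execute them. Function names are ours; it assumes the AWS CLI is configured with iam:ListAccessKeys, iam:GetAccessKeyLastUsed and iam:DeleteAccessKey.

```shell
#!/bin/sh
# Added example: remove an IAM user's never-used access keys, dry run by default.
# Not from the benchmark; function names are ours. Requires the AWS CLI with
# iam:ListAccessKeys, iam:GetAccessKeyLastUsed and iam:DeleteAccessKey.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the delete commands only; 0 = run them

# Access key IDs of a user, one per line (text output is tab-separated).
list_key_ids() {
  aws iam list-access-keys --user-name "$1" \
      --query 'AccessKeyMetadata[].AccessKeyId' --output text | tr '\t' '\n'
}

# Last-used timestamp of a key; the CLI prints "None" when the key was never used.
key_last_used() {
  aws iam get-access-key-last-used --access-key-id "$1" \
      --query 'AccessKeyLastUsed.LastUsedDate' --output text
}

# Delete one key, or just echo the command in dry-run mode.
delete_key() {
  u=$1; k=$2
  if [ "$DRY_RUN" = 1 ]; then
    echo "DRY RUN: aws iam delete-access-key --user-name $u --access-key-id $k"
  else
    aws iam delete-access-key --user-name "$u" --access-key-id "$k"
  fi
}

# Delete every key of the user that has no last-used date; keys that have been
# used are left alone, matching the benchmark's "unused" criterion.
remove_never_used_keys() {
  for k in $(list_key_ids "$1"); do
    last=$(key_last_used "$k")
    if [ -z "$last" ] || [ "$last" = "None" ]; then
      delete_key "$1" "$k"
    fi
  done
}

# Stand-alone use: ./remove_unused_keys.sh <user-name>   (DRY_RUN=0 to really delete)
if [ $# -gt 0 ]; then
  remove_never_used_keys "$1"
fi
```

Run it first in the default dry-run mode and review the printed commands; keys are not recoverable once deleted, so a mistaken deletion leads straight to the regeneration step above.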

References:

CIS Controls Mapping:

  CIS Control Version   Control ID   Control Description
  CIS v8                6.1          Establish an access granting process for new users.
  CIS v8                6.2          Establish an access revocation process for unused credentials.
  CIS v7                16.1         Maintain an inventory of authentication systems.