Profile Applicability:

Level 1

Description:

AWS IAM users can have access keys to authenticate API requests via the AWS CLI, SDKs, or direct API calls. To reduce security risks, IAM users should not have multiple active 

Rationale:

  • Reduces security risk from stale or forgotten access keys.

  • Prevents credential duplication, reducing the risk of accidental exposure.

  • Limits access scope, ensuring compromised keys are easier to revoke.

  • Encourages key rotation, ensuring long-term security.

Impact:

  • Multiple active access keys increase the risk of credential leakage.

  • Compromised unused keys can be exploited without detection.

  • Poor access key management violates security compliance requirements (SOC 2, ISO 27001, PCI-DSS).

Default Value:

By default, AWS allows each IAM user to have up to two access keys.

  • This permits multiple active keys, increasing security risks.

  • AWS does not enforce automatic key rotation or expiration.

Pre-Requisites:

  1. IAM Administrator Access:

    • Required permissions: iam:ListUsers, iam:ListAccessKeys, iam:UpdateAccessKey, iam:DeleteAccessKey.

  2. Access to AWS CloudTrail (optional):

    • To monitor access key creation and usage.

  3. IAM Policy Enforcement:

    • Implement AWS Organizations Service Control Policies (SCPs) to restrict IAM users to a single active access key.

Remediation:

Test Plan:

Using Console Steps:

  1. Login to the AWS Console as an IAM Administrator.

  2. Open the IAM Console → Click Users.

                     

  1. Click on an IAM user's name → Go to the Security Credentials tab.                    

  1. Under Access Keys, check the Status column:

    • If the user has more than one active access key, they are non-compliant.

           

  1. Repeat for each IAM user.

Using Command Line  Steps:

  • List all IAM users:
 aws iam list-users --query "Users[*].UserName"
  • Check access keys for each IAM user:
 aws iam list-access-keys --user-name <user-name>

  1. Review the output:

    • If an IAM user has more than one access key with "Status": "Active", they are non-compliant.

  2. Repeat for all IAM users.

Implementation Steps:

Step 1: Identify and Retain a Single Active Access Key

  • Retain only one active access key for each IAM user.

  • If both keys are required, rotate the older key and delete the second one.

Using AWS Console Steps

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Users.

                       

  1. Click on an IAM user’s name → Go to the Security Credentials          

  2. Under Access Keys, select:

    • One key to keep (less than 90 days old).

    • Deactivate and delete all other keys

  3. Click Make Inactive → Click Deactivate.                         

  4. Delete all unused access keys.

                           

Using Command Line Steps

  • List IAM user's access keys:
 aws iam list-access-keys --user-name <user-name>
  • Deactivate and delete non-essential access keys:
aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>
aws iam delete-access-key --access-key-id <access-key-id> --user-name <user-name>
  • Confirm that only one key remains active:
 aws iam list-access-keys --user-name <user-name>

Backout Plan:

  • If an IAM user requires a second active access key: Temporarily allow multiple keys by modifying IAM policies.
  • Rotate access keys before deletion:
 aws iam create-access-key --user-name <user-name>

  • Re-enable multiple active keys temporarily if required.

References:

CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

5.1

Maintain an inventory of IAM accounts and access keys.

CIS v7

16.1

Track authentication systems and credentials.