Profile Applicability:
Level 1
Description:
AWS access keys (consisting of an access key ID and a secret access key) are used for programmatic access to AWS services. It is recommended that access keys be rotated every 90 days or less to reduce the risk of compromised credentials being used maliciously.
Rationale:
- Reduces security risks: Rotating access keys limits the window in which a compromised key can be used.
- Prevents unauthorized access: Expired or rotated keys cannot be misused by attackers.
- Ensures compliance: Meets security standards such as SOC 2, PCI-DSS, HIPAA, and CIS benchmarks.
Impact
Benefits of Regular Access Key Rotation:
- Minimizes the risk of unauthorized access due to leaked, stolen, or compromised keys.
- Improves security posture and aligns with compliance requirements.
- Reduces exposure of long-lived credentials.
Potential Challenges:
- Failure to update applications after rotation can cause service disruptions.
- Requires operational effort to rotate and validate new keys.
Default Value:
AWS does not enforce automatic key rotation by default.
Users must manually rotate access keys to comply with security best practices.
Pre-Requisites:
AWS Account Access:
IAM user with Administrator privileges or IAM permissions to manage access keys.
Required IAM Permissions:
{
"Action": [
"iam:ListAccessKeys",
"iam:CreateAccessKey",
"iam:UpdateAccessKey",
"iam:DeleteAccessKey"
],
"Effect": "Allow",
"Resource": "*"
}List of Active Access Keys for all IAM users.
Remediation:
Test Plan:
- Ensure that IAM access keys are rotated every 90 days or less.
Using AWS Console:
Login to AWS Console with IAM permissions.
Navigate to IAM Service: AWS IAM Console.
Click on Users in the left navigation panel.
Select a user and go to Security Credentials.
Under Access Keys, review the Created Date of all active access keys.
If an active key is older than 90 days, proceed with rotation.
Using AWS CLI:
Run the following command to generate a credential report:
aws iam generate-credential-report
Retrieve and decode the credential report:
aws iam get-credential-report --query 'Content' --output text | base64 -d
Check the following fields in the report:
access_key_1_last_rotated
access_key_2_last_rotated
If any key is older than 90 days, proceed with remediation.
Implementation Steps:
Using AWS Console:
Login to AWS Console with IAM permissions.
Navigate to IAM Service: AWS IAM Console.
Click Users in the left panel and select a user.
Go to Security Credentials → Access Keys.
Identify active access keys older than 90 days.
Rotate Access Key:
Click Make Inactive for the old key.
Click Create Access Key to generate a new key.
Update application configurations with the new key.
Delete the old key after validation.
Using AWS CLI:
- Create a new access key while keeping the old key active:
aws iam create-access-key --user-name <user-name>
- Update all applications and services to use the new access key.
- Verify that the old access key is no longer in use:
aws iam get-access-key-last-used --access-key-id <old-access-key-id>
- Deactivate the old access key:
aws iam update-access-key --access-key-id <old-access-key-id> --status Inactive --user-name <user-name>
- After confirming all services use the new key, delete the old access key:
aws iam delete-access-key --access-key-id <old-access-key-id> --user-name <user-name>
- Automate access key rotation with a script (optional):
Use AWS Lambda or AWS Systems Manager (SSM) to automatically rotate keys and send notifications when a key is older than 90 days.
Backout Plan:
If access key rotationcauses disruptions:
- Reactivate the old access key temporarily:
aws iam update-access-key --access-key-id <old-access-key-id> --status Active --user-name <user-name>
Investigate why the new key is not working and update configurations.
Ensure the new key is working before deleting the old key.