Profile Applicability:
Level 2
Description:
IAM (Identity and Access Management) in AWS allows you to manage access to AWS services and resources securely. IAM users can be assigned access keys, which are used to authenticate API requests. These keys are associated with specific user accounts and can be used to perform tasks programmatically. Unused access keys that remain active increase the risk of security breaches and should be disabled to minimize the potential for unauthorized access.
Rationale:
Disabling unused access keys ensures that only active, authorized keys are being used to interact with AWS services. Leaving unused keys active can create unnecessary security vulnerabilities, as these keys may be compromised or misused. Regularly reviewing and disabling unused access keys aligns with security best practices, reduces potential attack surfaces, and ensures compliance with the principle of least privilege.
Impact:
If unused access keys are not disabled:
Unused or compromised keys could be exploited by unauthorized users.
The risk of accidental or malicious use of inactive keys increases.
Security best practices may not be followed, leading to potential security incidents or non-compliance with frameworks like SOC 2, ISO 27001, etc.
Default Value:
By default, IAM access keys remain active until manually deactivated. There is no automatic expiration or disabling of unused keys unless configured. It is essential to periodically review and deactivate unused access keys.
Pre-requisites:
Access to AWS Management Console or AWS CLI with the necessary IAM permissions.
Knowledge of how to manage IAM user access keys.
Regular monitoring and audits of IAM user access keys.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to IAM > Users in the AWS Management Console.
Select each IAM user and go to the Security credentials tab.
Review the list of access keys for each user. Check the Last used date for each access key.
If an access key is not used for a specified period, disable it.
Document all changes made for auditing purposes.
Using AWS CLI:
List all IAM users:
aws iam list-users
For each user, list their access keys:
aws iam list-access-keys --user-name <USER_NAME>
Check the CreateDate and the last-used date for each key (the last-used date is reported per key by get-access-key-last-used).
Disable any access keys that have not been used:
aws iam update-access-key --user-name <USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Inactive
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Users in AWS IAM console.
Review the Security credentials tab for each user.
Identify unused access keys by checking the Last used date in the Access keys tab; treat any key not used within the last 90 days as unused.
Disable access keys that are no longer in use by selecting Disable next to the unused key.
Ensure that only active keys are used for API requests.
Using AWS CLI:
Use the following command to retrieve all IAM users:
aws iam list-users
For each user, use the following command to list all access keys:
aws iam list-access-keys
For unused keys, disable them by running:
aws iam update-access-key --user-name <USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Inactive
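The CLI steps in the Test Plan and the Implementation Plan above can be automated. The following is an added example, not part of this benchmark: it applies the 90-day threshold to the JSON returned by list-access-keys and get-access-key-last-used and emits the update-access-key commands to run, treating a never-used key by its CreateDate so a freshly created key is not flagged. The API output is constructed sample data, and REFERENCE_NOW is an assumed fixed clock so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws iam list-access-keys --user-name <USER_NAME>` (one call per user).
LIST_ACCESS_KEYS_OUTPUT = {"AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
     "CreateDate": "2024-01-10T09:00:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active",
     "CreateDate": "2024-06-01T09:00:00+00:00"},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Inactive",
     "CreateDate": "2023-03-15T09:00:00+00:00"},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE00000004", "Status": "Active",
     "CreateDate": "2024-11-15T09:00:00+00:00"},
]}
# Constructed sample of `aws iam get-access-key-last-used --access-key-id <ID>`, keyed by key id.
# A key that has never been used carries no LastUsedDate (ServiceName is "N/A").
LAST_USED_OUTPUT = {
    "AKIAEXAMPLE00000001": {"AccessKeyLastUsed": {"LastUsedDate": "2024-02-01T12:00:00+00:00",
                                                  "ServiceName": "s3", "Region": "us-east-1"}},
    "AKIAEXAMPLE00000002": {"AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
    "AKIAEXAMPLE00000003": {"AccessKeyLastUsed": {"LastUsedDate": "2023-04-01T12:00:00+00:00",
                                                  "ServiceName": "ec2", "Region": "eu-west-1"}},
    "AKIAEXAMPLE00000004": {"AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
}
REFERENCE_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)  # assumed fixed clock for reproducibility

def find_stale_keys(listing, last_used, now=REFERENCE_NOW, max_idle_days=90):
    """Return (user, key_id, reason) for every Active key idle for more than max_idle_days.
    A key that has never been used is judged by its CreateDate instead of a last-used date."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for key in listing["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue  # already disabled; nothing to do
        info = last_used.get(key["AccessKeyId"], {}).get("AccessKeyLastUsed", {})
        used = info.get("LastUsedDate")
        reference = datetime.fromisoformat(used or key["CreateDate"])  # CLI emits ISO 8601 with offset
        if reference < cutoff:
            reason = f"last used {reference.date()}" if used else f"never used, created {reference.date()}"
            stale.append((key["UserName"], key["AccessKeyId"], reason))
    return stale

def remediation_commands(stale):
    """Build the disable commands from the Test Plan; review the list before running them."""
    return [f"aws iam update-access-key --user-name {user} --access-key-id {key_id} --status Inactive"
            for user, key_id, _ in stale]

if __name__ == "__main__":
    findings = find_stale_keys(LIST_ACCESS_KEYS_OUTPUT, LAST_USED_OUTPUT)
    for user, key_id, reason in findings: print(f"{user}\t{key_id}\t{reason}")
    print("\n".join(remediation_commands(findings)))
```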
Backout Plan:
Using AWS Console:
If disabling or deleting an access key causes issues, sign in to the AWS Management Console.
Navigate to IAM and select the user.
Go to the Access Keys section and re-enable the disabled key if necessary or create a new key for the user.
Using AWS CLI:
If you need to re-enable a disabled access key, run the following:
aws iam update-access-key --access-key-id <ACCESS_KEY_ID> --status Active --user-name <USER_NAME>
Verify that the access key is now active by checking its Status in the key listing:
aws iam list-access-keys --user-name <USER_NAME>
Optionally confirm when the key was last used:
aws iam get-access-key-last-used --access-key-id <ACCESS_KEY_ID>
Reference:
CIS Controls: