Description:
IAM (Identity and Access Management) is an AWS service that helps manage access to AWS resources securely. Access keys are credentials used by IAM users to authenticate API requests and interact with AWS services programmatically. Each user can have a maximum of two active access keys. Having more than one active key can increase the risk of accidental exposure.
Rationale:
Ensuring that IAM users have no more than two active access keys is critical for security best practices. Limiting the number of access keys reduces the risk of compromised keys and ensures better access control. It also aligns with the principle of least privilege by limiting access keys to only what's necessary for users to perform their jobs.
Impact:
If IAM users have more than two active access keys, it could lead to security vulnerabilities, such as:
Increased risk of key exposure or misuse.
Difficulty in tracking and rotating keys.
Non-compliance with best security practices.
Default Value:
By default, AWS allows each IAM user to have two active access keys. However, security best practices recommend rotating keys regularly and ensuring no more than two active keys are in use at any time.
Pre-requisites:
Access to AWS Management Console or AWS CLI with the necessary IAM permissions.
Knowledge of IAM and Access Key Management best practices.
AWS CLI configured.
Remediation:
Test Plan:
Using AWS Console:
Sign into AWS Management Console.
Navigate to the AWS IAM Console -> Users.
Select the IAM user for whom you want to check the access keys.
Go to the Security credentials tab.
In the Access keys (access key ID and secret access key) section, check how many active keys the user has.
Ensure that there are no more than two active keys. If more than two active keys are present, deactivate or delete keys as required.
Using AWS CLI:
Use the following AWS CLI command to list all IAM users:
aws iam list-users
For each IAM user, run the following command to list the access keys:
aws iam list-access-keys --user-name <IAM_USER_NAME>
Review the output for each user to ensure no more than two active access keys exist.
If a user has more than two active access keys, rotate or deactivate the excess keys.
Implementation Plan:
Using AWS Console:
Sign into AWS Management Console.
Navigate to the AWS IAM Console -> Users.
Identify IAM users who have more than two active access keys in Security Credentials.
For each affected user, deactivate or delete the excess access keys in Actions.
If necessary, create a new access key and rotate it with the old one.
Using AWS CLI:
Identify IAM users with more than two active access keys.
Run the following AWS CLI command to delete excess keys:
aws iam delete-access-key --access-key-id <ACCESS_KEY_ID> --user-name <IAM_USER_NAME>
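The CLI test plan and the CLI remediation step above, as an added example that is not part of this control's text: a Python script that parses the JSON output of `aws iam list-access-keys`, counts the Active keys per user (Inactive keys do not count toward the limit), names the oldest active keys beyond the limit as the deactivation candidates, and flags active keys older than an assumed 90-day rotation interval. The listing is a constructed sample embedded so the script runs offline; the user names, key IDs, dates and the 90-day value are assumptions, not values from this control.

```python
import json
from datetime import datetime, timezone

MAX_ACTIVE_KEYS = 2   # limit this control checks for
ROTATION_DAYS = 90    # assumed rotation interval for the stale-key warning
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# Constructed sample in the shape of `aws iam list-access-keys --output json`;
# user names and key IDs are placeholders, not real credentials.
SAMPLE_LISTING = json.loads("""
{"AccessKeyMetadata": [
  {"UserName": "alice", "AccessKeyId": "AKIAPLACEHOLDER0001", "Status": "Active",   "CreateDate": "2023-11-01T08:00:00+00:00"},
  {"UserName": "alice", "AccessKeyId": "AKIAPLACEHOLDER0002", "Status": "Active",   "CreateDate": "2024-02-01T08:00:00+00:00"},
  {"UserName": "alice", "AccessKeyId": "AKIAPLACEHOLDER0003", "Status": "Active",   "CreateDate": "2024-05-01T08:00:00+00:00"},
  {"UserName": "bob",   "AccessKeyId": "AKIAPLACEHOLDER0004", "Status": "Active",   "CreateDate": "2024-05-15T08:00:00+00:00"},
  {"UserName": "bob",   "AccessKeyId": "AKIAPLACEHOLDER0005", "Status": "Inactive", "CreateDate": "2022-01-01T08:00:00+00:00"}
]}
""")


def audit_access_keys(listing, now, max_active=MAX_ACTIVE_KEYS, rotation_days=ROTATION_DAYS):
    """Per user: number of Active keys, the oldest Active key IDs beyond
    max_active (excess, oldest first) and Active keys older than rotation_days (stale)."""
    by_user = {}
    for key in listing["AccessKeyMetadata"]:
        by_user.setdefault(key["UserName"], []).append(key)
    report = {}
    for user, keys in by_user.items():
        active = sorted((k for k in keys if k["Status"] == "Active"),
                        key=lambda k: datetime.fromisoformat(k["CreateDate"]))
        # Keep the newest max_active keys; anything older is excess.
        excess = [k["AccessKeyId"] for k in active[:max(0, len(active) - max_active)]]
        stale = [k["AccessKeyId"] for k in active
                 if (now - datetime.fromisoformat(k["CreateDate"])).days > rotation_days]
        report[user] = {"active": len(active), "excess": excess, "stale": stale}
    return report


def noncompliant_users(report):
    """Users failing this control, i.e. holding more than the allowed Active keys."""
    return sorted(user for user, r in report.items() if r["excess"])


if __name__ == "__main__":
    report = audit_access_keys(SAMPLE_LISTING, SAMPLE_NOW)
    for user, r in report.items():
        print(f"{user}: active={r['active']} excess={r['excess']} stale={r['stale']}")
    for user in noncompliant_users(report):
        for key_id in report[user]["excess"]:
            # Print (do not run) the reversible remediation: deactivate first, delete once confirmed.
            print(f"aws iam update-access-key --access-key-id {key_id} --status Inactive --user-name {user}")
```

Feed it real output by saving `aws iam list-access-keys --user-name <IAM_USER_NAME> --output json` per user and replacing SAMPLE_LISTING with the parsed file.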
Backout Plan:
If you encounter any issues while modifying the access keys, you can restore access by:
Reactivating the previously deleted access keys (if still valid).
Creating new access keys for the affected users and updating the necessary applications to use the new keys.
Ensure any application using access keys is updated and tested to confirm functionality.
Note:
It is a best practice to rotate access keys periodically, and deactivate or delete old keys once they are no longer in use.