Profile Applicability:
Level 1
Description:
IAM users with console access should not have access keys created during their initial setup. Access keys are used for programmatic access to AWS resources through the AWS CLI, SDKs, or APIs. It is recommended that only users who need programmatic access should have access keys, while users who only require console access should not have access keys created for them by default.
By ensuring that access keys are not created during the initial setup for IAM users with console passwords, you can prevent accidental or unauthorized access to AWS resources through the CLI or other programmatic means.
Rationale:
IAM users with console access do not always need access keys. Creating access keys for users who do not require programmatic access can lead to security risks such as:
Unnecessary exposure of AWS resources if access keys are misused or leaked.
Lack of visibility into actions taken using access keys, as programmatic access bypasses AWS CloudTrail logging for console activity.
Potential for compromised keys, if access keys are accidentally left in configuration files or scripts.
By ensuring that access keys are not created for users with console access by default, organizations can adhere to the principle of least privilege and reduce the attack surface of their AWS environment.
Impact:
Failure to prevent access keys from being created during initial setup for IAM users with console access may result in:
Unintended exposure of programmatic access to AWS resources.
Increased risk of compromise if access keys are leaked or exposed.
Potential violations of compliance and security standards.
Restricting access key creation for IAM users who do not require programmatic access strengthens security by ensuring that only those who need programmatic access have it.
Default Value:
By default, AWS provides the option to create access keys for IAM users when they are created. If no restrictions are implemented, IAM users with console access may also have programmatic access enabled by default.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions to create and manage IAM users and access keys
Access to the AWS Management Console or AWS CLI to configure user settings
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to IAM > Users and review the list of IAM users.
For each IAM user with console access, check the Security credentials tab to ensure that access keys were not created during their initial setup.
If access keys are present for users who do not require programmatic access, they should be deleted.
Using AWS CLI:
aws iam list-access-keys --user-name <user-name> --output table
This command will return any access keys associated with the user. If the user has console access but does not require programmatic access, ensure no access keys are listed.
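The single-user command above has to be repeated for every user. The script below automates the test step across the whole account: it lists all IAM users, keeps only those that have a console password (a login profile), and reports any access keys those users hold. It is an added example, not part of the benchmark text, and assumes the AWS CLI is installed and configured with iam:ListUsers, iam:GetLoginProfile and iam:ListAccessKeys permissions. The CLI calls are isolated in small wrapper functions so the audit logic can be exercised against constructed fixtures offline; the user names and key IDs in any test output are constructed, not real.

```shell
#!/bin/sh
# Audit: find IAM users that hold BOTH a console password and access keys.
# Added example, not part of the original benchmark. Assumes the AWS CLI is
# configured with iam:ListUsers, iam:GetLoginProfile and iam:ListAccessKeys.

export AWS_PAGER=""   # keep AWS CLI v2 from opening a pager in scripts

# --- thin wrappers around the CLI; tests override these with fixtures ---
iam_list_users() {
    aws iam list-users --query 'Users[].UserName' --output text
}
iam_has_console_password() {
    # get-login-profile fails with NoSuchEntity when the user has no password.
    # Returns 0 = has password, 1 = no password, 2 = could not determine.
    err=$(aws iam get-login-profile --user-name "$1" 2>&1 >/dev/null) && return 0
    case "$err" in *NoSuchEntity*) return 1 ;; esac
    printf 'ERROR %s: %s\n' "$1" "$err" >&2
    return 2
}
iam_list_access_keys() {
    # One line per key: "<AccessKeyId> <Status>"; empty output when none.
    aws iam list-access-keys --user-name "$1" \
        --query 'AccessKeyMetadata[].[AccessKeyId,Status]' --output text
}

# --- audit logic ---
# Prints "FINDING <user> <key-id> <status>" for every access key held by a
# console user. Returns 0 when clean, 1 when findings exist, 2 when some
# users could not be checked (treat as inconclusive, never as clean).
audit_console_users_with_keys() {
    findings=0; errors=0
    for user in $(iam_list_users); do
        rc=0; iam_has_console_password "$user" || rc=$?
        case $rc in
            1) continue ;;                          # no console password: keys are expected
            2) errors=$((errors + 1)); continue ;;  # AccessDenied, throttling, ...
        esac
        keys=$(iam_list_access_keys "$user") || { errors=$((errors + 1)); continue; }
        [ -n "$keys" ] || continue
        findings=$((findings + 1))
        printf '%s\n' "$keys" | while read -r key_id status; do
            printf 'FINDING %s %s %s\n' "$user" "$key_id" "$status"
        done
    done
    [ "$errors" -eq 0 ] || return 2
    [ "$findings" -eq 0 ]
}

# Run the audit when the CLI is present (e.g. from a scheduled job); the
# exit status is the audit result, so a non-zero exit can fail a pipeline.
if command -v aws >/dev/null 2>&1; then
    audit_console_users_with_keys
fi
```

Inactive keys are reported as findings too: an inactive key can be re-enabled by anyone with iam:UpdateAccessKey, so the control is only met once the key is deleted.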
Implementation Plan:
Using AWS Console:
When creating IAM users with console access:
During the user creation process, do not select the option to create access keys for users who only need console access.
Create the user with console access only and ensure that access keys are not created.
For existing IAM users with access keys:
Review IAM users with console access and remove any access keys for users who do not require programmatic access.
Go to IAM > Users > > Security credentials and click Delete for any existing access keys.
Using AWS CLI:
When creating IAM users with console access:
Create IAM users without access keys for those who only need console access:
aws iam create-user --user-name <user-name>
Only create access keys if the user requires programmatic access:
aws iam create-access-key --user-name <user-name>
For existing IAM users with access keys:
To remove unnecessary access keys for users who only require console access:
aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>
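Deleting a key outright is irreversible, and a key that turns out to be in use by a forgotten script cannot be recovered. The script below stages the removal: it checks when the key was last used, refuses to touch keys used after an operator-supplied cutoff date, deactivates the key first (reversible with aws iam update-access-key --status Active), and only deletes it when explicitly asked. This is an added example, not part of the benchmark text; it assumes the AWS CLI is configured with iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and iam:DeleteAccessKey, and the CUTOFF_DATE default is a placeholder the operator must override.

```shell
#!/bin/sh
# Staged removal of an access key from an IAM user who only needs console
# access: deactivate first, delete later. Added example, not part of the
# original benchmark. Assumes a configured AWS CLI; the wrapper functions
# isolate the CLI so the decision logic can be tested offline.

export AWS_PAGER=""   # keep AWS CLI v2 from opening a pager in scripts

# Only keys last used before this date (YYYY-MM-DD) are touched. The default
# is a placeholder; set it explicitly, older than your longest batch cycle.
CUTOFF_DATE="${CUTOFF_DATE:-2000-01-01}"

# --- thin wrappers around the CLI; tests override these with fixtures ---
iam_key_last_used() {
    # Prints the ISO 8601 last-used timestamp, or "None" if never used.
    aws iam get-access-key-last-used --access-key-id "$1" \
        --query 'AccessKeyLastUsed.LastUsedDate' --output text
}
iam_deactivate_key() {
    aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}
iam_delete_key() {
    aws iam delete-access-key --user-name "$1" --access-key-id "$2"
}

# key_is_stale <last-used>: true when the key was never used, or was last
# used before CUTOFF_DATE. ISO 8601 dates compare correctly as strings.
key_is_stale() {
    case "$1" in None|"") return 0 ;; esac
    awk -v last="$1" -v cutoff="$CUTOFF_DATE" \
        'BEGIN { exit !(substr(last, 1, 10) < cutoff) }'
}

# retire_key <user> <key-id> [delete]
# Step 1 deactivates the key. Step 2, only when the third argument is
# "delete", removes it permanently. Returns 0 on action taken, 1 when the key
# was skipped as recently used, 2 when a CLI call failed.
retire_key() {
    user=$1; key=$2; mode=${3:-deactivate}
    last=$(iam_key_last_used "$key") || return 2
    if ! key_is_stale "$last"; then
        printf 'SKIP %s %s last used %s (cutoff %s)\n' "$user" "$key" "$last" "$CUTOFF_DATE"
        return 1
    fi
    iam_deactivate_key "$user" "$key" || return 2
    if [ "$mode" = delete ]; then
        iam_delete_key "$user" "$key" || return 2
        printf 'DELETED %s %s\n' "$user" "$key"
    else
        printf 'DEACTIVATED %s %s\n' "$user" "$key"
    fi
}

# Usage: CUTOFF_DATE=YYYY-MM-DD sh retire-key.sh <user-name> <access-key-id> [delete]
if [ $# -ge 2 ] && command -v aws >/dev/null 2>&1; then
    retire_key "$@"
fi
```

A practical rollout is to run the script without "delete" for every finding, wait one full business cycle while watching for breakage, and only then rerun it with "delete". The last-used timestamp is reported by IAM with some delay, so a key used minutes ago may still show an older date; the cutoff should leave margin for that.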
Backout Plan:
Using AWS Console:
If access keys were mistakenly created for users who don’t require programmatic access:
Sign in to the IAM Console and go to Users > > Security credentials.
Delete the access keys under the Access keys section.
If users require programmatic access after initially being set up with console access only:
Add access keys back for the user if necessary by going to Security credentials and selecting Create access key.
Using AWS CLI:
If access keys were mistakenly created for users:
Use the following command to delete the unnecessary access keys:
aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>
If users need programmatic access after initially being set up with console access only:
Recreate the access keys using the following command:
aws iam create-access-key --user-name <user-name>