Profile Applicability
Level 1
Description:
To reduce the risk of compromised credentials and ensure better control over IAM user access, AWS best practices recommend that each IAM user should only have one active access key at any given time. Multiple active access keys for a single IAM user can increase the risk of unauthorized access and complicate the management of access keys, especially if older keys are forgotten or left active.
This control ensures that there is only one active access key per IAM user and that any additional access keys are either disabled or deleted.
Rationale:
Having more than one active access key for any IAM user increases the potential attack surface, as:
Multiple access keys can lead to confusion about which key is actively being used, potentially leaving unused keys vulnerable to compromise.
Old or unmonitored access keys might remain active, presenting a security risk if they are forgotten or not regularly reviewed.
By limiting IAM users to only one active access key, you can reduce the risk of keys being exposed or misused. Additionally, this simplifies the process of auditing, managing, and rotating access keys.
Impact:
Failure to enforce this policy can result in:
Increased risk of key exposure or compromise.
Difficulty tracking which access key is being actively used by IAM users.
Complicated key rotation processes.
By enforcing only one active access key per user, the organization reduces the complexity and increases the security of key management.
Default Value:
By default, IAM users can have up to two active access keys. AWS does not automatically enforce the one-key-per-user rule, and this must be configured manually or via automation.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions to view and manage IAM access keys
Access to the AWS Management Console or AWS CLI to configure key management policies
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to IAM > Users.
For each IAM user, go to the Security credentials tab and review the number of access keys listed.
Ensure that there is only one active access key for each IAM user.
If there are multiple active keys, delete or deactivate the additional keys.
Using AWS CLI:
aws iam list-access-keys --user-name <user-name> --query "AccessKeyMetadata[?Status=='Active'].AccessKeyId" --output table
This command will return the list of active access keys for the specified IAM user. Ensure that the list contains only one active key.
Implementation Plan:
Using AWS Console:
Review IAM users:
Go to IAM > Users > <IAM user> > Security credentials.
Check for any users with more than one active access key.
Disable or delete additional access keys:
If multiple keys are found, disable or delete the extra keys.
Select Delete for the additional access keys to ensure only one active key is associated with the user.
Using AWS CLI:
aws iam update-access-key --user-name <user-name> --access-key-id <access-key-id> --status Inactive
To delete additional access keys:
aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>
Ensure that only one active access key remains for each IAM user.
Backout Plan:
Using AWS Console:
If you accidentally delete an active access key:
Sign in to the IAM Console and go to Users > <IAM user> > Security credentials.
Create a new access key for the user if required.
If key deletion causes issues for users:
Reactivate any necessary access keys by going to the Security credentials tab and clicking Activate for any disabled keys.
Using AWS CLI:
If access keys were mistakenly deleted:
Use the following command to create a new access key:
aws iam create-access-key --user-name <user-name>
If access key management caused disruption:
Use the following command to reactivate a previously deactivated access key:
aws iam update-access-key --user-name <user-name> --access-key-id <access-key-id> --status Active