Profile Applicability

  • Level 1

Description:

IAM access keys should be rotated regularly to reduce the risk of credential compromise. The best practice is to rotate access keys every 90 days or less to ensure that any potentially compromised keys are no longer valid and to maintain a high level of security for AWS environments.

This control ensures that IAM access keys are rotated within the specified timeframe, reducing the risk of unauthorized access to AWS resources.

Rationale:

Regularly rotating IAM access keys is a fundamental security practice. The risks of not rotating access keys include:

  • Compromised keys: If an access key is compromised, it can be used to gain unauthorized access until detected. Regular key rotation minimizes the window of opportunity for an attacker.

  • Credential leakage: If keys are hardcoded into scripts or applications, there is a risk of unintentional exposure. Regular rotation ensures that old keys do not remain valid for too long.

  • Compliance: Various industry standards and compliance frameworks require regular key rotation (e.g., SOC 2, PCI DSS).

By enforcing access key rotation every 90 days or less, organizations improve security and ensure they are compliant with best practices.

Impact:

Failure to rotate access keys every 90 days can lead to:

  • Increased risk of unauthorized access if keys are compromised or leaked.

  • Difficulty in managing access and tracking old keys.

  • Non-compliance with security standards or best practices.

By automating key rotation, the organization can reduce human error and ensure a consistent level of security across all IAM users and services.

Default Value:

AWS does not automatically rotate access keys. Key rotation must be manually managed or automated using policies, IAM roles, or custom automation.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions to manage IAM users and access keys

  • Access to the AWS Management Console or AWS CLI to configure and manage key rotation

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM > Users.

  3. For each IAM user, go to the Security credentials tab and check the Last used date for each access key.

  4. Verify that each IAM user’s access key has been rotated within the last 90 days.

  5. If access keys have not been rotated, initiate the key rotation process.

Using AWS CLI:

aws iam get-access-key-last-used --access-key-id <access-key-id> --output table

This command will return the date of the last use for the access key. Ensure that it is within the last 90 days.
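One way to run the age check across all of a user's keys in one pass, as an added example that is not part of the benchmark text: it parses the JSON returned by `aws iam list-access-keys --user-name <user-name> --output json` and measures each key's age from its CreateDate, which is the value that determines whether the key is due for rotation (the last-used date shows activity, not age). The sample response and the fixed clock are constructed for the example.

```python
"""Flag active IAM access keys older than the 90-day rotation limit.

Input is the JSON shape returned by
`aws iam list-access-keys --user-name <user-name> --output json`
(an AccessKeyMetadata list). Age is measured from CreateDate.
"""
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample response for one IAM user (not real AWS data).
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000000001",
         "Status": "Active", "CreateDate": "2024-01-05T09:12:00+00:00"},
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000000002",
         "Status": "Active", "CreateDate": "2024-04-20T14:30:00+00:00"},
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000000003",
         "Status": "Inactive", "CreateDate": "2023-11-01T00:00:00+00:00"},
    ]
})

# Fixed clock so the sample gives repeatable results (constructed).
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def key_age_days(create_date: str, now: datetime) -> int:
    """Whole days since creation; CreateDate is ISO 8601 with a UTC offset or 'Z'."""
    created = datetime.fromisoformat(create_date.replace("Z", "+00:00"))
    return (now - created).days


def keys_due_for_rotation(list_output: str, now: datetime,
                          max_age_days: int = MAX_KEY_AGE_DAYS) -> list:
    """Return (UserName, AccessKeyId, age_days) for each Active key past the limit.

    Inactive keys cannot authenticate and are skipped here, but they should
    still be deleted once the replacement key is confirmed working.
    """
    findings = []
    for key in json.loads(list_output)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue
        age = key_age_days(key["CreateDate"], now)
        if age > max_age_days:
            findings.append((key["UserName"], key["AccessKeyId"], age))
    return findings


if __name__ == "__main__":
    for user, key_id, age in keys_due_for_rotation(SAMPLE_LIST_ACCESS_KEYS, SAMPLE_NOW):
        print(f"{user}: {key_id} is {age} days old (limit {MAX_KEY_AGE_DAYS})")
```

To run it against a live account, replace SAMPLE_LIST_ACCESS_KEYS with the command's actual output and SAMPLE_NOW with the current UTC time.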

Implementation Plan:

Using AWS Console:

  1. Review IAM users:

    • Go to IAM > Users and check the Last used date for each user’s access keys.

    • If the access key has not been rotated in the last 90 days, initiate a new key rotation process for that user.

  2. Rotate access keys:

    • In the Security credentials tab, click Create access key to generate a new access key for the user.

    • Delete or deactivate the old access key once the new key is active.

Using AWS CLI:

  1. To rotate an access key for an IAM user:

    • Create a new access key:

aws iam create-access-key --user-name <user-name>
    • Deactivate or delete the old access key after the new key is created:

aws iam delete-access-key --user-name <user-name> --access-key-id <old-access-key-id>

  2. Ensure key rotation is performed every 90 days:

    • Automate the process using AWS Lambda or an automation tool like AWS Systems Manager to check and rotate access keys every 90 days.

Backout Plan:

Using AWS Console:

  1. If key rotation causes issues for users:

    • In the IAM Console, go to Users > <IAM user> > Security credentials.

    • Re-enable or recreate the old access key if needed, ensuring it works with the user’s applications and scripts.

  2. If the new access key does not work properly:

    • Ensure the new access key is correctly configured in the user’s environment (CLI, SDK, application, etc.).

    • If necessary, delete the new key and reactivate the old key temporarily while troubleshooting.

Using AWS CLI:

  1. If access key rotation causes issues:

    • If a newly created access key causes disruption, use the following command to deactivate it:

aws iam update-access-key --user-name <user-name> --access-key-id <new-access-key-id> --status Inactive
    • Re-enable or recreate the old access key:

aws iam update-access-key --user-name <user-name> --access-key-id <old-access-key-id> --status Active

  2. Revert to the previous key if necessary:

    • Delete any new keys that may have caused issues and re-enable the previous active key.

References:

CIS Controls Mapping:

CIS Control Version   Control ID   Control Description
CIS v8                4.5          Implement Strong Authentication for All Users
CIS v8                4.6          Secure Authentication Methods for Cloud Accounts
CIS v7                4.4          Ensure IAM Policies are Configured for Least Privilege