Profile Applicability

  • Level 1

Description:
 Ensure that AWS IAM access keys are rotated regularly to limit the risk of credential compromise and unauthorized access. AWS does not rotate access keys automatically, so rotation must be handled manually or through automation.

Rationale:
 Access keys provide programmatic access to AWS services. If compromised, they can allow unauthorized actions. Regular rotation reduces the risk exposure from lost or stolen credentials.

Impact:
 If credentials are exposed, rotation limits the window in which they can be exploited. However, if the systems that depend on a key are not updated promptly when it is rotated, the change itself can cause service disruptions.

Default Value:
 Access keys do not rotate by default.

Pre-requisites:

  • IAM user with access keys

  • Permissions to list, create, and delete IAM access keys

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM

  3. Click Users

  4. Select a user

  5. Go to the Security credentials tab

  6. Review the Create date and Last used date of the access keys

  7. Check if any key exceeds the recommended age (e.g., 90 days)

Using AWS CLI:

  1. List access keys for a user

     aws iam list-access-keys --user-name <username>


  2. Review the CreateDate for each key to identify aged keys
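
The age check in step 2 can be scripted. The following is an added example, not part of the benchmark text: it reads the JSON that `aws iam list-access-keys` prints, flags Active keys whose CreateDate is older than the 90-day threshold, and exits non-zero when it finds any. The embedded sample output and its key IDs are constructed for an offline run; `audit_sample` and the 2024-07-01 reference date are assumptions of this example.

```python
"""Flag aged IAM access keys from `aws iam list-access-keys` JSON output.

Usage with real data:
    aws iam list-access-keys --user-name <username> | python3 audit_access_keys.py
With no piped input the constructed sample below is audited instead.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # the recommended age threshold from the test plan

# Constructed sample in the shape the AWS CLI returns; the key IDs are not real.
SAMPLE_OUTPUT = """{
  "AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": "2024-01-15T10:20:30+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": "2024-06-01T08:00:00+00:00"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": "2023-11-01T00:00:00Z"}
  ]
}"""


def parse_create_date(value):
    """Parse the ISO 8601 CreateDate; accept a trailing 'Z' for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_aged_keys(output_json, max_age_days=MAX_AGE_DAYS, now=None, include_inactive=False):
    """Return keys older than max_age_days, each with its age in days.

    Inactive keys are skipped by default: they cannot be used, but they still
    occupy one of the user's two key slots, so include_inactive=True lists them too.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for key in json.loads(output_json)["AccessKeyMetadata"]:
        if key["Status"] != "Active" and not include_inactive:
            continue
        created = parse_create_date(key["CreateDate"])
        if created < cutoff:
            findings.append({
                "UserName": key["UserName"],
                "AccessKeyId": key["AccessKeyId"],
                "Status": key["Status"],
                "age_days": (now - created).days,
            })
    return findings


def audit_sample(as_of="2024-07-01T12:00:00+00:00", include_inactive=False):
    """Audit the constructed sample at a fixed reference date (assumed for the example)."""
    return find_aged_keys(SAMPLE_OUTPUT, now=parse_create_date(as_of),
                          include_inactive=include_inactive)


def main():
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    aged = find_aged_keys(data)
    for f in aged:
        print(f"{f['UserName']} {f['AccessKeyId']} {f['Status']} "
              f"age={f['age_days']}d exceeds {MAX_AGE_DAYS}d")
    # A non-zero exit lets a cron or CI wrapper treat findings as a failed check.
    sys.exit(1 if aged else 0)


if __name__ == "__main__":
    main()
```

Running it over every user (for example by looping over `aws iam list-users --query 'Users[].UserName' --output text`) turns the manual console review into a repeatable check; keys that were never used since creation show up here too, and are candidates for deletion rather than rotation.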

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to IAM

  3. Click Users and select the target user

  4. Go to the Security credentials tab

  5. Click Create access key to generate a new key pair

  6. Save the new access key and secret securely

  7. Update all systems/applications to use the new key

  8. Once validated, disable or delete the old key

Using AWS CLI:

  1. Create a new access key

     aws iam create-access-key --user-name <username>


  2. Update the application or service to use the new key

  3. Validate that everything works as expected

  4. Delete the old access key

     aws iam delete-access-key --user-name <username> --access-key-id <old-access-key-id>


Backout Plan

Using AWS Console:

  1. If the new key causes issues, revert the app/service to use the old key

  2. Re-enable the old key if previously disabled

Using AWS CLI:

  1. Re-enable the old access key

     aws iam update-access-key --user-name <username> --access-key-id <old-access-key-id> --status Active
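
The implementation plan (create, deploy, validate, delete) and the backout plan (set the old key back to Active) are the same four IAM calls in a fixed order. The following added example, not part of the benchmark text, scripts that order: it creates the replacement, deactivates the old key rather than deleting it straight away, and only deletes a key that is already Inactive, so the backout remains possible until the last step. The `iam` argument is expected to behave like boto3's IAM client (`boto3.client("iam")`, whose `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key` methods are used by name); `FakeIam`, `demo`, `rotation_blocked_when_full` and all key IDs and secrets are constructed for an offline run and are assumptions of this example.

```python
"""Rotate an IAM user's access key in the order the implementation plan gives:
create the replacement, deploy and validate it, deactivate the old key, delete it.
Deactivation (not deletion) comes first so the backout plan stays available.
"""
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2  # AWS allows at most two access keys per IAM user


class FakeIam:
    """Constructed in-memory stand-in for boto3's IAM client (same method names and
    response shapes); only the four calls rotation needs exist, IDs and secrets are fake."""

    def __init__(self, existing):
        # existing: {user_name: [(access_key_id, status), ...]}
        self._keys = {
            user: [{"UserName": user, "AccessKeyId": kid, "Status": status,
                    "CreateDate": datetime.now(timezone.utc)} for kid, status in keys]
            for user, keys in existing.items()
        }
        self._counter = 0

    def _find(self, UserName, AccessKeyId):
        for key in self._keys.get(UserName, []):
            if key["AccessKeyId"] == AccessKeyId:
                return key
        raise KeyError(f"NoSuchEntity: {AccessKeyId}")

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        self._counter += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAFAKE{self._counter:012d}",
               "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        keys.append(key)
        return {"AccessKey": dict(key, SecretAccessKey=f"fake-secret-{self._counter}")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName].remove(self._find(UserName, AccessKeyId))


def rotate_access_key(iam, user_name):
    """Step 1: create the replacement. Returns (new_id, new_secret, old_key_ids).
    Refuses when both key slots are taken, which is how create-access-key fails in AWS."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user_name} already has {MAX_KEYS_PER_USER} keys; retire one first")
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    return new["AccessKeyId"], new["SecretAccessKey"], [k["AccessKeyId"] for k in existing]


def set_key_status(iam, user_name, key_id, status):
    """Step 4 with status='Inactive'; the backout plan is the same call with 'Active'."""
    if status not in ("Active", "Inactive"):
        raise ValueError(status)
    iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status=status)


def delete_inactive_key(iam, user_name, key_id):
    """Final step: delete the old key, but only once it is already Inactive."""
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["AccessKeyId"] == key_id:
            if key["Status"] != "Inactive":
                raise RuntimeError("deactivate the key and confirm nothing breaks before deleting")
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
            return True
    return False  # already gone


def demo(iam=None, user_name="alice"):
    """Run the full plan against the fake client; return {key_id: status} afterwards."""
    iam = iam or FakeIam({user_name: [("AKIAFAKEOLD000000000", "Active")]})
    new_id, new_secret, old_ids = rotate_access_key(iam, user_name)
    # Steps 2-3 happen outside this script: hand new_secret to every consumer of the
    # old key (secrets store, CI variables, config files) and confirm they work with it.
    for old in old_ids:
        set_key_status(iam, user_name, old, "Inactive")  # step 4a: disable, keep backout
        # backout if a consumer breaks: set_key_status(iam, user_name, old, "Active")
        delete_inactive_key(iam, user_name, old)         # step 4b: delete once proven unused
    return {k["AccessKeyId"]: k["Status"]
            for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}


def rotation_blocked_when_full(user_name="bob"):
    """Two-key limit: with both slots used, rotation has to start by retiring a key."""
    iam = FakeIam({user_name: [("AKIAFAKEOLD000000001", "Active"),
                               ("AKIAFAKEOLD000000002", "Inactive")]})
    try:
        rotate_access_key(iam, user_name)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Leaving the old key Inactive for a grace period before deleting it is what makes the backout plan cheap: reactivation is one `update-access-key` call, whereas a deleted key cannot be restored and the dependent system has to be cut over again.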


References: