Profile Applicability:
Level 1
Description:
This control ensures that IAM users who have console access (a username and password) are not provisioned with access keys (used for programmatic access) during their initial account setup, unless specifically required. By default, access keys allow direct API and CLI access to AWS resources. Enforcing this control minimizes credential exposure, reduces unnecessary permissions, and aligns with the principle of least privilege.
Rationale:
IAM users with both console and programmatic access are at higher risk of credential compromise, key leakage, or unauthorized API activity. Preventing the automatic creation of access keys for users who only require console access ensures that programmatic credentials are only granted when justified. This helps mitigate security risks associated with stale, misused, or leaked access keys and aligns with compliance frameworks such as CIS, SOC 2, ISO 27001, and NIST 800-53.
Impact:
Positive Impact: Reduces attack surface and prevents accidental or unnecessary exposure of AWS programmatic credentials, improving overall security posture.
Negative Impact: Users who legitimately require API/CLI access may need to request key creation through a controlled process, adding a small administrative overhead.
Default Value:
By default, IAM allows the creation of both console passwords and access keys during user setup.
Pre-Requisite:
IAM permissions required:
iam:ListUsers, iam:ListAccessKeys, iam:GetLoginProfile.
Clearly defined process for granting API access only to users or applications that require it.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console using an IAM account with administrative privileges.
Navigate to IAM → Users.
For each user:
Check the Console access column (indicating if a password is assigned).
Click the username → Security credentials tab.
Check if Access keys exist.
Identify any IAM users that have both console access and access keys.
If a user with a console password has active access keys created during initial setup, the account is non-compliant.
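The same check as an added script, not part of the benchmark text: the pure function flags users that have a console password and an active access key created close to the user's own creation time, and a thin boto3 collector feeds it live data. The five-minute "initial setup" window and the sample users and key IDs are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumption: a key created within this window of the user's own CreateDate counts as
# "created during initial setup"; the control text gives no exact threshold.
SETUP_WINDOW = timedelta(minutes=5)

def find_noncompliant(users, login_profiles, access_keys, window=SETUP_WINDOW):
    """users: [{"UserName", "CreateDate"}]; login_profiles: set of usernames that have a
    console password; access_keys: {username: [{"AccessKeyId", "Status", "CreateDate"}]}.
    Returns sorted (username, access_key_id) pairs violating the control."""
    findings = []
    for user in users:
        name = user["UserName"]
        if name not in login_profiles:
            continue  # no console password: out of scope for this control
        for key in access_keys.get(name, []):
            # Inactive keys are not flagged; keys created long after setup are not either
            if key["Status"] == "Active" and abs(key["CreateDate"] - user["CreateDate"]) <= window:
                findings.append((name, key["AccessKeyId"]))
    return sorted(findings)

def collect_from_aws(window=SETUP_WINDOW):
    """Live collector; needs iam:ListUsers, iam:ListAccessKeys, iam:GetLoginProfile."""
    import boto3  # imported here so the offline sample below runs without boto3 installed
    iam = boto3.client("iam")
    users, profiles, keys = [], set(), {}
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            users.append({"UserName": u["UserName"], "CreateDate": u["CreateDate"]})
            try:
                iam.get_login_profile(UserName=u["UserName"])
                profiles.add(u["UserName"])
            except iam.exceptions.NoSuchEntityException:
                pass  # console access was never enabled for this user
            keys[u["UserName"]] = iam.list_access_keys(UserName=u["UserName"])["AccessKeyMetadata"]
    return find_noncompliant(users, profiles, keys, window)

# Constructed sample data: fictitious users and key IDs, not real credentials
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [{"UserName": n, "CreateDate": T0} for n in ("alice", "bob", "svc-deploy")]
SAMPLE_PROFILES = {"alice", "bob"}  # svc-deploy is API-only, no console password
SAMPLE_KEYS = {
    "alice": [{"AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active", "CreateDate": T0 + timedelta(seconds=20)}],
    "bob": [{"AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active", "CreateDate": T0 + timedelta(days=30)}],
    "svc-deploy": [{"AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Active", "CreateDate": T0}],
}

if __name__ == "__main__":
    for name, key_id in find_noncompliant(SAMPLE_USERS, SAMPLE_PROFILES, SAMPLE_KEYS):
        print(f"NON-COMPLIANT: {name} has a console password and setup-time key {key_id}")
```

Only alice is reported: bob's key was created a month after setup and svc-deploy has no console password, so both fall outside the control.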
Implementation Plan:
Using AWS Console:
Navigate to IAM → Users.
Identify users who have both console password access and access keys.
For users who do not require API/CLI access:
Select the user → Security credentials tab.
Under Access keys, choose Deactivate or Delete for each key.
For future user creation:
During user setup, when selecting Provide user access, enable AWS Management Console access only.
Leave Access key - Programmatic access unchecked.
Implement a standard operating procedure (SOP) to:
Create separate IAM users for console-only access and API-only access.
Use IAM roles for programmatic access instead of long-term access keys where possible.
Backout Plan:
If an application or script fails after removing an access key, temporarily recreate the key for that specific use case.
Transition to using IAM roles or temporary credentials (via AWS STS) to avoid long-term access key usage.