Open menu
-->

AWS IAM SSH Public Keys Rotation (30 Days)

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: Low (generally tolerable level of risk)

Ensure that all your IAM SSH public keys are rotated every month in order to decrease the likelihood of accidental exposures and protect your AWS CodeCommit repositories against unauthorized access.

This rule resolution is part of the Cloud Conformity Security Package

Rotating periodically the SSH keys assigned to your IAM users will significantly reduce the chances that a compromised set of keys can be used without your knowledge to access your private Git repositories hosted with AWS CodeCommit.

Audit

To determine if your AWS IAM users hold any outdated (older than 30 days) SSH public keys, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Under SSH keys for AWS CodeCommit section, in the Uploaded column:

Under SSH keys for AWS CodeCommit section, in the Uploaded column

check for any SSH keys older than 30 days with the status set to Active:

check for any SSH keys older than 30 days with the status set to Active

If an active public key is older than 30 days, the key is outdated and needs to be changed in order to secure the access to your private repositories.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users available within your account:

aws iam list-users
	--query 'Users[*].UserName'

02 The command output should return an array that contains all IAM user names:

[
    "David",
    "John",
    ...
    "Mark"
]

03 Run list-ssh-public-keys command (OSX/Linux/UNIX) using the IAM user name that you want to examine as command parameter to expose the metadata of each SSH public key assigned to the selected IAM user

aws iam list-ssh-public-keys
	--region us-east-1
	--user-name David

04 The command output should return the metadata of each SSH key currently available:

{
    "SSHPublicKeys": [
        {
            "UserName": "David",
            "Status": "Active",
            "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ",
            "UploadDate": "2015-07-20T12:35:41Z"
        }
    ]
}

Verify the UploadDate property value for each active SSH key returned to determine its upload date. If the IAM user active SSH public key lifetime is longer than 30 days, the key is outdated and it must be changed (rotated) in order to secure the access to AWS CodeCommit repositories.

05 Repeat steps no. 3 and 4 for each IAM user that you want to examine, available in your AWS account.

Remediation / Resolution

To rotate (change) your outdated IAM SSH public keys, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 In SSH keys for AWS CodeCommit section, click Upload SSH public key button to initiate the upload process for the new SSH public key, e.g.

click Upload SSH public key button to initiate the upload process for the new SSH public key

key that will replace the old one.

07 Click Upload SSH public key button to upload the new public key to AWS IAM and return to the user configuration page.

08 Click the Close button to close the dialog box and return to the configuration page. The IAM user should have now two active SSH keys.

09 Update your AWS CodeCommit SSH connection configuration by replacing the existing SSH Key ID (e.g., APKAJX7IAROZU5N2OA6Q) with the new key ID, then test the new public key by connecting to the necessary repositories. This test is performed to ensure that the newly added SSH key is working properly.

10 Once the new public key is validated, return to the IAM user configuration page, identify the outdated key and click the Delete link:

identify the outdated key and click the Delete link

to remove it from AWS IAM.

11 In the Delete SSH Key confirmation box, click Delete to remove the selected key.

12 Repeat steps no. 4 – 11 to rotate any outdated SSH public keys assigned to other IAM users available in your AWS account.

Using AWS CLI

01 Run upload-ssh-public-key command (OSX/Linux/UNIX) using the IAM user name and the SSH public key (encoded in ssh-rsa or PEM format) as command parameters to upload the new key to AWS IAM. The following example uploads an SSH public key and associates it with an IAM user named "David":

aws iam upload-ssh-public-key
	--region us-east-1
	--user-name David
	--ssh-public-key-body 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAipfY1cM3Scrg5Av57ndpWKc/6Nrb6fi0mkGp6yP96VBAVmIaayxntSQokYCbcIsJvWkN5pPzCINBfM8YHQIvDePyrNC+TmA2t5JWVsUh40FZ8jK6gdlCOQTxLqZSClCgYj1YUsa+hwxfyzGGADTzs726uvSpru0P4CVUm9s6r/SOP9jGmn8r+tiarWf5Kr9+QCMlrajj8/RGr0bdlSWQG9SSh1xlw6/dmy1s1G/sUvD72YiT7hMpYB/perKbcaADLN9Dle4daBT2y8rcfZDqn2+Ml25iZLz+VFzLsos9jmdiImX5+2t0Ry7qak1wVFaAZH3Zkvv9ssGBT58s7wd/kQ== ec2-user@ip-172-35-80-15'

02 The command output should return the uploaded SSH key metadata:

{
    "SSHPublicKey": {
        "UserName": "David",
        "Status": "Active",
        "SSHPublicKeyBody": "ssh-rsa AAAAB ... ec2-user@ip-172-35-80-15",
        "UploadDate": "2016-08-23T18:36:13.242Z",
        "Fingerprint": "f0:b1:8f:4c:d5:4a:db:67:f4:64:4d:c6:b5:6c:a8:4a",
        "SSHPublicKeyId": "APKAIUKDLYNNQMVB6GCA"
    }
}

03 Update your AWS CodeCommit SSH connection configuration by replacing the existing SSH Key ID (e.g., APKAJX7IAROZU5N2OA6Q) with the new key ID returned at the previous step as the value of the SSHPublicKeyId property (highlighted), then test the new public key by connecting to your private repositories. This test is performed to ensure that the new SSH key is working accordingly.

04 Once the new SSH public key is validated, run delete-ssh-public-key command (OSX/Linux/UNIX) to remove the outdated key by using its ID as identifier. The following example deletes an old SSH public key with the ID APKAJX7IAROZU5N2OA6Q, associated with an IAM user named "David" (if successful, the command does not return an output):

aws iam delete-ssh-public-key
	--region us-east-1
	--user-name David
	--ssh-public-key-id APKAJX7IAROZU5N2OA6Q

05 Repeat steps no. 1 – 4 to replace any outdated SSH public keys assigned to other IAM users available in your AWS account.

References

Publication date Aug 24, 2016