
AWS IAM SSH Public Keys Rotation (90 Days)


Risk level: High (act today)

Ensure that all your IAM SSH public keys are rotated every 90 days in order to decrease the likelihood of accidental exposures and protect your AWS CodeCommit repositories from unauthorized access.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Periodically rotating the SSH keys assigned to your IAM users significantly reduces the window in which a compromised key can be used, without your knowledge, to access private repositories hosted in AWS CodeCommit. IAM does not expire SSH public keys on its own, so rotation has to be enforced by checking the age of each key.

Audit

To determine if your AWS IAM users keep any outdated (older than 90 days) SSH public keys, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Under SSH keys for AWS CodeCommit section, check the Uploaded column for any SSH keys older than 90 days whose status is set to Active.

If an active public key is older than 90 days, the key is outdated and needs to be changed in order to secure the access to your private Git repositories.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users available within your account:

aws iam list-users \
	--query 'Users[*].UserName'

02 The command output should return an array that contains all IAM user names:

[
    "Jack",
    "Robert",
    ...
    "Philip"
]

03 Run list-ssh-public-keys command (OSX/Linux/UNIX) using the IAM user name that you want to examine as the command parameter to return the metadata of each SSH public key assigned to the selected IAM user:

aws iam list-ssh-public-keys \
	--region us-east-1 \
	--user-name Jack

04 The command output should return the metadata of each SSH key currently available:

{
    "SSHPublicKeys": [
        {
            "UserName": "Jack",
            "Status": "Active",
            "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ",
            "UploadDate": "2015-07-20T12:35:50Z"
        }
    ]
}

Verify the UploadDate property value for each active SSH key returned to determine its upload date. If the IAM user SSH public key lifetime is longer than 90 days, the key is outdated and it must be changed (rotated) in order to secure the access to AWS CodeCommit repositories.

05 Repeat steps no. 3 and 4 for each IAM user that you want to examine, available in your AWS account.
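As an added example that is not part of the original page, the following Python script automates the CLI audit above across every IAM user in the account: it pages through list-users and list-ssh-public-keys (both APIs paginate, so a single call can silently miss users and keys), applies the 90-day check only to keys whose Status is Active, and exits non-zero when it finds anything so it can run from a scheduled job. It uses boto3 for the live run; the SAMPLE_KEYS list is constructed in the shape of the list-ssh-public-keys output shown above, and the APKAEXAMPLE... key IDs are made up.

```python
"""Audit: find Active IAM SSH public keys (used for CodeCommit) older than N days."""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90


def _as_utc(value):
    """UploadDate is a datetime when it comes from boto3 and an ISO-8601 string
    (e.g. '2015-07-20T12:35:50Z') when read from saved `aws iam` CLI output."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def outdated_keys(ssh_keys, now=None, max_age_days=MAX_AGE_DAYS):
    """Return (user, key_id, age_days) for every Active key older than max_age_days.
    `ssh_keys` is the SSHPublicKeys list from list-ssh-public-keys. Inactive keys
    cannot be used to reach CodeCommit, so they are not a rotation finding here."""
    now = _as_utc(now or datetime.now(timezone.utc))
    findings = []
    for key in ssh_keys:
        if key["Status"] != "Active":
            continue
        age = now - _as_utc(key["UploadDate"])
        if age > timedelta(days=max_age_days):
            findings.append((key["UserName"], key["SSHPublicKeyId"], age.days))
    return findings


def audit_account(iam):
    """Walk every IAM user and collect outdated Active SSH keys.
    `iam` is a boto3 IAM client. ListUsers and ListSSHPublicKeys are both
    paginated, so paginators are used rather than a single call per API."""
    findings = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = []
            for kpage in iam.get_paginator("list_ssh_public_keys").paginate(UserName=name):
                keys.extend(kpage["SSHPublicKeys"])
            findings.extend(outdated_keys(keys))
    return findings


# Constructed sample in the shape of the CLI output above; the APKAEXAMPLE IDs are made up.
SAMPLE_KEYS = [
    {"UserName": "Jack", "Status": "Active",
     "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ", "UploadDate": "2015-07-20T12:35:50Z"},
    {"UserName": "Jack", "Status": "Active",
     "SSHPublicKeyId": "APKAEXAMPLE0RECENT12", "UploadDate": "2016-08-23T18:36:13.242Z"},
    {"UserName": "Jack", "Status": "Inactive",
     "SSHPublicKeyId": "APKAEXAMPLE0000OLD12", "UploadDate": "2014-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    import sys
    import boto3  # only needed for the live account walk

    if "--sample" in sys.argv:
        # Offline run against the constructed sample, evaluated as of 2016-09-01.
        results = outdated_keys(SAMPLE_KEYS, now="2016-09-01T00:00:00Z")
    else:
        results = audit_account(boto3.client("iam"))
    for user, key_id, age in results:
        print(f"{user}\t{key_id}\t{age} days old")
    sys.exit(1 if results else 0)
```

Run it with `--sample` to see the shape of the output without AWS credentials; without the flag it needs credentials that allow iam:ListUsers and iam:ListSSHPublicKeys. The comparison is strict (older than 90 days), matching the wording of the rule.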

Remediation / Resolution

To rotate (change) an outdated IAM SSH public key, first generate a new key pair locally (for example with ssh-keygen) and keep the private half on the user's machine; only the public half is uploaded to IAM. Do not re-upload the existing public key, as that only resets the upload date without changing the credential. Then perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 In SSH keys for AWS CodeCommit section, click Upload SSH public key button, then paste the new public key (the public half of the key pair generated for this rotation) into the dialog box.

07 Click Upload SSH public key button to upload the new public key to AWS IAM.

08 Click the Close button to close the dialog box and return to the configuration page. The IAM user should now have two active SSH public keys.

09 Update your AWS CodeCommit SSH connection configuration (the User value of the git-codecommit Host entry in ~/.ssh/config) by replacing the existing SSH Key ID (e.g., APKAJYZYI7KYMA6S25CQ) with the new key ID, then test the new public key by connecting to the necessary repositories. This test confirms that the newly added SSH key works before the old one is removed.

10 Once the new public key is validated, return to the IAM user configuration page, identify the outdated key (the one with the old SSH Key ID and the older Uploaded date) and click the Delete link to remove it from AWS IAM.

11 In the Delete SSH Key confirmation box, click Delete to remove the selected key.

12 Repeat steps no. 4 – 11 to replace any outdated SSH public keys assigned to other IAM users available in your AWS account.

Using AWS CLI

01 Run upload-ssh-public-key command (OSX/Linux/UNIX) using the IAM user name and the new SSH public key (encoded in PEM or SSH-RSA format) as command parameters to upload the key to AWS IAM. The following example uploads an SSH-RSA public key and assigns it to an IAM user named "Jack":

aws iam upload-ssh-public-key \
	--region us-east-1 \
	--user-name Jack \
	--ssh-public-key-body 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAipfY1cM3Scrg5Av57ndpWKc/6Nrb6fi0mkGp6yP96VBAVmIaayxntSQokYCbcIsJvWkN5pPzCINBfM8YHQIvDePyrNC+TmA2t5JWVsUh40FZ8jK6gdlCOQTxLqZbdUxgYj1YUsa+hwxfyzGGADTzs726uvSpru0P4CVUm9s6r/SOP9jGmn8r+tiarWf5Kr9+QCMlrajj8/RGr0bdlSWQG9SSh1xlw6/dmy1s1G/sUvD72YiT7hMpYB/perKbcaADLN9Dle4daBT2y8rcfZDqn2+Ml25iZLz+VFzLsos9jmdiImX5+2t0Ry7qak1wVFaAZH3Zkvv9ssGBT58s7wd/kQ== ec2-user@ip-172-30-11-90'

02 The command output should return the uploaded SSH key metadata:

{
    "SSHPublicKey": {
        "UserName": "Jack",
        "Status": "Active",
        "SSHPublicKeyBody": "ssh-rsa AAAAB ... ec2-user@ip-172-30-11-90",
        "UploadDate": "2016-08-23T18:36:13.242Z",
        "Fingerprint": "f0:d2:8f:4c:d5:4a:db:67:f4:64:4d:c6:b5:6c:a8:4a",
        "SSHPublicKeyId": "APKAJR372EROJTUMHSHQ"
    }
}

03 Update your AWS CodeCommit SSH connection configuration (the User value of the git-codecommit Host entry in ~/.ssh/config) by replacing the existing SSH Key ID (e.g., APKAJYZYI7KYMA6S25CQ) with the key ID returned at the previous step as the value of the SSHPublicKeyId property, then test the new public key by connecting to your private repositories. This test confirms that the new SSH key works before the old one is removed.

04 Once the new SSH public key is validated, run delete-ssh-public-key command (OSX/Linux/UNIX) to remove the outdated key by using its ID as identifier. Make sure to pass the ID of the old key, not the ID returned at step 02, otherwise you delete the key you have just uploaded. The following example deletes the old SSH public key with the ID APKAJYZYI7KYMA6S25CQ, assigned to an IAM user named "Jack" (if successful, the command does not return an output):

aws iam delete-ssh-public-key \
	--region us-east-1 \
	--user-name Jack \
	--ssh-public-key-id APKAJYZYI7KYMA6S25CQ

05 Repeat steps no. 1 – 4 to replace any outdated SSH public keys assigned to other IAM users available in your AWS account.
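The remediation steps above, as an added example in Python (not code from the original page or from AWS): it uploads the new public key, rewrites the User field of the git-codecommit Host block in ~/.ssh/config, runs a validation callback, and only then deletes the old key, refusing outright if the new and old key IDs coincide, so both keys stay active until the new one is proven to work. The ssh probe against git-codecommit.<region>.amazonaws.com is the connection check AWS documents for CodeCommit SSH setup; the SAMPLE_SSH_CONFIG text and the assumption that key IDs are APKA plus 16 characters (the shape of the IDs on this page) are my own.

```python
"""Remediation: rotate one IAM user's CodeCommit SSH key end to end, deleting the
old key only after the new one has been validated."""
import re
import subprocess
from pathlib import Path

# Assumption: IAM SSH key IDs look like APKA + 16 uppercase alphanumerics (as on this page).
KEY_ID_RE = re.compile(r"^APKA[A-Z0-9]{16}$")


def update_ssh_config(config_text, old_key_id, new_key_id):
    """Return (new_text, replacements) with `User <old_key_id>` swapped for the new
    ID, but only inside Host blocks that point at CodeCommit. CodeCommit identifies
    the key by its IAM key ID sent as the SSH user name, so the ID is what changes."""
    if not (KEY_ID_RE.match(old_key_id) and KEY_ID_RE.match(new_key_id)):
        raise ValueError("key IDs must look like APKA followed by 16 characters")
    out, in_codecommit, replaced = [], False, 0
    for line in config_text.splitlines(keepends=True):
        stripped = line.strip()
        if re.match(r"(?i)^host\s", stripped):
            in_codecommit = "git-codecommit." in stripped.lower()
        elif in_codecommit and re.match(rf"(?i)^user\s+{re.escape(old_key_id)}\s*$", stripped):
            line = line.replace(old_key_id, new_key_id)
            replaced += 1
        out.append(line)
    if replaced == 0:
        raise ValueError(f"no CodeCommit Host block uses key {old_key_id}")
    return "".join(out), replaced


def codecommit_ssh_probe(region):
    """Validation step: the documented `ssh git-codecommit.<region>.amazonaws.com`
    check, which answers 'You have successfully authenticated over SSH' when the
    key ID in ~/.ssh/config and the uploaded public key match."""
    proc = subprocess.run(
        ["ssh", "-T", f"git-codecommit.{region}.amazonaws.com"],
        capture_output=True, text=True, timeout=60,
    )
    return "successfully authenticated" in (proc.stdout + proc.stderr)


def rotate_key(iam, user_name, new_pubkey_path, old_key_id, validate,
               ssh_config_path=Path.home() / ".ssh" / "config"):
    """Upload -> repoint config -> validate -> delete old. `iam` is a boto3 IAM
    client; `validate` is a zero-argument callable returning True on success."""
    body = Path(new_pubkey_path).read_text().strip()
    resp = iam.upload_ssh_public_key(UserName=user_name, SSHPublicKeyBody=body)
    new_key_id = resp["SSHPublicKey"]["SSHPublicKeyId"]
    # Guard against deleting the key that was just uploaded.
    if new_key_id == old_key_id:
        raise RuntimeError("new key ID equals old key ID; refusing to delete anything")
    cfg = Path(ssh_config_path)
    new_cfg, _ = update_ssh_config(cfg.read_text(), old_key_id, new_key_id)
    cfg.write_text(new_cfg)
    if not validate():
        # Leave both keys Active so the user is never locked out by a failed rotation.
        raise RuntimeError(
            f"new key {new_key_id} failed validation; old key {old_key_id} left in place")
    iam.delete_ssh_public_key(UserName=user_name, SSHPublicKeyId=old_key_id)
    return new_key_id


# Constructed ~/.ssh/config sample: only the CodeCommit block must change.
SAMPLE_SSH_CONFIG = """\
Host git-codecommit.*.amazonaws.com
    User APKAJYZYI7KYMA6S25CQ
    IdentityFile ~/.ssh/codecommit_rsa

Host bastion
    User APKAJYZYI7KYMA6S25CQ
    IdentityFile ~/.ssh/bastion
"""

if __name__ == "__main__":
    import argparse
    import boto3

    ap = argparse.ArgumentParser(description="Rotate an IAM user's CodeCommit SSH key")
    ap.add_argument("user_name")
    ap.add_argument("new_pubkey", help="path to the new .pub file from ssh-keygen")
    ap.add_argument("old_key_id")
    ap.add_argument("--region", default="us-east-1")
    args = ap.parse_args()
    new_id = rotate_key(boto3.client("iam"), args.user_name, args.new_pubkey, args.old_key_id,
                        validate=lambda: codecommit_ssh_probe(args.region))
    print("rotated to", new_id)
```

Generate the new pair first (for example `ssh-keygen -t rsa -b 4096 -f ~/.ssh/codecommit_rsa_new`), point IdentityFile at the new private key before running, and swap in a `git ls-remote` against one of your repositories as the validator if you prefer a repository-level check.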

Publication date Feb 5, 2018