
Unnecessary AWS IAM Access Keys

Security

Risk level: Medium (should be achieved)

Identify and deactivate any unnecessary IAM access keys as a security best practice. AWS allows at most two active access keys per IAM user, but having two active keys is recommended only during the key rotation process. Cloud Conformity strongly recommends deactivating the old key once the new one is created, so that only one access key remains active for the IAM user.

This rule resolution is part of the Cloud Conformity Security Package

Removing unnecessary AWS IAM access keys lowers the risk of unauthorized access to your AWS resources and components and keeps your configuration in line with AWS IAM security best practices.

Audit

To determine if your AWS IAM users have unnecessary active access keys, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Under the Access Keys section, in the Status column, check the current status of each access key associated with the IAM user. If the selected IAM user has more than one access key activated, the user access configuration does not adhere to AWS IAM security best practices and the risk of accidental exposure increases.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users within your account:

aws iam list-users
	--query 'Users[*].UserName'

02 The command output should return an array that contains all your IAM user names:

[
    "aws-s3-manager",
    ...
    "aws-emr-manager"
]

03 Run list-access-keys command (OSX/Linux/UNIX) using the IAM user name that you want to examine as the command parameter to return the current status of each access key associated with the selected IAM user:

aws iam list-access-keys
	--user-name aws-s3-manager

04 The command output should expose the metadata (ID, status, creation date, etc.) for each access key:

{
    "AccessKeyMetadata": [
        {
            "UserName": "aws-s3-manager",
            "Status": "Active",
            "CreateDate": "2016-05-17T16:13:42Z",
            "AccessKeyId": "AAAABBBBCCCCDDDDEEEE"
        },
        {
            "UserName": "aws-s3-manager",
            "Status": "Active",
            "CreateDate": "2016-05-17T16:13:51Z",
            "AccessKeyId": "EEEEDDDDCCCCBBBBAAAA"
        }
    ]
}

Check the Status property value for each key returned to determine its current state. If the Status property value for both IAM access keys is set to Active, the user access configuration does not adhere to AWS IAM security best practices and the risk of accidental exposure increases.

05 Repeat steps no. 3 and 4 for each IAM user that you want to examine, available in your AWS account.

Remediation / Resolution

To deactivate any unnecessary IAM access keys, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 In Access Keys section, choose one access key that will be used to provide access to AWS resources and update your application(s) code in order to utilize only the chosen key pair. Test your application(s) to make sure that the chosen access key is working.

07 In the same Access Keys section, identify your non-operational access key (other than the chosen one) and deactivate it by clicking the Make Inactive link.

08 In the Change Key Status confirmation box, click Deactivate to switch off the selected key.

09 Repeat steps no. 4 – 8 for each IAM user available in your AWS account.

Using AWS CLI

01 Update and test your application(s) code with the chosen access key ID and secret access key.

02 Run update-access-key command (OSX/Linux/UNIX) using the IAM user name and its non-operational access key ID as command parameters to deactivate the unnecessary key. See the Audit section part II (AWS CLI) to identify the unnecessary access key ID for the selected IAM user. The following example deactivates an access key with the ID AAAABBBBCCCCDDDDEEEE for an IAM user with the name aws-s3-manager (the command does not return any output):

aws iam update-access-key
	--access-key-id AAAABBBBCCCCDDDDEEEE
	--status Inactive
	--user-name aws-s3-manager

03 Run again list-access-keys command (OSX/Linux/UNIX) to make sure that the selected access key pair has been successfully deactivated:

aws iam list-access-keys
	--user-name aws-s3-manager

04 The command output should expose the metadata for each access key associated with the IAM user. If the Status of the non-operational key pair is set to Inactive, the key has been successfully switched off and the IAM user access configuration now adheres to security best practices:

{
    "AccessKeyMetadata": [
        {
            "UserName": "aws-s3-manager",
            "Status": "Inactive",
            "CreateDate": "2016-05-17T16:13:42Z",
            "AccessKeyId": "AAAABBBBCCCCDDDDEEEE"
        },
        {
            "UserName": "aws-s3-manager",
            "Status": "Active",
            "CreateDate": "2016-05-17T16:13:51Z",
            "AccessKeyId": "EEEEDDDDCCCCBBBBAAAA"
        }
    ]
}

05 Repeat steps no. 1 – 4 for each IAM user available in your AWS account.
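The following script is an added example covering both CLI procedures (Audit part II and Remediation part II); it is not part of this page or of Cloud Conformity's tooling. It consumes the JSON that aws iam list-access-keys prints (a constructed sample in that shape is embedded), flags users with more than one active key, selects the oldest active key for deactivation on the assumption that the application was moved to the newest key as in a rotation, builds the update-access-key command, and checks the post-remediation output.

```python
"""Added example (not Cloud Conformity's tooling): audit and remediation
helpers that work on the JSON shape `aws iam list-access-keys` prints."""
from datetime import datetime

# Constructed sample, copied in shape from the page's list-access-keys output.
SAMPLE = {"AccessKeyMetadata": [
    {"UserName": "aws-s3-manager", "Status": "Active",
     "CreateDate": "2016-05-17T16:13:42Z", "AccessKeyId": "AAAABBBBCCCCDDDDEEEE"},
    {"UserName": "aws-s3-manager", "Status": "Active",
     "CreateDate": "2016-05-17T16:13:51Z", "AccessKeyId": "EEEEDDDDCCCCBBBBAAAA"},
]}

def active_keys(output):
    """Active keys for one user, oldest CreateDate first."""
    keys = [k for k in output["AccessKeyMetadata"] if k["Status"] == "Active"]
    return sorted(keys, key=lambda k: datetime.strptime(k["CreateDate"], "%Y-%m-%dT%H:%M:%SZ"))

def is_compliant(output):
    """The rule: at most one active access key per IAM user."""
    return len(active_keys(output)) <= 1

def audit_account(outputs_by_user):
    """Audit step 05 for every user: {user_name: list-access-keys output} in,
    sorted names of users that fail the rule out."""
    return sorted(u for u, out in outputs_by_user.items() if not is_compliant(out))

def plan_deactivation(output):
    """Remediation step 02. Assumes the application was moved to the newest
    key (as in a rotation), so the OLDEST active key is the one to switch off.
    Returns (key_id, argv for update-access-key), or None if already compliant."""
    keys = active_keys(output)
    if len(keys) <= 1:
        return None
    old = keys[0]
    argv = ["aws", "iam", "update-access-key",
            "--access-key-id", old["AccessKeyId"],
            "--status", "Inactive",
            "--user-name", old["UserName"]]
    return old["AccessKeyId"], argv

def apply_deactivation(output, key_id):
    """Expected post-remediation state (what list-access-keys should show once
    update-access-key succeeds); the input is left unmodified."""
    return {"AccessKeyMetadata": [
        dict(k, Status="Inactive") if k["AccessKeyId"] == key_id else dict(k)
        for k in output["AccessKeyMetadata"]]}

def verify_deactivated(output, key_id):
    """Remediation step 04: the chosen key is Inactive and the user is compliant."""
    statuses = {k["AccessKeyId"]: k["Status"] for k in output["AccessKeyMetadata"]}
    return statuses.get(key_id) == "Inactive" and is_compliant(output)
```

Against a real account, feed each user's parsed list-access-keys output to these functions and hand the returned argv to subprocess.run after the application has been tested with the remaining key.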

Publication date May 18, 2016