Ensure that no AWS IAM access keys are created during initial setup for IAM users that have a console password. By default, the IAM user creation wizard in the AWS Management Console pre-selects the option to generate access keys, so every new console user also receives a pair of static, long-lived credentials that are often never used but still have to be stored, rotated and protected against exposure.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Unnecessary IAM access keys add auditing and rotation work and widen the credential exposure surface for no benefit. Even when it is known that the IAM user will need programmatic access, Cloud Conformity recommends creating the access keys as a separate step after the IAM user has been created, as a security best practice: each key then corresponds to an actual, documented need rather than to a default checkbox.
Audit
To identify any access keys created during initial IAM user setup, using the IAM credential report (get-credential-report), perform the following actions:
Remediation / Resolution
To remove any unnecessary and unused IAM access keys (delete-access-key), perform the following actions. If a key may already be in use, deactivate it first (update-access-key with status Inactive), confirm that nothing breaks, and only then delete it:
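The audit and remediation steps above are paywalled on this page, so the following is an added example, not Cloud Conformity's or AWS's own code, that covers both: it parses an IAM credential report, flags active access keys that were created at the same moment as a console-enabled user (the report's `access_key_N_last_rotated` column is the creation time of a key that has never been rotated), and then emits the exact `aws iam` CLI calls to remediate. The report columns and the CLI commands are real; `SAMPLE_REPORT`, `SAMPLE_KEYS`, the user names, the key IDs and the 5-minute `SETUP_WINDOW` are constructed assumptions.

```python
"""Audit an IAM credential report for access keys created during user setup,
then emit the matching CLI remediation commands.

Added example for this rule; not Cloud Conformity's or AWS's code. The
credential report columns and the `aws iam` commands are real. SAMPLE_REPORT,
SAMPLE_KEYS, the user names, key IDs and SETUP_WINDOW are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumption: a key created within this long of the user itself was created by
# the setup wizard (in practice the two timestamps are a second or two apart).
SETUP_WINDOW = timedelta(minutes=5)

# Constructed sample of the decoded report, trimmed to the columns used below.
# Real data:  aws iam generate-credential-report
#             aws iam get-credential-report --query Content --output text | base64 -d
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-06-01T12:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-03-04T09:15:02+00:00,true,true,2024-03-04T09:15:03+00:00,N/A,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2024-03-04T10:00:00+00:00,true,true,2024-05-20T08:30:00+00:00,2024-06-01T07:12:44+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-02-10T16:40:00+00:00,false,true,2024-02-10T16:40:01+00:00,2024-06-11T03:00:09+00:00,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-01-15T11:00:00+00:00,true,true,2024-01-15T11:00:01+00:00,2024-06-10T14:25:00+00:00,false,N/A,N/A
"""

# Constructed `aws iam list-access-keys --user-name <user>` responses. The
# credential report carries no key IDs, so remediation needs this second lookup.
SAMPLE_KEYS = {
    "alice": [{"AccessKeyId": "AKIAALICE0000EXAMPLE", "Status": "Active",
               "CreateDate": "2024-03-04T09:15:03+00:00"}],
    "carol": [{"AccessKeyId": "AKIACAROL0000EXAMPLE", "Status": "Active",
               "CreateDate": "2024-01-15T11:00:01+00:00"}],
}


def _parse_ts(value):
    """Report timestamps are ISO 8601, or N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_setup_keys(report_csv, window=SETUP_WINDOW):
    """One finding per active access key created together with a console user.
    Users without a console password (service/CI users) are out of scope."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        created = _parse_ts(row["user_creation_time"])
        if created is None:
            continue
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            # For a never-rotated key, last_rotated is its creation time.
            key_created = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if key_created is None or abs(key_created - created) > window:
                continue
            findings.append({
                "user": row["user"],
                "slot": slot,
                "key_created": key_created,
                "never_used": row[f"access_key_{slot}_last_used_date"] == "N/A",
            })
    return findings


def remediation_commands(findings, keys_by_user):
    """Match each finding to its AccessKeyId by creation time. Keys that were
    never used are deleted outright; keys that have been used are only
    deactivated, so any workload still depending on them fails visibly
    before the key is removed for good."""
    commands = []
    for f in findings:
        for key in keys_by_user.get(f["user"], []):
            if _parse_ts(key["CreateDate"]) != f["key_created"]:
                continue
            if f["never_used"]:
                commands.append(f"aws iam delete-access-key --user-name {f['user']} "
                                f"--access-key-id {key['AccessKeyId']}")
            else:
                commands.append(f"aws iam update-access-key --user-name {f['user']} "
                                f"--access-key-id {key['AccessKeyId']} --status Inactive")
    return commands


if __name__ == "__main__":
    found = find_setup_keys(SAMPLE_REPORT)
    for f in found:
        state = "never used" if f["never_used"] else "in use"
        print(f"{f['user']}: access key {f['slot']} created with the user ({state})")
    for cmd in remediation_commands(found, SAMPLE_KEYS):
        print(cmd)
```

Against the constructed data, `alice` (key never used) gets a `delete-access-key` command, `carol` (key in use) only gets an `update-access-key ... --status Inactive`, `bob` is clean because his key was created weeks after the user, and `ci-deploy` is ignored because it has no console password. To run it for real, replace `SAMPLE_REPORT` with the base64-decoded output of `get-credential-report` (call `generate-credential-report` first; IAM may otherwise serve a cached report up to four hours old) and build `keys_by_user` from `list-access-keys` for each flagged user.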
References
- AWS Documentation
  - AWS IAM FAQs
  - Best Practices for Managing AWS Access Keys
  - Managing Access Keys for IAM Users
- AWS Command Line Interface (CLI) Documentation
  - iam
    - get-credential-report
    - delete-access-key
Rule: Access Keys During Initial IAM User Setup
Risk level: Medium