Ensure that your existing IAM users are either being used for API access or for console access in order to reduce the risk of unauthorized access in case their credentials (access keys or passwords) are compromised.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Segregating the IAM users in your account by controlling their privileges will help you maintain a secure AWS environment. Cloud Conformity strongly recommends granting your IAM users the minimum amount of privileges necessary to perform the assigned task. Application users should use only access keys to programmatically access data in AWS and administrators who need console access should use only passwords to manage AWS resources.
Audit
To determine if your IAM users have both access keys and passwords assigned for authentication, perform the following:
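The check itself, as an added example that is not part of this Cloud Conformity page: it evaluates the JSON that `aws iam list-users`, `aws iam list-access-keys --user-name <user>` and `aws iam get-login-profile --user-name <user>` return and flags every user that has a console password and at least one active access key. The sample data is constructed; treating inactive keys as not counting is an assumption of this example.

```python
"""Audit: IAM users that have BOTH a console password and an active access key.

Inputs are dictionaries shaped like the CLI/boto3 JSON output of list-users,
list-access-keys and get-login-profile (constructed samples below).
"""
import json
from typing import Dict, List, Optional


def has_active_access_key(list_access_keys_output: dict) -> bool:
    """True if list-access-keys reported at least one key with Status=Active.
    Inactive keys are ignored (assumption): they cannot sign API requests."""
    return any(k.get("Status") == "Active"
               for k in list_access_keys_output.get("AccessKeyMetadata", []))


def has_console_password(get_login_profile_output: Optional[dict]) -> bool:
    """True if get-login-profile returned a LoginProfile. The CLI fails with a
    NoSuchEntity error when no password is set; that case is modelled as None."""
    return bool(get_login_profile_output and "LoginProfile" in get_login_profile_output)


def users_with_both(list_users_output: dict, access_keys_by_user: Dict[str, dict],
                    login_profile_by_user: Dict[str, Optional[dict]]) -> List[str]:
    """Return the names of users that violate the rule (both auth methods enabled)."""
    flagged = []
    for user in list_users_output.get("Users", []):
        name = user["UserName"]
        if (has_active_access_key(access_keys_by_user.get(name, {}))
                and has_console_password(login_profile_by_user.get(name))):
            flagged.append(name)
    return flagged


# Constructed sample data for four users; key ids are placeholders, not real keys.
SAMPLE_USERS = {"Users": [{"UserName": n} for n in
                          ("app-svc", "alice-admin", "carol-rotated", "bob-mixed")]}
SAMPLE_KEYS = {
    "app-svc": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active"}]},
    "alice-admin": {"AccessKeyMetadata": []},
    "carol-rotated": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Inactive"}]},
    "bob-mixed": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Inactive"},
                                        {"AccessKeyId": "AKIAEXAMPLE0000004", "Status": "Active"}]},
}
SAMPLE_PROFILES = {
    "app-svc": None,  # get-login-profile -> NoSuchEntity: API-only user, compliant
    "alice-admin": {"LoginProfile": {"UserName": "alice-admin"}},  # console-only, compliant
    "carol-rotated": {"LoginProfile": {"UserName": "carol-rotated"}},  # key deactivated, compliant
    "bob-mixed": {"LoginProfile": {"UserName": "bob-mixed"}},  # password + active key: flagged
}

if __name__ == "__main__":
    print(json.dumps(users_with_both(SAMPLE_USERS, SAMPLE_KEYS, SAMPLE_PROFILES)))
```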
Remediation / Resolution
Case A: To modify the access configuration by disabling the authentication via access keys for the required IAM users, perform the following:
Case B: To modify the access configuration by disabling the authentication via passwords for the required IAM users, perform the following:
References
- AWS Documentation
  - AWS Identity and Access Management FAQs
  - IAM Best Practices
  - Manage Users
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-users
    - list-access-keys
    - get-login-profile
    - delete-access-key
    - delete-login-profile
Rule: IAM User With Password And Access Keys
Risk level: Medium