Logo of Trend Micro

IAM User With Password And Access Keys

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: IAM-024

Ensure that your existing IAM users are either being used for API access or for console access in order to reduce the risk of unauthorized access in case their credentials (access keys or passwords) are compromised.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Segregating the IAM users in your account by controlling their privileges will help you maintain a secure AWS environment. Cloud Conformity strongly recommends granting your IAM users the minimum amount of privileges necessary to perform the assigned task. Application users should use only access keys to programmatically access data in AWS and administrators who need console access should use only passwords to manage AWS resources.

Audit

To determine if your IAM users have both access keys and passwords assigned for authentication, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the IAM user that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Inside Access Keys section, check for any access keys associated with the selected IAM user.

07 Inside Sign-In Credentials section, check the password configuration status for the selected IAM user.

08 If the user has one or more access keys assigned:

If the user has one or more access keys assigned

and its Password status is set to Yes:

Password status is set to Yes

the selected user access configuration is not following the IAM security best practices and the risk of exposing access credentials increases.

09 Repeat steps no. 4 – 8 for each IAM user that you want to examine available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users within your account: 

aws iam list-users
	--query 'Users[*].UserName'

02 The command output should return an array that contains all your IAM user names: 

[
    "John",
    "David",
    ...
    "Mark"
]

03 Run list-access-keys command (OSX/Linux/UNIX) using the IAM user name that you want to examine as command parameter to return the current status of each access key associated with the selected IAM user: 

aws iam list-access-keys
	--user-name John

04 The command output should expose the metadata (ID, status, creation date, etc) for each access key assigned: 

{
    "AccessKeyMetadata": [
        {
            "UserName": "John",
            "Status": "Active",
            "CreateDate": "2016-05-20T11:14:46Z",
            "AccessKeyId": "AAAABBBBCCCCDDDDEEEE"
        }
    ]
}

05 Run get-login-profile command (OSX/Linux/UNIX) to retrieve the login profile for the selected IAM user: 

aws iam get-login-profile
	--user-name John

06 The command output should return the specified user login profile metadata in case it has a password assigned and a 404 (NoSuchEntity) error otherwise: 

{
    "LoginProfile": {
        "UserName": "John",
        "CreateDate": "2016-05-23T08:28:01Z",
        "PasswordResetRequired": false
    }
}

07 If the list-access-keys command returns at least one access key pair at step no. 4 and get-login-profile command returns the user login profile metadata at step no. 6 without any errors, the selected IAM user is using both access keys and passwords for authentication. This user access configuration is not following IAM security best practices and increases the risk of exposing your access credentials.

08 Repeat steps no. 3 – 7 for each IAM user that you want to examine within your AWS account.

Remediation / Resolution

Case A: To modify the access configuration by disabling the authentication via access keys for the required IAM users, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the IAM user that you want to modify.

05 On the IAM user configuration page, select Security Credentials tab.

06 Inside the Access Keys section, identify any access keys (see Audit section) and remove them by clicking the Delete link:

Inside the Access Keys section, identify any access keys (see Audit section) and remove them by clicking the Delete link

accessible in the Actions column.

07 In the Delete Access Key confirmation box, click Delete to remove the selected key.

08 Repeat steps no. 4 – 7 for each IAM user utilized only for AWS console access that does not require access keys (e.g. human users with certain job functions or responsibilities such administrators and developers).

Using AWS CLI

01 Run delete-access-key command (OSX/Linux/UNIX) to remove the access key pair for the selected IAM user. See the Audit section part II (AWS CLI) to identify the users with access keys that are used only for AWS console access. The following command example removes an access key with the ID AAAABBBBCCCCDDDDEEEE for an IAM user with the name John (if successful, the command does not return an output): 

aws iam delete-access-key
	--access-key AAAABBBBCCCCDDDDEEEE
	--user-name John

02 Repeat step no. 1 for each IAM user utilized only for AWS console access that does not require access keys.

Case B: To modify the access configuration by disabling the authentication via passwords for the required IAM users, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, select Users.

04 Click on the IAM user that you want to modify.

05 On the IAM user configuration page, select Security Credentials tab.

06 Inside the Sign-In Credentials section, click the Manage Passwords button to access the password configuration page.

07 On the Manage Password configuration page, select Remove existing password and uncheck the Require user to create a new password at next sign-in option.

08 Click Apply to disable the authentication via password for the selected user. The Password configuration status should change to No.

09 Repeat steps no. 4 – 8 for each IAM user that does not require a password for authentication (e.g. programmatic users that interact with AWS services and resources through the API using the access keys assigned).

Using AWS CLI

01 Run delete-login-profile command (OSX/Linux/UNIX) to delete the password assigned to the selected IAM user, which removes the user’s ability to access the AWS environment through the management console. See the Audit section part II (AWS CLI) to identify the users with login profiles (passwords) that are used only to access AWS resources via API. The following command example removes the access to the AWS console for an IAM user with the name John (if successful, the command does not return an output): 

aws iam delete-login-profile
	--user-name John

02 Repeat step no. 1 for each IAM user utilized only for programmatic (API) access that does not require a password for authentication.

References

Publication date May 24, 2016

Related IAM rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

IAM User With Password And Access Keys

Risk level: Medium