Identify and deactivate any unnecessary IAM access keys as a security best practice. AWS allows you to assign a maximum of two active access keys to an IAM user, but this is recommended only during the key rotation process. Cloud Conformity strongly recommends deactivating the old key once the new one is created, so that only one access key remains active for the IAM user.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Removing unnecessary AWS IAM access keys will lower the risk of unauthorized access to your AWS resources and components, and adhere to AWS IAM security best practices.
Audit
To determine if your AWS IAM users have unnecessary active access keys, perform the following:
Remediation / Resolution
To deactivate any unnecessary IAM access keys, you need to perform the following:
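One way to script the audit and remediation described above, as an added example that is not Cloud Conformity's own procedure: it reads the JSON that `aws iam list-access-keys` returns per user, treats every active key except the newest as unnecessary, and emits the matching `aws iam update-access-key` commands. The user names, key IDs, sample data and function names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample input: per-user output of
# `aws iam list-access-keys --user-name <user>` (key IDs are fake placeholders).
SAMPLE_LISTINGS = json.loads("""
{
  "alice": {"AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEALICEOLD1",
     "Status": "Active", "CreateDate": "2018-06-01T09:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEALICENEW2",
     "Status": "Active", "CreateDate": "2019-02-11T14:30:00+00:00"}
  ]},
  "bob": {"AccessKeyMetadata": [
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLEBOBOLDKEY1",
     "Status": "Inactive", "CreateDate": "2017-01-15T08:00:00Z"},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLEBOBNEWKEY2",
     "Status": "Active", "CreateDate": "2019-01-20T08:00:00Z"}
  ]},
  "carol": {"AccessKeyMetadata": []}
}
""")

def _created(key):
    # Some CLI versions print a trailing "Z"; normalise it for fromisoformat.
    return datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))

def unnecessary_keys(listing):
    """Return a user's active keys other than the most recently created one."""
    active = sorted(
        (k for k in listing["AccessKeyMetadata"] if k["Status"] == "Active"),
        key=_created,
    )
    return active[:-1]  # empty when the user has zero or one active key

def remediation_commands(listings):
    """Build one deactivation command per unnecessary key, ordered by user."""
    cmds = []
    for user in sorted(listings):
        for key in unnecessary_keys(listings[user]):
            cmds.append(
                f"aws iam update-access-key --user-name {key['UserName']} "
                f"--access-key-id {key['AccessKeyId']} --status Inactive"
            )
    return cmds

if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_LISTINGS):
        print(cmd)
```

Deactivation can be reversed with `--status Active`, so run the generated commands only after confirming that workloads have switched to the newer key.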
References
- AWS Documentation
- AWS Identity and Access Management FAQs
- Best Practices for Managing AWS Access Keys
- Managing Access Keys for IAM Users
- AWS Command Line Interface (CLI) Documentation
- iam
- list-users
- list-access-keys
- update-access-key
You are auditing:
Unnecessary Access Keys
Risk level: Medium