AWS-IAM-user-access-keys-2-rotated-every-90-days

Severity: High

Description: This control ensures that  IAM Users active key2 is been rotated within 90 days. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.

Remediation Steps:

Perform following to update IAM policy for IAM user :

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to IAM console.

  3. In the navigation pane, choose Users.

  4. Click on Security Credentials.

  5. As an Administrator, Click on Make Inactive for keys that have not been rotated in 90 Days.

  6. As an IAM User, Click on Make Inactive or Delete for keys which have not been rotated or used in 90 Days.

  7. Click on Create Access Key.

  8. Update programmatic call with new Access Key credentials.

Important:

  • Changes in account credentials may take up to 4 hours to get reflected in the AWS IAM evaluations

Reference:

  • CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.14 (check 2)

Blue Hexagon Proprietary