AWS-IAM-Access-Keys-Extra

Severity: Medium

Description: This control ensures that no IAM users have more than one active access key. Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. User account should not allowed to have multiple access keys.

Remediation Steps:

Perform following to update IAM policy for IAM user :

1. Login to the AWS Management Console at https://console.aws.amazon.com.

2. Navigate to IAM console.

3. In the navigation pane, click Users.

4. Click on the IAM user name that need to disable the access key for.

5. On the IAM user configuration page, select the Security Credentials tab.

6. In the Access Keys section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically.

7. In the same Access Keys section, identify non-operational access keys (other than the chosen one) and deactivate it by clicking the Make Inactive link.

8. If receive the Change Key Status confirmation box, click Deactivate to switch off the selected key.

Important:

• Test application(s) to make sure that the chosen access key is working.

• Instead of immediate deletion, deactivating the key protect the accidental deletion of working key.

Reference:

• CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.13

• https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

• https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html