AWS-Glue-User-With-Two-Access-Keys

Severity : Medium

Description: This control ensures that IAM users with access to AWS Glue do not have more than one active access key. Access keys are long-term credentials for an IAM user; a Glue user's access key can be used to sign programmatic requests to AWS. A user account should not be allowed to have multiple active access keys.

Remediation Steps:

Perform the following steps to deactivate the additional access key for the IAM user:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the IAM console.

  3. In the navigation pane, click Users.

  4. Click the name of the IAM user whose access key needs to be disabled.

  5. On the IAM user configuration page, select the Security Credentials tab.

  6. In the Access Keys section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS Glue resources.

  7. In the same Access Keys section, identify the non-operational access keys (other than the chosen one) and deactivate them by clicking the Make Inactive link.

  8. If the Change Key Status confirmation box appears, click Deactivate to switch off the selected key.

Important:

  • Test the application(s) to make sure that the chosen access key is working.

  • Deactivating the key instead of deleting it immediately protects against accidental deletion of a working key.
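The console steps above can be checked programmatically. The following is an added example (not part of this control's text or of any AWS tooling) that flags IAM users with more than one Active access key and produces the plan from steps 6 to 8: keep the newest key under 90 days old and deactivate, never delete, the rest. It runs offline on constructed data shaped like the IAM ListAccessKeys response; the user names and access key ids are placeholders.

```python
# Added example (not from the original control): flag IAM users with more
# than one Active access key and plan the deactivation described in steps 6-8.
# It runs offline on metadata shaped like the IAM ListAccessKeys response;
# wiring it to boto3's iam.list_access_keys() is left to the reader.
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # the control keeps only a key younger than this


def plan_remediation(user_name, keys, now):
    """Return a plan for one user: keep the newest Active key under
    MAX_KEY_AGE_DAYS, deactivate (never delete) every other Active key."""
    active = [k for k in keys if k["Status"] == "Active"]
    if len(active) <= 1:
        return {"user": user_name, "compliant": True, "keep": None,
                "deactivate": [], "needs_rotation": False}
    cutoff = now - timedelta(days=MAX_KEY_AGE_DAYS)
    fresh = [k for k in active if k["CreateDate"] > cutoff]
    # No active key under 90 days: keep the newest anyway and flag for rotation.
    keep = max(fresh or active, key=lambda k: k["CreateDate"])
    return {"user": user_name, "compliant": False, "keep": keep["AccessKeyId"],
            "deactivate": sorted(k["AccessKeyId"] for k in active if k is not keep),
            "needs_rotation": not fresh}


def find_noncompliant(users_keys, now):
    """Apply plan_remediation to a {user: keys} mapping; return violations only."""
    plans = (plan_remediation(u, k, now) for u, k in users_keys.items())
    return [p for p in plans if not p["compliant"]]


def make_key(key_id, status, age_days, now):
    """Build one constructed ListAccessKeys-style entry (ids are placeholders)."""
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": now - timedelta(days=age_days)}


# Constructed sample: one user with two Active keys, one already compliant.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "glue-etl-user": [make_key("AKIAEXAMPLEOLD00001", "Active", 200, NOW),
                      make_key("AKIAEXAMPLENEW00002", "Active", 10, NOW)],
    "glue-crawler-user": [make_key("AKIAEXAMPLEONE00003", "Active", 30, NOW),
                          make_key("AKIAEXAMPLEINA00004", "Inactive", 400, NOW)],
}

if __name__ == "__main__":
    for plan in find_noncompliant(SAMPLE, NOW):
        print(plan)
```

A user whose Active keys are all older than 90 days is still reported, with needs_rotation set, so the remaining key can be rotated after the extra one is deactivated.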

Reference:

Blue Hexagon Proprietary