AWS-IAM-Access-Keys-in-IAM-User-Setup

Severity : Medium

Description: This control checks if IAM users have active access key and console password. Access keys are long-term credentials for an IAM user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. If access key is compromised, an unauthorized users will have access to AWS accountUser account. As a best practice its recommended to use temporary security credentials using IAM roles instead of access keys.

Remediation Steps:

Perform following to update IAM user :

1. Login to the AWS Management Console at https://console.aws.amazon.com.

2. Navigate to IAM console.

3. In the navigation pane, click Users.

4. Click on the IAM user name that need to disable the access key for.

5. On the IAM user configuration page, select the Security Credentials tab.

6. In the Access Keys section, identify access key to disable. To deactivate key, Click Make Inactive.

7. If receive the Change Key Status confirmation box, click Deactivate to switch off the selected key.

8. To delete access key, choose Delete.

Important:

• Instead of immediate deletion, deactivating the key protect the accidental deletion of working application.

Reference:

• CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.4

• https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

• https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html