Ensure there is only one active access key available for any single IAM user

Each IAM user can have up to two access keys. Having two active access keys instead of one increases the risk of unauthorized access and credential compromise. It is also recommended to delete unused access keys.

Risk Level: High
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.51
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


IamUser should not have firstAccessKey.isActive=true and secondAccessKey.isActive=true


From Portal
Perform the following to delete or disable active root access keys via the AWS Console:

  1. Sign in to the AWS Management Console as Root and open the IAM console at https://console.aws.amazon.com/iam/.
  2. Click Users in the navigation pane.
  3. For the identified IAM user that has two active access keys, take appropriate action based on your company's policies.
  4. Delete one of the unused access keys.

From TF

resource "aws_iam_access_key" "positive1" {
	+ user    = "root"
	- id = "some_id_that_exists"
	+ status = "Inactive"
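
Review bot: the resource "aws_iam_access_key" "positive1" { block is never closed, so the snippet needs a final } before it can be applied. The added status = "Inactive" line deactivates only this one key resource; the rule fails when both of a user's keys are active, so also confirm that no second aws_iam_access_key for the same user is left active. The added user = "root" line sits oddly with a rule scoped to IAM users; name the affected IAM user there instead.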

From Command Line
To disable one of the active access keys, run:

aws iam update-access-key --access-key-id ACCESS_KEY_ID --status Inactive --user-name USERNAME
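
To find the users this rule flags before running the command above, the following added example (not CloudGuard's or AWS's code) applies the rule offline to an IAM credential report, the CSV returned by aws iam get-credential-report. The sample rows are constructed, and the "review first" ordering (never-used key first, then the older last use) is an assumption made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the IAM credential report CSV layout, trimmed to the
# columns this check reads (real reports carry more columns).
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2023-01-10T09:00:00+00:00,2024-03-01T12:00:00+00:00,true,2022-05-02T09:00:00+00:00,2022-06-01T08:30:00+00:00
bob,true,2023-02-11T09:00:00+00:00,2024-02-20T10:00:00+00:00,false,N/A,N/A
carol,true,2021-07-01T09:00:00+00:00,N/A,true,2023-09-15T09:00:00+00:00,2024-01-05T07:45:00+00:00
dave,true,2023-03-03T09:00:00+00:00,N/A,true,2022-03-03T09:00:00+00:00,N/A
"""


def _epoch(value):
    """Report timestamp -> epoch seconds; None for 'N/A' or other non-dates."""
    try:
        return datetime.fromisoformat(value).timestamp()
    except ValueError:
        return None


def users_with_two_active_keys(report_csv):
    """Return [(user, slot)] for users with both keys active.

    slot (1 or 2) is the key to review first: a never-used key ranks before a
    used one, then the older last-use (or last-rotated) time wins.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if not all(row[f"access_key_{n}_active"] == "true" for n in (1, 2)):
            continue

        def staleness(slot):
            used = _epoch(row[f"access_key_{slot}_last_used_date"])
            rotated = _epoch(row[f"access_key_{slot}_last_rotated"]) or 0.0
            return (used is not None, used if used is not None else rotated)

        findings.append((row["user"], min((1, 2), key=staleness)))
    return findings


if __name__ == "__main__":
    for user, slot in users_with_two_active_keys(SAMPLE_REPORT):
        # The report has no key IDs; list the user's keys to find the one to disable.
        print(f"{user}: two active keys, review key {slot} first "
              f"(aws iam list-access-keys --user-name {user})")
```

The credential report does not contain access key IDs, so map the flagged slot to an ACCESS_KEY_ID with aws iam list-access-keys before disabling it.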


  1. https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html
  2. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
  3. https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
  4. https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset