Ensure inactive IAM access keys are deleted
Deleting inactive IAM access keys reduces the security risk of mismanaged access keys.
Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.64
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
IamUser should not have (firstAccessKey.isActive=false and firstAccessKey.lastRotated > 0) or (secondAccessKey.isActive=false and secondAccessKey.lastRotated > 0)
REMEDIATION
From Portal
- Go to 'IAM'
- In the menu, under 'Access management', choose 'Users' and choose the relevant user
- Choose the 'Security credentials' tab
- Under 'Access keys' find the access key with 'Inactive' status
- Delete the IAM access key
From TF
To delete an IAM user access key, delete the following resource:
resource "aws_iam_access_key" "example_access_key" {
  # ...
  user = "USER-NAME"
  # ...
}
From Command Line
To list IAM access keys for a given user, run:
aws iam list-access-keys --user-name USER-NAME
To delete an inactive IAM access key, run:
aws iam delete-access-key --user-name USER-NAME --access-key-id ACCESS-KEY-ID
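The two commands above, combined into an account-wide check. This is an added example, not part of the original CloudGuard page or AWS documentation. It assumes a configured AWS CLI, uses `aws iam list-users` (not shown on this page) to enumerate users, and `DELETE` is a switch invented for this script.

```shell
#!/bin/sh
# Added example (not CloudGuard or AWS code): find every IAM access key in the
# Inactive state across all users and, only when asked, delete it.
# Assumptions: the AWS CLI is configured with iam:ListUsers, iam:ListAccessKeys
# and iam:DeleteAccessKey; DELETE is this script's own switch, not a CLI option.

# Print one "USER KEY_ID" pair per inactive access key in the account.
list_inactive_keys() {
  for lik_user in $(aws iam list-users \
      --query 'Users[].UserName' --output text); do
    for lik_key in $(aws iam list-access-keys --user-name "$lik_user" \
        --query "AccessKeyMetadata[?Status=='Inactive'].AccessKeyId" \
        --output text); do
      # Text output renders a null result as the literal "None"; skip it.
      if [ "$lik_key" = "None" ]; then
        continue
      fi
      # IAM user names and key IDs contain no whitespace, so a space is a
      # safe field separator.
      echo "$lik_user $lik_key"
    done
  done
}

# Dry run by default: prints what would be removed. Set DELETE=1 to delete.
remediate_inactive_keys() {
  list_inactive_keys | while read -r rik_user rik_key; do
    if [ "${DELETE:-0}" = "1" ]; then
      aws iam delete-access-key --user-name "$rik_user" \
        --access-key-id "$rik_key" && echo "deleted $rik_user $rik_key"
    else
      echo "would delete $rik_user $rik_key"
    fi
  done
}
```

Source the file and run `remediate_inactive_keys` to review the dry-run output, then repeat with `DELETE=1` set once the list has been confirmed.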
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-access-key.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-access-keys.html
IAM User
An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset