Ensure inactive IAM access keys are deleted

Deleting inactive IAM access keys reduces the security risk of mismanaged access keys.

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.64
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamUser should not have (firstAccessKey.isActive=false and firstAccessKey.lastRotated > 0) or (secondAccessKey.isActive=false and secondAccessKey.lastRotated > 0)

REMEDIATION

From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'Users' and choose the relevant user
  3. Choose the 'Security credentials' tab
  4. Under 'Access keys' find the access key with 'Inactive' status
  5. Delete the IAM access key

From TF
To delete an IAM user access key, delete the following resource:

resource "aws_iam_access_key" "example_access_key" {
	..
	user   = "USER-NAME"
	..
}

From Command Line
To list IAM access keys for a given user, run:

aws iam list-access-keys --user-name USER-NAME

To delete an inactive IAM access key, run:

aws iam delete-access-key --user-name USER-NAME --access-key-id ACCESS-KEY-ID
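The two commands above are the full manual procedure: list the user's keys, then delete each one whose status is Inactive. The following Python script is an added example (not part of this rule page or of the AWS CLI) that parses the JSON that `aws iam list-access-keys` prints, selects the Inactive keys, and builds the matching `aws iam delete-access-key` commands as a dry run, so an operator can review them before executing anything. The embedded JSON is a constructed sample with made-up user and key IDs; the compliance check mirrors the rule's intent (no inactive key may remain) and deliberately ignores the `lastRotated` term of the GSL expression, since that field is not present in the CLI output.

```python
import json
from typing import Dict, List

# Constructed sample of the JSON returned by
# `aws iam list-access-keys --user-name USER-NAME --output json`.
# The user name and access key IDs are made up for this example.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLEACTIVE001",
         "Status": "Active", "CreateDate": "2024-01-15T10:00:00+00:00"},
        {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLEINACTIVE2",
         "Status": "Inactive", "CreateDate": "2023-06-01T08:30:00+00:00"},
    ]
})


def inactive_access_keys(list_output: str) -> List[Dict[str, str]]:
    """Parse list-access-keys JSON and return the entries whose Status is 'Inactive'."""
    data = json.loads(list_output)
    return [
        key for key in data.get("AccessKeyMetadata", [])
        if key.get("Status") == "Inactive"
    ]


def remediation_commands(list_output: str) -> List[str]:
    """Build one delete-access-key command per inactive key.

    Nothing is executed here: the caller reviews the commands and runs them
    with the AWS CLI, matching the manual steps on this page.
    """
    return [
        "aws iam delete-access-key --user-name {} --access-key-id {}".format(
            key["UserName"], key["AccessKeyId"]
        )
        for key in inactive_access_keys(list_output)
    ]


def user_is_compliant(list_output: str) -> bool:
    """Compliant (for this rule's intent) iff the user has no inactive access key."""
    return not inactive_access_keys(list_output)


if __name__ == "__main__":
    # Dry run over the constructed sample: prints the command to delete the
    # single inactive key and leaves the active key untouched.
    for command in remediation_commands(SAMPLE_LIST_ACCESS_KEYS):
        print(command)
    print("compliant:", user_is_compliant(SAMPLE_LIST_ACCESS_KEYS))
```

In practice the input would come from piping the real CLI output into the script; keeping the deletion as a printed command rather than a subprocess call preserves the human review step, which matters because deleting a key is irreversible and an Inactive key is occasionally one that was only temporarily disabled during an investigation.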

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-access-key.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-access-keys.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset