Ensure IAM users have either access key or console password enabled

Ensuring IAM users are using either access key or console password reduces the security risk of mismanaged access controls.

Suggest Edits

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.65
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamUser should have passwordEnabled=false or (firstAccessKey.isActive=false and secondAccessKey.isActive=false)

REMEDIATION

From Portal

Go to 'IAM'
In the menu, under 'Access management', choose 'Users' and choose the relevant user
Choose the 'Security credentials' tab
If access keys are used, make sure 'Console password' is disabled under 'Sign-in credentials'
If 'Console password' is used, make sure to disable any access keys under 'Access keys'

From TF
To disable an IAM user access key, set 'status' to 'Inactive':

resource "aws_iam_access_key" "example_access_key" {
	..
	user   = "USER-NAME"
	status = "Inactive"
	..
}

To delete an IAM user login profile (password), delete the following resource:

resource "aws_iam_user_login_profile" "example_user_login_profile" {
	..
}

From Command Line
To list IAM access keys for a given user, run:

aws iam list-access-keys --user-name USER-NAME

To disable IAM user access key, run:

aws iam update-access-key --user-name USER-NAME --access-key-id ACCESS_KEY_ID --status Inactive

To determine whether an IAM user has a password, run:

aws iam get-login-profile --user-name USER-NAME

To delete an IAM user login profile (password), run:

aws iam delete-login-profile --user-name USER-NAME

References

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST v11.0.0
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5

Updated over 1 year ago