Ensure IAM users have either access key or console password enabled
Ensuring IAM users are using either access key or console password reduces the security risk of mismanaged access controls.
Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.65
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
IamUser should have passwordEnabled=false or (firstAccessKey.isActive=false and secondAccessKey.isActive=false)
REMEDIATION
From Portal
- Go to 'IAM'
- In the menu, under 'Access management', choose 'Users' and choose the relevant user
- Choose the 'Security credentials' tab
- If access keys are used, make sure 'Console password' is disabled under 'Sign-in credentials'
- If 'Console password' is used, make sure to disable any access keys under 'Access keys'
From TF
To disable an IAM user access key, set 'status' to 'Inactive':
resource "aws_iam_access_key" "example_access_key" {
..
user = "USER-NAME"
status = "Inactive"
..
}
To delete an IAM user login profile (password), delete the following resource:
resource "aws_iam_user_login_profile" "example_user_login_profile" {
..
}
From Command Line
To list IAM access keys for a given user, run:
aws iam list-access-keys --user-name USER-NAME
To disable IAM user access key, run:
aws iam update-access-key --user-name USER-NAME --access-key-id ACCESS_KEY_ID --status Inactive
To determine whether an IAM user has a password, run:
aws iam get-login-profile --user-name USER-NAME
To delete an IAM user login profile (password), run:
aws iam delete-login-profile --user-name USER-NAME
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-access-keys.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-access-key.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-login-profile.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-login-profile.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key#status
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile
IAM User
An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
Updated about 1 year ago