Ensure IAM users have either access key or console password enabled

Ensuring IAM users are using either access key or console password reduces the security risk of mismanaged access controls.

Risk Level: Low
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.65
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamUser should have passwordEnabled=false or (firstAccessKey.isActive=false and secondAccessKey.isActive=false)

REMEDIATION

From Portal

  1. Go to 'IAM'
  2. In the menu, under 'Access management', choose 'Users' and choose the relevant user
  3. Choose the 'Security credentials' tab
  4. If access keys are used, make sure 'Console password' is disabled under 'Sign-in credentials'
  5. If 'Console password' is used, make sure to disable any access keys under 'Access keys'

From TF
To disable an IAM user access key, set 'status' to 'Inactive':

resource "aws_iam_access_key" "example_access_key" {
	..
	user   = "USER-NAME"
	status = "Inactive"
	..
}

To delete an IAM user login profile (password), delete the following resource:

resource "aws_iam_user_login_profile" "example_user_login_profile" {
	..
}

From Command Line
To list IAM access keys for a given user, run:

aws iam list-access-keys --user-name USER-NAME

To disable IAM user access key, run:

aws iam update-access-key --user-name USER-NAME --access-key-id ACCESS_KEY_ID --status Inactive

To determine whether an IAM user has a password, run:

aws iam get-login-profile --user-name USER-NAME

To delete an IAM user login profile (password), run:

aws iam delete-login-profile --user-name USER-NAME

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-access-keys.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-access-key.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-login-profile.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-login-profile.html
  7. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key#status
  8. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset