AWS IAM SSH Public Keys are not rotated every 90 days or less
- Contextual name: SSH Public Keys are not rotated every 90 days or less
- ID: /ce/ca/aws/iam/ssh-public-keys-are-not-rotated-every-90-days
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Cloud Conformity: SSH Public Keys Rotated 90 Days
Description
Identify AWS IAM SSH public keys that have been active for more than 90 days without rotation.
Ensure that all IAM SSH public keys are rotated at least every 90 days to reduce the risk of accidental exposure and to protect AWS CodeCommit repositories from unauthorized access.
Rationale
IAM SSH public keys are used to authenticate users for programmatic access to services such as AWS CodeCommit. Similar to passwords and access keys, these credentials should be rotated regularly. Regular key rotation limits the amount of time a compromised key can be used to access source code repositories.
Audit
This policy flags an AWS IAM SSH Public Key as INCOMPLIANT if its Upload Date is older than 90 days. An AWS IAM SSH Public Key is marked as INAPPLICABLE if its Status is not set to Active, because an inactive key cannot be used for authentication and its age is therefore not assessed.
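The audit rule above, implemented as an added example (not the policy's own prod.logic.yaml logic): it evaluates each key against the Status and Upload Date conditions and reports the flag. The sample keys and their IDs are constructed placeholders; the `collect_keys` helper assumes a boto3 IAM client and is not exercised by the offline sample.

```python
from datetime import datetime, timedelta, timezone

# Fixed evaluation time so the constructed sample gives reproducible results.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_AGE_DAYS = 90

# Constructed sample keys. Each dict carries the fields that IAM ListSSHPublicKeys
# returns per key (UserName, SSHPublicKeyId, Status, UploadDate). The IDs are
# placeholders, not real IAM key IDs.
SAMPLE_KEYS = [
    {"UserName": "alice", "SSHPublicKeyId": "APKAEXAMPLEKEY0001", "Status": "Active",
     "UploadDate": NOW - timedelta(days=10)},
    {"UserName": "bob", "SSHPublicKeyId": "APKAEXAMPLEKEY0002", "Status": "Active",
     "UploadDate": NOW - timedelta(days=120)},
    {"UserName": "carol", "SSHPublicKeyId": "APKAEXAMPLEKEY0003", "Status": "Inactive",
     "UploadDate": NOW - timedelta(days=200)},
    {"UserName": "dave", "SSHPublicKeyId": "APKAEXAMPLEKEY0004", "Status": "Active",
     "UploadDate": NOW - timedelta(days=90)},
]


def evaluate_key(key, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return the policy flag for one IAM SSH public key.

    INAPPLICABLE: Status is anything other than Active, so the age is not assessed.
    INCOMPLIANT:  Active and uploaded more than max_age_days ago.
    COMPLIANT:    Active and uploaded max_age_days ago or more recently. The rule
                  is "older than 90 days", so a key exactly 90 days old still passes.
    """
    if key["Status"] != "Active":
        return "INAPPLICABLE"
    age = now - key["UploadDate"]
    if age > timedelta(days=max_age_days):
        return "INCOMPLIANT"
    return "COMPLIANT"


def evaluate_keys(keys, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Map every key ID to its flag, e.g. for a compliance report."""
    return {k["SSHPublicKeyId"]: evaluate_key(k, now, max_age_days) for k in keys}


def incompliant_keys(keys, now=NOW, max_age_days=MAX_AGE_DAYS):
    """List (user, key ID, age in days) for every key that needs rotation."""
    return [
        (k["UserName"], k["SSHPublicKeyId"], (now - k["UploadDate"]).days)
        for k in keys
        if evaluate_key(k, now, max_age_days) == "INCOMPLIANT"
    ]


def collect_keys(iam):
    """Gather SSH public keys for every IAM user from a boto3 IAM client (assumed
    API; not run here). Boto3 returns UploadDate as a timezone-aware datetime, so
    the keys can be passed straight to evaluate_keys with now=datetime.now(timezone.utc).
    """
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            resp = iam.list_ssh_public_keys(UserName=user["UserName"])
            keys.extend(resp["SSHPublicKeys"])
    return keys


if __name__ == "__main__":
    for key_id, flag in evaluate_keys(SAMPLE_KEYS).items():
        print(f"{key_id}: {flag}")
    print("needs rotation:", incompliant_keys(SAMPLE_KEYS))
```

Running the block against the constructed sample flags only bob's 120-day-old key; carol's key is INAPPLICABLE despite being 200 days old because it is Inactive, and dave's key at exactly 90 days is still COMPLIANT.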
Remediation
Rotate IAM SSH Public Key
Rotate IAM SSH public keys that have exceeded the recommended rotation period by creating a new key, updating dependent configurations, and removing the outdated key.
From Command Line
Generate and upload a new SSH public key
Run the upload-ssh-public-key command to upload the new SSH public key (PEM or SSH-RSA format) for the specified IAM user:

```bash
aws iam upload-ssh-public-key \
  --region {{region}} \
  --user-name {{user-name}} \
  --ssh-public-key-body file://{{sshkey.pub}} \
  --query SSHPublicKey.SSHPublicKeyId
```

Note the SSH Public Key ID returned by this command. It will be required in subsequent steps.
Update AWS CodeCommit SSH configuration
Replace the existing SSH Key ID in your CodeCommit SSH configuration with the newly generated key ID, then validate access to your repositories.
Example configuration:

```
Host git-codecommit.*.amazonaws.com
  User {{ssh-key-id}}
  IdentityFile {{private-key-file}}
```
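The rotation procedure (upload a new key, update the CodeCommit SSH configuration, retire the old key) as an added example, not code from the policy page or from AWS: it calls the IAM API methods by their boto3 names on a client object. `FakeIam` is a constructed in-memory stand-in so the flow runs offline; key IDs and the public key body are placeholders.

```python
def rotate_ssh_public_key(iam, user_name, new_public_key_body, delete_old=False):
    """Upload a new SSH public key for user_name, then retire every other key.

    iam is a boto3 IAM client (assumed; any object with the same method names works).
    Old keys are set to Inactive by default so access can be restored quickly if a
    dependent configuration was missed; pass delete_old=True to remove them instead.
    Returns (new_key_id, [retired_key_ids]).
    """
    resp = iam.upload_ssh_public_key(UserName=user_name, SSHPublicKeyBody=new_public_key_body)
    new_id = resp["SSHPublicKey"]["SSHPublicKeyId"]
    retired = []
    for key in iam.list_ssh_public_keys(UserName=user_name)["SSHPublicKeys"]:
        key_id = key["SSHPublicKeyId"]
        if key_id == new_id:
            continue
        if delete_old:
            iam.delete_ssh_public_key(UserName=user_name, SSHPublicKeyId=key_id)
        else:
            iam.update_ssh_public_key(UserName=user_name, SSHPublicKeyId=key_id, Status="Inactive")
        retired.append(key_id)
    return new_id, retired


def codecommit_ssh_config(key_id, identity_file):
    """Render the ~/.ssh/config stanza CodeCommit expects: the IAM SSH key ID is
    used as the SSH user name, so it must be replaced on every rotation."""
    return (
        "Host git-codecommit.*.amazonaws.com\n"
        f"  User {key_id}\n"
        f"  IdentityFile {identity_file}\n"
    )


class FakeIam:
    """Constructed stand-in for the IAM client (offline demo only). Key IDs are
    placeholders, not real IAM identifiers."""

    def __init__(self, user_name, existing_key_ids):
        self.keys = {user_name: [{"SSHPublicKeyId": k, "Status": "Active"} for k in existing_key_ids]}
        self.counter = 0
        self.calls = []  # record of API calls, useful when asserting on behaviour

    def upload_ssh_public_key(self, UserName, SSHPublicKeyBody):
        self.counter += 1
        key_id = f"APKANEW{self.counter:04d}"
        self.keys.setdefault(UserName, []).append({"SSHPublicKeyId": key_id, "Status": "Active"})
        self.calls.append(("upload", UserName, key_id))
        return {"SSHPublicKey": {"UserName": UserName, "SSHPublicKeyId": key_id, "Status": "Active"}}

    def list_ssh_public_keys(self, UserName):
        return {"SSHPublicKeys": list(self.keys.get(UserName, []))}

    def update_ssh_public_key(self, UserName, SSHPublicKeyId, Status):
        for key in self.keys[UserName]:
            if key["SSHPublicKeyId"] == SSHPublicKeyId:
                key["Status"] = Status
        self.calls.append(("update", UserName, SSHPublicKeyId, Status))

    def delete_ssh_public_key(self, UserName, SSHPublicKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["SSHPublicKeyId"] != SSHPublicKeyId]
        self.calls.append(("delete", UserName, SSHPublicKeyId))


def demo_rotation(delete_old=False):
    """Rotate the constructed user's single old key; return the end state."""
    iam = FakeIam("alice", ["APKAOLD0001"])
    new_id, retired = rotate_ssh_public_key(iam, "alice", "ssh-rsa AAAA... constructed-key", delete_old)
    statuses = {k["SSHPublicKeyId"]: k["Status"] for k in iam.keys["alice"]}
    return new_id, retired, statuses


if __name__ == "__main__":
    new_id, retired, statuses = demo_rotation()
    print("new key:", new_id, "retired:", retired, "state:", statuses)
    print(codecommit_ssh_config(new_id, "~/.ssh/codecommit_rsa"))
```

In practice the SSH configuration (and any CI runners or developer machines that use the key) should be updated and tested between the upload and the retirement of the old key; deactivating rather than deleting first gives a cheap rollback if a dependent configuration was missed, and the old key can be deleted once access through the new one is confirmed.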
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Well-Architected → SEC02-BP02 Use temporary credentials | 1 | no data | | | |
| Cloudaware Framework → Credential Lifecycle Management | 23 | no data | | | |