Skip to main content

πŸ“ AWS IAM User Access Keys are not rotated every 90 days or less 🟒

  • Contextual name: πŸ“ User Access Keys are not rotated every 90 days or less 🟒
  • ID: /ce/ca/aws/iam/user-access-keys-are-not-rotated-every-90-days
  • Located in: πŸ“ AWS IAM

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-bcb0c78f1

Logic​

Description​

Open File

Description​

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.

Rationale​

Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.

Audit​

Perform the following to determine if access keys are rotated as prescribed:

From Console​
  1. Go to Management Console.
  2. Click on Users.
  3. For each user, go to Security Credentials.
  4. Review each key under Access Keys.
  5. For each key that shows Active for status, ensure that Created is less than or equal to 90 days ago.

... see more

Remediation​

Open File

Remediation​

Perform the following to rotate access keys:

From Console​

  1. Go to Management Console.
  2. Click on Users.
  3. Click on Security Credentials.
  4. As an Administrator:
    • Click on Make Inactive for keys that have not been rotated in 90 Days.
  5. As an IAM User:
    • Click on Make Inactive or Delete for keys which have not been rotated or used in 90 Days.
  6. Click on Create Access Key.
  7. Update programmatic call with new Access Key credentials.

From Command Line​

  1. While the first access key is still active, create a second access key, which is active by default. Run the following command:
aws iam create-access-key

At this point, the user has two active access keys.

  1. Update all applications and tools to use the new access key.
  2. Determine whether the first access key is still in use by using this command:
aws iam get-access-key-last-used
  1. One approach is to wait several days and then check the old access key for any use before proceeding.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed.67
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes.88
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36e hardware and software asset controls β€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1515
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.810
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό d. predefined activation and deactivation dates for cryptographic keys, limiting the period of time they remain valid for use. The period of time a cryptographic key remains valid would be commensurate with the risk;34
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [IAM.3] IAM users' access keys should be rotated every 90 days or less11
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 1.4 Ensure access keys are rotated every 90 days or less11
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less11
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less11
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less - Level 1 (Automated)11
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less - Level 1 (Automated)11
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less - Level 1 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.13 Ensure access keys are rotated every 90 days or less (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Credential Lifecycle Management17
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(3) Disable Accounts (M)(H)4
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61420
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)1911
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)120
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(3) Disable Accounts (M)(H)4
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)420
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11
πŸ’Ό GDPR β†’ πŸ’Ό Art. 25 Data protection by design and by default1010
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.4 Management of secret authentication information of users810
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.2 Key management911
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1519
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1421
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT544
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(1) Account Management _ Automated System Account Management416
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(3) Account Management _ Disable Accounts14
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control10
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 8.2.4 Change user passwords/passphrases at least once every 90 days.1
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed.1
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users.11
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse.1
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed.1
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users.11
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse.1