Skip to main content

πŸ›‘οΈ AWS IAM User Access Keys are not rotated every 90 days or less🟒

  • Contextual name: πŸ›‘οΈ User Access Keys are not rotated every 90 days or less🟒
  • ID: /ce/ca/aws/iam/user-access-keys-are-not-rotated-every-90-days
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-bcb0c78f1

Description​

Open File

Description​

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.

Rationale​

Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.

Audit​

Perform the following to determine if access keys are rotated as prescribed:

From Console​
  1. Go to Management Console.
  2. Click on Users.
  3. For each user, go to Security Credentials.
  4. Review each key under Access Keys.
  5. For each key that shows Active for status, ensure that Created is less than or equal to 90 days ago.

... see more

Remediation​

Open File

Remediation​

Perform the following to rotate access keys:

From Console​

  1. Go to Management Console.
  2. Click on Users.
  3. Click on Security Credentials.
  4. As an Administrator:
    • Click on Make Inactive for keys that have not been rotated in 90 Days.
  5. As an IAM User:
    • Click on Make Inactive or Delete for keys which have not been rotated or used in 90 Days.
  6. Click on Create Access Key.
  7. Update programmatic call with new Access Key credentials.

From Command Line​

  1. While the first access key is still active, create a second access key, which is active by default. Run the following command:
aws iam create-access-key

At this point, the user has two active access keys.

  1. Update all applications and tools to use the new access key.
  2. Determine whether the first access key is still in use by using this command:
aws iam get-access-key-last-used
  1. One approach is to wait several days and then check the old access key for any use before proceeding.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed.67no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 4 Regulated entities would typically put in place processes to ensure that identities and credentials are issued, managed, verified, revoked and audited for authorised devices, users and software/processes.88no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36e hardware and software asset controls β€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1616no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.810no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό d. predefined activation and deactivation dates for cryptographic keys, limiting the period of time they remain valid for use. The period of time a cryptographic key remains valid would be commensurate with the risk;34no data
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [IAM.3] IAM users' access keys should be rotated every 90 days or less11no data
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 1.4 Ensure access keys are rotated every 90 days or less11no data
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less11no data
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less11no data
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less (Automated)1no data
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.14 Ensure access keys are rotated every 90 days or less (Automated)1no data
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.13 Ensure access keys are rotated every 90 days or less (Automated)1no data
πŸ’Ό CIS AWS v6.0.0 β†’ πŸ’Ό 2.13 Ensure access keys are rotated every 90 days or less (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Credential Lifecycle Management18no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(3) Disable Accounts (M)(H)4no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61432no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)1911no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)132no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(1) Automated System Account Management (M)(H)16no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(3) Disable Accounts (M)(H)4no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)432no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11no data
πŸ’Ό GDPR β†’ πŸ’Ό Art. 25 Data protection by design and by default1010no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.4 Management of secret authentication information of users810no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.2 Key management911no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1930no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1923no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1528no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1631no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization38no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated32no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties91no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected118no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected98no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT544no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(1) Account Management _ Automated System Account Management416no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(3) Account Management _ Disable Accounts14no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control11no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 8.2.4 Change user passwords/passphrases at least once every 90 days.2no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed.2no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users.13no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse.1no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed.2no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users.113no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse.1no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-8 Manages Identification and Authentication1824no data