Skip to main content

πŸ›‘οΈ AWS IAM User has more than one active access key🟒

  • Contextual name: πŸ›‘οΈ User has more than one active access key🟒
  • ID: /ce/ca/aws/iam/user-has-more-than-one-active-access-key
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-307950161

Description​

Open File

Description​

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)

Rationale​

One of the best ways to protect your account is to not allow users to have multiple access keys.

Audit​

From Console​

  1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

  2. In the left navigation panel, choose Users.

  3. Click on the IAM user name that you want to examine.

  4. On the IAM user configuration page, select Security Credentials tab.

  5. Under Access Keyssection, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases.

  • Repeat steps no. 3 – 5 for each IAM user in your AWS account.
From Command Line​

... see more

Remediation​

Open File

Remediation​

From Console​

  1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
  2. In the left navigation panel, choose Users.
  3. Click on the IAM user name that you want to examine.
  4. On the IAM user configuration page, select Security Credentials tab.
  5. In Access Keys section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.
  6. In the same Access Keys section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the Make Inactive link.
  7. If you receive the Change Key Status confirmation box, click Deactivate to switch off the selected key.
  8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.

From Command Line​

  1. Using the IAM user and access key information provided in the Audit CLI, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed.67no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.810no data
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 1.13 Ensure there is only one active access key available for any single IAM user11no data
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.13 Ensure there is only one active access key available for any single IAM user11no data
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.13 Ensure there is only one active access key available for any single IAM user - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.13 Ensure there is only one active access key available for any single IAM user - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.13 Ensure there is only one active access key available for any single IAM user - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.13 Ensure there is only one active access key for any single IAM user (Automated)1no data
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.13 Ensure there is only one active access key for any single IAM user (Automated)1no data
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.12 Ensure there is only one active access key for any single IAM user (Automated)1no data
πŸ’Ό CIS AWS v6.0.0 β†’ πŸ’Ό 2.12 Ensure there is only one active access key for any single IAM user (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Credential Lifecycle Management18no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61432no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)1911no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)132no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)432no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-12 Cryptographic Key Establishment and Management (L)(M)(H)11no data
πŸ’Ό GDPR β†’ πŸ’Ό Art. 25 Data protection by design and by default1010no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.4 Management of secret authentication information of users810no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.2 Key management912no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1934no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1923no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1530no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1653no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization42no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated53no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties116no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected125no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT545no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-8 Manages Identification and Authentication1824no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-3 Requires Additional Authentication or Credentials46no data