Skip to main content

๐Ÿ›ก๏ธ AWS IAM User has more than one active access key๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ User has more than one active access key๐ŸŸข
  • ID: /ce/ca/aws/iam/user-has-more-than-one-active-access-key
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-307950161

Descriptionโ€‹

Open File

Descriptionโ€‹

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Rationaleโ€‹

One of the best ways to protect your account is to not allow users to have multiple access keys.

Auditโ€‹

From Consoleโ€‹

  1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

  2. In the left navigation panel, choose Users.

  3. Click on the IAM user name that you want to examine.

  4. On the IAM user configuration page, select Security Credentials tab.

  5. Under the Access Keys section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated, the user's access configuration does not adhere to security best practices and the risk of accidental exposure increases.

  • Repeat steps no. 3-5 for each IAM user in your AWS account.
From Command Lineโ€‹

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Consoleโ€‹

  1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
  2. In the left navigation panel, choose Users.
  3. Click on the IAM user name that you want to examine.
  4. On the IAM user configuration page, select the Security Credentials tab.
  5. In the Access Keys section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.
  6. In the same Access Keys section, identify your non-operational access keys (other than the chosen one) and deactivate them by clicking Make Inactive.
  7. If you receive the Change Key Status confirmation box, click Deactivate to switch off the selected key.
  8. Repeat steps no. 3-7 for each IAM user in your AWS account.

From Command Lineโ€‹

  1. Using the IAM user and access key information provided in the Audit CLI, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.

... see more

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed.67no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.810no data
๐Ÿ’ผ CIS AWS v1.3.0 โ†’ ๐Ÿ’ผ 1.13 Ensure there is only one active access key available for any single IAM user11no data
๐Ÿ’ผ CIS AWS v1.4.0 โ†’ ๐Ÿ’ผ 1.13 Ensure there is only one active access key available for any single IAM user11no data
๐Ÿ’ผ CIS AWS v1.5.0 โ†’ ๐Ÿ’ผ 1.13 Ensure there is only one active access key available for any single IAM user - Level 1 (Automated)11no data
๐Ÿ’ผ CIS AWS v2.0.0 โ†’ ๐Ÿ’ผ 1.13 Ensure there is only one active access key available for any single IAM user - Level 1 (Automated)11no data
๐Ÿ’ผ CIS AWS v3.0.0 โ†’ ๐Ÿ’ผ 1.13 Ensure there is only one active access key available for any single IAM user - Level 1 (Automated)11no data
๐Ÿ’ผ CIS AWS v4.0.0 โ†’ ๐Ÿ’ผ 1.13 Ensure there is only one active access key for any single IAM user (Automated)1no data
๐Ÿ’ผ CIS AWS v4.0.1 โ†’ ๐Ÿ’ผ 1.13 Ensure there is only one active access key for any single IAM user (Automated)1no data
๐Ÿ’ผ CIS AWS v5.0.0 โ†’ ๐Ÿ’ผ 1.12 Ensure there is only one active access key for any single IAM user (Automated)1no data
๐Ÿ’ผ CIS AWS v6.0.0 โ†’ ๐Ÿ’ผ 2.12 Ensure there is only one active access key for any single IAM user (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Credential Lifecycle Management29no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ IA-5 Authenticator Management (L)(M)(H)61437no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-12 Cryptographic Key Establishment and Management (L)(M)(H)1912no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ IA-5 Authenticator Management (L)(M)(H)137no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SC-12 Cryptographic Key Establishment and Management (L)(M)(H)12no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ IA-5 Authenticator Management (L)(M)(H)437no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-12 Cryptographic Key Establishment and Management (L)(M)(H)12no data
๐Ÿ’ผ GDPR โ†’ ๐Ÿ’ผ Art. 25 Data protection by design and by default1010no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.9.2.4 Management of secret authentication information of users810no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.10.1.2 Key management912no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1934no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1923no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-1: Data-at-rest is protected1530no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-2: Data-in-transit is protected1653no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization47no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-03: Users, services, and hardware are authenticated53no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties138no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected188no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected160no data
๐Ÿ’ผ NIST SP 800-53 Revision 4 โ†’ ๐Ÿ’ผ SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT545no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.1-8 Manages Identification and Authentication1824no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.6-3 Requires Additional Authentication or Credentials46no data