🛡️ AWS IAM User has more than one active SSH public key🟢

• Contextual name: 🛡️ User has more than one active SSH public key🟢
• ID: /ce/ca/aws/iam/user-has-more-than-one-active-ssh-public-key
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS IAM User
  • 🔌 AWS IAM SSH Public Key - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Unnecessary SSH Public Keys

Description

Open File

Description

Identify and deactivate unnecessary IAM SSH public keys used to authenticate access to AWS CodeCommit repositories. AWS allows up to two active SSH public keys per IAM user; however, maintaining two keys should be limited to the key rotation process only. As a security best practice, deactivate the old SSH public key once a new key is created so that only one active key remains for the IAM user.

Rationale

Similar to IAM access keys, maintaining multiple active SSH public keys for a single IAM user increases security risk if any of the credentials are lost, stolen, or mismanaged. Restricting users to a single active key simplifies auditing and helps ensure that outdated or redundant credentials are not left enabled.

Audit

This policy flags an AWS IAM User as INCOMPLIANT if more than one related AWS IAM SSH Public Key is in the Active state.

An AWS IAM User is marked as INAPPLICABLE if it has no associated Active AWS IAM SSH Public Key.

Remediation

Open File

Remediation

Deactivate Redundant IAM SSH Public Key

Deactivate any unnecessary or redundant IAM SSH public keys used to authenticate access to AWS CodeCommit repositories.

From Command Line

Run the update-ssh-public-key command to deactivate a non-operational or redundant SSH public key associated with the specified IAM user:

aws iam update-ssh-public-key \
    --region {{region}} \
    --user-name {{user-name}} \
    --ssh-public-key-id {{ssh-key-id}} \
    --status Inactive

After deactivation, confirm that the remaining active SSH public key is functioning correctly and that access to AWS CodeCommit repositories is not disrupted.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Well-Architected → 💼 SEC03-BP06 Manage access based on lifecycle			2		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			24		no data