AWS IAM User has more than one active SSH public key
- Contextual name: User has more than one active SSH public key
- ID: /ce/ca/aws/iam/user-has-more-than-one-active-ssh-public-key
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Cloud Conformity: Unnecessary SSH Public Keys
Description
Identify and deactivate unnecessary IAM SSH public keys used to authenticate access to AWS CodeCommit repositories. AWS allows up to two active SSH public keys per IAM user; however, maintaining two keys should be limited to the key rotation process only. As a security best practice, deactivate the old SSH public key once a new key is created so that only one active key remains for the IAM user.
Rationale
Similar to IAM access keys, maintaining multiple active SSH public keys for a single IAM user increases security risk if any of the credentials are lost, stolen, or mismanaged. Restricting users to a single active key simplifies auditing and helps ensure that outdated or redundant credentials are not left enabled.
Audit
This policy flags an AWS IAM User as INCOMPLIANT if more than one related AWS IAM SSH Public Key is in the Active state. An AWS IAM User is marked as INAPPLICABLE if it has no associated Active AWS IAM SSH Public Key.
Remediation
Deactivate Redundant IAM SSH Public Key
Deactivate any unnecessary or redundant IAM SSH public keys used to authenticate access to AWS CodeCommit repositories.
From Command Line
Run the update-ssh-public-key command to deactivate a non-operational or redundant SSH public key associated with the specified IAM user:

```shell
aws iam update-ssh-public-key \
  --region {{region}} \
  --user-name {{user-name}} \
  --ssh-public-key-id {{ssh-key-id}} \
  --status Inactive
```

After deactivation, confirm that the remaining active SSH public key is functioning correctly and that access to AWS CodeCommit repositories is not disrupted.
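The following Python is an added example, not part of this policy page or its prod.logic.yaml. It applies the Audit rule above to the response shape of `aws iam list-ssh-public-keys --user-name <name>` (SSHPublicKeys entries with UserName, SSHPublicKeyId, Status, UploadDate), then plans the remediation from this section: keep the most recently uploaded Active key (the one a rotation just introduced) and render one update-ssh-public-key call for every other Active key, and re-evaluates a simulated copy to confirm the user would become compliant. The sample user, key IDs and the "exactly one Active key is COMPLIANT" branch are assumptions for illustration; the page itself only defines the INCOMPLIANT and INAPPLICABLE outcomes.

```python
"""Audit + remediation planner for 'more than one active SSH public key'.

Input mirrors `aws iam list-ssh-public-keys --user-name <name>`.
Sample data is constructed for this example; the key IDs are placeholders,
not real IAM identifiers.
"""
from copy import deepcopy
from datetime import datetime

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"
INAPPLICABLE = "INAPPLICABLE"

# Constructed sample: one user with two Active keys (old + rotated-in)
# and one key that was already deactivated.
SAMPLE_USER = {
    "SSHPublicKeys": [
        {"UserName": "codecommit-dev", "SSHPublicKeyId": "APKAEXAMPLEOLDKEY001",
         "Status": "Active", "UploadDate": "2023-01-15T10:00:00+00:00"},
        {"UserName": "codecommit-dev", "SSHPublicKeyId": "APKAEXAMPLENEWKEY002",
         "Status": "Active", "UploadDate": "2024-06-01T09:30:00+00:00"},
        {"UserName": "codecommit-dev", "SSHPublicKeyId": "APKAEXAMPLERETIRED03",
         "Status": "Inactive", "UploadDate": "2022-03-02T08:00:00+00:00"},
    ]
}


def active_keys(response):
    """Only keys in the Active state count toward the policy."""
    return [k for k in response.get("SSHPublicKeys", []) if k["Status"] == "Active"]


def evaluate_user(response):
    """Audit logic from the page: INCOMPLIANT when more than one key is
    Active, INAPPLICABLE when none is. Exactly one Active key is treated
    as COMPLIANT (the implied remaining case, an assumption here)."""
    n = len(active_keys(response))
    if n == 0:
        return INAPPLICABLE
    return INCOMPLIANT if n > 1 else COMPLIANT


def keys_to_deactivate(response):
    """Keep the most recently uploaded Active key; every other Active key
    is redundant. Returned oldest first. Assumes the newest key is the
    intended survivor of a rotation."""
    by_age = sorted(active_keys(response),
                    key=lambda k: datetime.fromisoformat(k["UploadDate"]))
    return [k["SSHPublicKeyId"] for k in by_age[:-1]]


def remediation_commands(response, region):
    """Render the update-ssh-public-key call from the Remediation section
    once per redundant key."""
    by_id = {k["SSHPublicKeyId"]: k for k in response.get("SSHPublicKeys", [])}
    return [
        "aws iam update-ssh-public-key --region {r} --user-name {u} "
        "--ssh-public-key-id {k} --status Inactive".format(
            r=region, u=by_id[key_id]["UserName"], k=key_id)
        for key_id in keys_to_deactivate(response)
    ]


def apply_deactivation(response, key_ids):
    """Simulate the remediation on a copy so the outcome can be checked
    before any call is made against the account."""
    after = deepcopy(response)
    wanted = set(key_ids)
    for k in after["SSHPublicKeys"]:
        if k["SSHPublicKeyId"] in wanted:
            k["Status"] = "Inactive"
    return after


if __name__ == "__main__":
    print("before:", evaluate_user(SAMPLE_USER))
    for cmd in remediation_commands(SAMPLE_USER, "us-east-1"):
        print(cmd)
    fixed = apply_deactivation(SAMPLE_USER, keys_to_deactivate(SAMPLE_USER))
    print("after: ", evaluate_user(fixed))
```

Feed it the parsed JSON of the real list call per user (the response is small, since AWS caps SSH public keys per user) and review the rendered commands before running them; the newest-key heuristic is a planning aid, and a key that is newer but unused should be confirmed with the key owner rather than assumed to be the survivor.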
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Well-Architected → SEC03-BP06 Manage access based on lifecycle | 2 | no data | | | |
| Cloudaware Framework → Credential Lifecycle Management | 23 | no data | | | |