
πŸ“ AWS IAM User with console and programmatic access set during the initial creation 🟒

  • Contextual name: πŸ“ User with console and programmatic access set during the initial creation 🟒
  • ID: /ce/ca/aws/iam/user-with-console-and-programmatic-access-set-during-creation
  • Located in: πŸ“ AWS IAM

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

  • Rule: dec-x-b10e98af1

Description

The AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user's credentials you have to determine what type of access the user requires.

Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (an access key ID and a secret access key) for that user.

AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.

Rationale

Requiring the user to take additional steps to obtain programmatic access after their profile has been created gives a stronger indication of intent: [a] that access keys are actually necessary for their work, and [b] that once an access key exists on an account, the key may be in use somewhere in the organization.

Note: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.


Remediation

Perform the following to delete access keys that do not pass the audit:

From Console

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Click IAM.
  4. Click on Users.
  5. Click on Security Credentials.
  6. As an Administrator:
    • Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.
  7. As an IAM User:
    • Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.

From Command Line

aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>
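The audit behind this remediation can be run over the IAM credential report: a user with a console password whose active access key was created together with the user profile and has never been used is the case the steps above tell you to delete. The following is an added example, not part of this policy page or the benchmark text; it parses a constructed credential report (the column layout of `aws iam get-credential-report`, sample values only) and treats a key as "created with the user" when its last-rotated time is within one minute of the user creation time, which is an assumption, not a benchmark-defined threshold.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample credential report, same columns as the decoded output of
# `aws iam get-credential-report`. Values are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
alice,arn:aws:iam::111122223333:user/alice,2024-03-01T10:00:00+00:00,true,2024-03-02T08:15:00+00:00,2024-03-01T10:00:00+00:00,N/A,true,true,2024-03-01T10:00:05+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2024-03-01T10:00:00+00:00,true,2024-03-05T11:00:00+00:00,2024-03-01T10:00:00+00:00,N/A,true,true,2024-04-10T09:30:00+00:00,2024-04-11T07:45:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-03-01T10:00:00+00:00,true,N/A,2024-03-01T10:00:00+00:00,N/A,false,true,2024-03-01T10:00:03+00:00,2024-03-20T12:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::111122223333:user/dave,2024-03-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-03-01T10:00:02+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Assumption: a key rotated within this window of user creation was set up
# during the initial user creation rather than as a separate step.
TOLERANCE = timedelta(minutes=1)


def _ts(value):
    """Parse a credential-report timestamp; N/A and no_information become None."""
    return None if value in ("N/A", "no_information", "") else datetime.fromisoformat(value)


def keys_created_with_user(report_csv, tolerance=TOLERANCE):
    """Return (user, key_slot) pairs that fail the check: console password
    enabled, active key created with the profile, key never used."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Only users with a console password are in scope for this control.
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        created = _ts(row["user_creation_time"])
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"{slot}_last_rotated"])
            never_used = row[f"{slot}_last_used_date"] == "N/A"
            if created and rotated and abs(rotated - created) <= tolerance and never_used:
                findings.append((row["user"], slot))
    return findings


def delete_commands(findings):
    """Build the page's CLI remediation per finding. The key ID is not in the
    credential report; obtain it with `aws iam list-access-keys --user-name <user>`."""
    return [f"aws iam delete-access-key --user-name {user} --access-key-id <access-key-id-listed>"
            for user, _slot in findings]
```

With the sample report only alice is reported: bob's key was created weeks after the profile, carol's key was created with the profile but has been used, and dave has no console password so the control does not apply.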


Linked Framework Sections

  • CIS AWS v1.2.0 → 1.21 Do not setup access keys during initial user setup for all IAM users that have a console password
  • CIS AWS v1.3.0 → 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password
  • CIS AWS v1.4.0 → 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password
  • CIS AWS v1.5.0 → 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password - Level 1 (Automated)
  • CIS AWS v2.0.0 → 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password - Level 1 (Manual)
  • CIS AWS v3.0.0 → 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password - Level 1 (Manual)
  • CIS AWS v4.0.0 → 1.11 Do not create access keys during initial setup for IAM users with a console password (Manual)
  • CIS AWS v4.0.1 → 1.11 Do not create access keys during initial setup for IAM users with a console password (Manual)
  • CIS AWS v5.0.0 → 1.10 Do not create access keys during initial setup for IAM users with a console password (Manual)
  • Cloudaware Framework → Credential Lifecycle Management
  • FedRAMP High Security Controls → AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)
  • FedRAMP High Security Controls → AC-6(5) Privileged Accounts (M)(H)
  • FedRAMP High Security Controls → IA-5 Authenticator Management (L)(M)(H)
  • FedRAMP High Security Controls → IA-5(2) Public Key-based Authentication (M)(H)
  • FedRAMP High Security Controls → IA-5(13) Expiration of Cached Authenticators (H)
  • FedRAMP High Security Controls → SC-12 Cryptographic Key Establishment and Management (L)(M)(H)
  • FedRAMP Low Security Controls → IA-5 Authenticator Management (L)(M)(H)
  • FedRAMP Low Security Controls → SC-12 Cryptographic Key Establishment and Management (L)(M)(H)
  • FedRAMP Moderate Security Controls → AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)
  • FedRAMP Moderate Security Controls → AC-6(5) Privileged Accounts (M)(H)
  • FedRAMP Moderate Security Controls → IA-5 Authenticator Management (L)(M)(H)
  • FedRAMP Moderate Security Controls → IA-5(2) Public Key-based Authentication (M)(H)
  • FedRAMP Moderate Security Controls → SC-12 Cryptographic Key Establishment and Management (L)(M)(H)
  • ISO/IEC 27001:2013 → A.9.2.4 Management of secret authentication information of users
  • ISO/IEC 27001:2013 → A.10.1.2 Key management
  • ISO/IEC 27001:2022 → 5.10 Acceptable use of information and other associated assets
  • ISO/IEC 27001:2022 → 5.15 Access control
  • ISO/IEC 27001:2022 → 8.2 Privileged access rights
  • ISO/IEC 27001:2022 → 8.3 Information access restriction
  • ISO/IEC 27001:2022 → 8.4 Access to source code
  • NIST CSF v1.1 → PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • NIST CSF v1.1 → PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
  • NIST CSF v1.1 → PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)
  • NIST CSF v1.1 → PR.DS-1: Data-at-rest is protected
  • NIST CSF v1.1 → PR.DS-2: Data-in-transit is protected
  • NIST CSF v2.0 → PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
  • NIST CSF v2.0 → PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
  • NIST CSF v2.0 → PR.AA-03: Users, services, and hardware are authenticated
  • NIST CSF v2.0 → PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
  • NIST CSF v2.0 → PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
  • NIST CSF v2.0 → PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
  • NIST SP 800-53 Revision 4 → IA-5 (13) EXPIRATION OF CACHED AUTHENTICATORS
  • NIST SP 800-53 Revision 4 → IA-5 AUTHENTICATOR MANAGEMENT
  • NIST SP 800-53 Revision 4 → SC-12 (2) SYMMETRIC KEYS
  • NIST SP 800-53 Revision 4 → SC-12 (3) ASYMMETRIC KEYS
  • NIST SP 800-53 Revision 4 → SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
  • NIST SP 800-53 Revision 5 → AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions
  • NIST SP 800-53 Revision 5 → AC-6(5) Least Privilege | Privileged Accounts
  • NIST SP 800-53 Revision 5 → SC-12(2) Cryptographic Key Establishment and Management | Symmetric Keys