🛡️ AWS IAM User with console and programmatic access set during the initial creation🟢⚪

• Contextual name: 🛡️ User with console and programmatic access set during the initial creation🟢⚪
• ID: /ce/ca/aws/iam/user-with-console-and-programmatic-access-set-during-creation
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Similar Policies

• Cloud Conformity: Access Keys During Initial IAM User Setup
• Internal: dec-x-b10e98af

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b10e98af	1

Description

Open File

Description

The AWS console defaults to no checkboxes selected when creating a new IAM user. When creating IAM user credentials, you have to determine what type of access they require.

Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.

AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.

Rationale

Requiring the additional steps to be taken by the user for programmatic access after their profile has been created provides a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account, the keys may be in use somewhere in the organization.

Note: Even if it is known the user will need access keys, require them to create the keys themselves or submit a support ticket to have them created as a separate step from user creation.

... see more

Remediation

Open File

Remediation

Perform the following to delete access keys that do not pass the audit:

From Console

1. Log in to the AWS Management Console.
2. Click Services.
3. Click IAM.
4. Click on Users.
5. Click on Security Credentials.
6. As an Administrator:
   • Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.
7. As an IAM User:
   • Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.

From Command Line

aws iam delete-access-key --access-key-id {{access-key-id-listed}} --user-name {{user-name}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS AWS v1.2.0 → 💼 1.21 Do not setup access keys during initial user setup for all IAM users that have a console password		1	1		no data
💼 CIS AWS v1.3.0 → 💼 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password		1	1		no data
💼 CIS AWS v1.4.0 → 💼 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password		1	1		no data
💼 CIS AWS v1.5.0 → 💼 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password - Level 1 (Automated)		1	1		no data
💼 CIS AWS v2.0.0 → 💼 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password - Level 1 (Manual)		1	1		no data
💼 CIS AWS v3.0.0 → 💼 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password - Level 1 (Manual)		1	1		no data
💼 CIS AWS v4.0.0 → 💼 1.11 Do not create access keys during initial setup for IAM users with a console password (Manual)			1		no data
💼 CIS AWS v4.0.1 → 💼 1.11 Do not create access keys during initial setup for IAM users with a console password (Manual)			1		no data
💼 CIS AWS v5.0.0 → 💼 1.10 Do not create access keys during initial setup for IAM users with a console password (Manual)			1		no data
💼 CIS AWS v6.0.0 → 💼 2.10 Do not create access keys during initial setup for IAM users with a console password (Manual)			1		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			32		no data
💼 FedRAMP High Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)		1	6		no data
💼 FedRAMP High Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)		3	5		no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	6	14	37		no data
💼 FedRAMP High Security Controls → 💼 IA-5(2) Public Key-based Authentication (M)(H)		1	1		no data
💼 FedRAMP High Security Controls → 💼 IA-5(13) Expiration of Cached Authenticators (H)		1	1		no data
💼 FedRAMP High Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H)	1	9	12		no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	1		37		no data
💼 FedRAMP Low Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H)			12		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H)			6		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)			5		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	4		37		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(2) Public Key-based Authentication (M)(H)			1		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H)			12		no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.4 Management of secret authentication information of users		8	10		no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.2 Key management		9	12		no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		12	28		no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		15	32		no data
💼 ISO/IEC 27001:2022 → 💼 8.2 Privileged access rights		7	10		no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction		11	25		no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code		9	23		no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34		no data
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions		4	13		no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)		20	24		no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected		15	30		no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			47		no data
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions			13		no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			54		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			144		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			196		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			167		no data
💼 NIST SP 800-53 Revision 4 → 💼 IA-5 (13) EXPIRATION OF CACHED AUTHENTICATORS		1	1		no data
💼 NIST SP 800-53 Revision 4 → 💼 IA-5 AUTHENTICATOR MANAGEMENT	15	2	2		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-12 (2) SYMMETRIC KEYS		1	1		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-12 (3) ASYMMETRIC KEYS		1	1		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT	5	4	5		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions		4	6		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(5) Least Privilege _ Privileged Accounts		3	3		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys		1	4		no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication		18	25		no data