Control: 1.4 Ensure access keys are rotated every 90 days or less
Description
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.
Remediation
Perform the following to rotate access keys:
- Login to the AWS Management Console:
- Click
Services. - Click
IAM. - Click on
Users. - Click on
Security Credentials. - As an Administrator
- Click on
Make Inactivefor keys that have not been rotated in90Days.
- As an IAM User
- Click on
Make InactiveorDeletefor keys which have not been rotated or used in90Days.
- Click on
Create Access Key. - Update programmatic call with new Access Key credentials.
Via CLI
aws iam update-access-keyaws iam create-access-keyaws iam delete-access-key
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v120_1_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v120_1_4 --shareSQL
This control uses a named query:
iam_user_access_key_age_90