v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 1.13 Ensure there is only one active access key available for any single IAM user

Description

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

One of the best ways to protect your account is to not allow users to have multiple access keys as this is being used for programmatic requests.

Remediation

From Console:

Perform the following action to deactivate access keys:

  1. Sign into the AWS console as an Administrator and navigate to the IAM Dashboard.
  2. In the left navigation pane, choose Users.
  3. Click on the User name for which more than one active access key exists.
  4. Click on Security credentials tab.
  5. Click on the Make inactive to deactivate the non-operational key.

Note: Test your application to make sure that the active access key is working.

From Command Line:

Run the update-access-key command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key.

aws iam update-access-key --access-key-id <access-key-id> --status Inactive - -user-name <user-name>

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v140_1_13

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v140_1_13 --share

SQL

This control uses a named query:

iam_user_one_active_key

Tags

category = Compliance
cis = true
cis_item_id = 1.13
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v1.4.0
plugin = aws
service = AWS/IAM