Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-alicloud-compliance
Overview
1Dashboards
78Benchmarks
40Queries
2Variables
GitHub

Control: 1.6 Ensure access keys are rotated every 90 days or less

Description

An access key consists of an access key ID and a secret, which are used to sign programmatic requests that you make to Alibaba Cloud. RAM users need their own access keys to make programmatic calls to Alibaba Cloud from the Alibaba Cloud SDKs, CLIs, or direct HTTP/HTTPS calls using the APIs for individual Alibaba Cloud services. It is recommended that all access keys be regularly rotated.

Remediation

Perform the following to determine if access keys are rotated within 90 days:

From Console

  1. Logon to RAM console.
  2. In the left-side navigation pane, click Users under Identities.
  3. In the User Logon Name/Display Name column, click the username of the target RAM user.
  4. In the User AccessKeys section, click Create AccessKey.
  5. Click OK to create a new AccessKy pair for rotation.
  6. Update all applications and systems to use the new AccessKey pair.
  7. Disable the original AccessKey pair by following below steps:
    • Log on to RAM console.
    • In the left-side navigation pane, click Users under Identities.
    • On the Users page, click username of the target RAM user in the User Logon Name/Display Name column.
    • In the User AccessKeys section, find the target AccessKey pair and click Disable.
  8. Confirm that your applications and systems are working.
  9. Delete the original AccessKey pair by following below steps:
    • Log on to RAM console.
    • In the left-side navigation pane, click Users under Identities.
    • In the User Logon Name/Display Name column, click the username of the target RAM user.
    • In the User AccessKeys section, find the target access keys and Click Delete.
    • In the dialog box that appears, select I am aware of the risk and confirm the deletion.
  10. Click OK.

From Command Line

  • Run the following command to delete an access key:
aliyun ram DeleteAccessKey --UserAccessKeyId <access_key_ID> --UserName <ram_user >
  • Run the following command to disable an active access key:
aliyun ram UpdateAccessKey --UserAccessKeyId <access_key_ID> --Status Inactive --UserName <ram_user>
  • Run the following command to delete an access key:
aliyun ram DeleteAccessKey --UserAccessKeyId <access_key_ID> --UserName <ram_user >

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_1_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_1_6 --share

SQL

This control uses a named query:

select
  'acs:ram::' || account_id || ':user/' || user_name ||  '/accesskey/' ||  access_key_id as resource,
  case
    when create_date <= (current_date - interval '90' day) then 'alarm'
    else 'ok'
  end as status,
  user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||
    ' (' || extract(day from current_timestamp - create_date) || ' days).'
  as reason
  , account_id as account_id
from
  alicloud_ram_access_key;

Tags

category = Compliance
cis = true
cis_item_id = 1.6
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/RAM