Control: 1.4 Ensure access keys are rotated every 90 days or less
Description
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.
Remediation
Perform the following to rotate access keys:
- Login to the AWS Management Console.
- Click Services.
- Click IAM.
- Click on Users.
- Click on Security Credentials.
- As an Administrator: click on Make Inactive for keys that have not been rotated in 90 days.
- As an IAM User: click on Make Inactive or Delete for keys which have not been rotated or used in 90 days.
- Click on Create Access Key.
- Update programmatic calls with the new Access Key credentials.
Via CLI
aws iam update-access-key
aws iam create-access-key
aws iam delete-access-key
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v120_1_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v120_1_4 --share
SQL
This control uses a named query:
select
  'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,
  case
    when status <> 'Active' then 'skip'
    when create_date <= (current_date - interval '90' day) then 'alarm'
    else 'ok'
  end status,
  case
    when status <> 'Active' then user_name || ' ' || access_key_id || ' status is ' || status || '.'
    else user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||
    ' (' || extract(day from current_timestamp - create_date) || ' days).'
  end reason
  , account_id
from
  aws_iam_access_key;
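The following added example (not part of the Powerpipe control or the CIS benchmark text) re-implements the named query's skip/alarm/ok decision in Python over constructed access-key records, and for each key that would alarm emits the AWS CLI rotation commands listed under Remediation in the order they should run. The sample key IDs, user names and the fixed clock are constructed; the `--user-name`, `--access-key-id` and `--status` flags are real `aws iam` options.

```python
# Added example, not the control's own code: mirrors the SQL classification
# and turns alarms into the documented rotation sequence.
from datetime import datetime, timedelta, timezone

ROTATION_MAX_AGE = timedelta(days=90)                  # threshold from CIS 1.4
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed rows with the aws_iam_access_key columns the control reads.
SAMPLE_KEYS = [
    {"user_name": "alice", "access_key_id": "AKIAEXAMPLEALICE0001",
     "status": "Active", "create_date": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"user_name": "bob", "access_key_id": "AKIAEXAMPLEBOB000002",
     "status": "Active", "create_date": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"user_name": "carol", "access_key_id": "AKIAEXAMPLECAROL0003",
     "status": "Inactive", "create_date": datetime(2023, 6, 1, tzinfo=timezone.utc)},
]

def classify(key, now):
    """Same decision order as the SQL: non-active keys are skipped, keys created
    90 or more days ago alarm (create_date <= now - 90 days), everything else is ok."""
    user, key_id = key["user_name"], key["access_key_id"]
    if key["status"] != "Active":
        return "skip", f"{user} {key_id} status is {key['status']}."
    age = now - key["create_date"]
    status = "alarm" if age >= ROTATION_MAX_AGE else "ok"
    created = f"{key['create_date']:%d-%b-%Y}"         # matches to_char DD-Mon-YYYY
    return status, f"{user} {key_id} created {created} ({age.days} days)."

def run_control(keys, now=None):
    """Return {access_key_id: (status, reason)} for every key, as the control would."""
    now = now or datetime.now(timezone.utc)
    return {k["access_key_id"]: classify(k, now) for k in keys}

def rotation_commands(key):
    """Remediation order for one key: create the replacement, update callers,
    deactivate the old key, then delete it once nothing still uses it."""
    user, old = key["user_name"], key["access_key_id"]
    return [
        f"aws iam create-access-key --user-name {user}",
        "# update programmatic callers with the new key, then:",
        f"aws iam update-access-key --user-name {user} --access-key-id {old} --status Inactive",
        f"aws iam delete-access-key --user-name {user} --access-key-id {old}",
    ]

def rotation_plan(keys, now=None):
    """Rotation commands for every key the control alarms on."""
    now = now or datetime.now(timezone.utc)
    return [c for k in keys if classify(k, now)[0] == "alarm" for c in rotation_commands(k)]

if __name__ == "__main__":
    for status, reason in run_control(SAMPLE_KEYS, SAMPLE_NOW).values():
        print(f"{status:5} {reason}")
    print("\n".join(rotation_plan(SAMPLE_KEYS, SAMPLE_NOW)))
```

Replace SAMPLE_KEYS with rows from the `aws_iam_access_key` table (or `aws iam list-access-keys` output) to run it against a real account; the emitted commands are printed, not executed.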