turbot/steampipe-mod-aws-compliance

Control: 2.10 Do not create access keys during initial setup for IAM users with a console password

Description

The AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user's credentials you have to determine what type of access they require:

Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.

AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.

Remediation

Perform the following to delete access keys that do not pass the audit:

From Console:

  1. Login to the AWS Management Console.
  2. Click Services.
  3. Click IAM.
  4. Click on Users.
  5. Click on Security Credentials.
  6. As an Administrator
  • Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.
  7. As an IAM User
  • Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.

From Command Line:

for user in $(aws iam list-users --query 'Users[*].UserName' --output text);
do
  # Get user creation date
  user_create_date=$(aws iam get-user --user-name "$user" \
    --query 'User.CreateDate' --output text)
  # Get access keys
  access_keys=$(aws iam list-access-keys --user-name "$user" \
    --query 'AccessKeyMetadata' --output json)
  # Only print if access keys exist; each key is listed beside the user
  # creation date so keys created at the same time as the user stand out
  if [ "$access_keys" != "[]" ]; then
    aws iam list-access-keys --user-name "$user" \
      --query "AccessKeyMetadata[*].{UserName:'$user', UserCreateDate:'$user_create_date', AccessKeyId:AccessKeyId, AccessKeyCreateDate:CreateDate}" \
      --output table
  fi
done

Default Value:

By default, when creating a new IAM user, AWS does not enable programmatic access or create access keys unless explicitly selected during user setup.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_2_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_10 --share

SQL

This control uses a named query:

select
  user_arn as resource,
  case
    -- alarm when password is enabled and the key was created within 10 seconds of the user
    when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm'
    else 'ok'
  end as status,
  case
    when not password_enabled then user_name || ' password login disabled.'
    when access_key_1_last_rotated is null then user_name || ' has no access keys.'
    when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10)
      then user_name || ' has access key created during user creation and password login enabled.'
    else user_name || ' has access key not created during user creation.'
  end as reason,
  account_id
from
  aws_iam_credential_report;
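The same test applied outside Steampipe, as an added example that is not part of this mod: a Python function that evaluates rows of a downloaded IAM credential report CSV with the control's 10-second window. The column names are those of the real credential report; the rows themselves are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an IAM credential report (real column names, fake data).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-03-01T09:00:00+00:00,true,true,2024-03-01T09:00:03+00:00
bob,arn:aws:iam::123456789012:user/bob,2024-03-01T09:00:00+00:00,true,true,2024-04-10T12:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2024-03-01T09:00:00+00:00,false,true,2024-03-01T09:00:01+00:00
dave,arn:aws:iam::123456789012:user/dave,2024-03-01T09:00:00+00:00,true,false,N/A
"""

WINDOW_SECONDS = 10  # the threshold the control's SQL uses


def _parse_ts(value):
    """Report timestamps are ISO 8601; these markers mean no value."""
    if value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def evaluate_row(row):
    """Return (status, reason) for one row, mirroring the control's CASE logic.
    Like the SQL, only the access_key_1 slot is examined."""
    user = row["user"]
    password_enabled = row["password_enabled"] == "true"  # root reports not_supported
    created = _parse_ts(row["user_creation_time"])
    key_time = _parse_ts(row["access_key_1_last_rotated"])
    if not password_enabled:
        return "ok", f"{user} password login disabled."
    if key_time is None:
        return "ok", f"{user} has no access keys."
    if (key_time - created).total_seconds() < WINDOW_SECONDS:
        return "alarm", f"{user} has access key created during user creation and password login enabled."
    return "ok", f"{user} has access key not created during user creation."


def evaluate_report(csv_text):
    """Map each user in the report to its (status, reason)."""
    return {row["user"]: evaluate_row(row) for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for user, (status, reason) in evaluate_report(SAMPLE_REPORT).items():
        print(f"{status:5} {reason}")
```

Note that last_rotated reflects the newest key in slot 1, so a key created at setup and later rotated no longer trips the window; the control is a point-in-time check, not a history.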

Tags