turbot/steampipe-mod-aws-compliance

Control: IAM user access keys should be rotated at least every 90 days

Description

The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_user_access_key_age_90

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_user_access_key_age_90 --share

SQL

This control uses a named query:

select
'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,
case
when status <> 'Active' then 'skip'
when create_date <= (current_date - interval '90' day) then 'alarm'
else 'ok'
end status,
case
when status <> 'Active' then user_name || ' ' || access_key_id || ' status is ' || status || '.'
else user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||
' (' || extract(day from current_timestamp - create_date) || ' days).'
end reason
, account_id
from
aws_iam_access_key;

Tags