Control: 2.10 Do not create access keys during initial setup for IAM users with a console password
Description
The AWS console selects no check boxes by default when creating a new IAM user, so a console password and an access key are only created if you choose them. When creating the IAM user's credentials you have to determine what type of access the user requires. Creating an access key alongside a console password at setup typically leaves a long-lived key that is never used, which is what the remediation below removes.
Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.
AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.
Remediation
Perform the following to delete access keys that do not pass the audit:
From Console:
- Login to the AWS Management Console.
- Click Services.
- Click IAM.
- Click on Users and select the user to review.
- Click on Security Credentials.
- As an Administrator: click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.
- As an IAM User: click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.
From Command Line:
for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
  # Get user creation date
  user_create_date=$(aws iam get-user --user-name "$user" --query 'User.CreateDate' --output text)
  # Get access keys
  access_keys=$(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata' --output json)
  # Only print if access keys exist
  if [ "$access_keys" != "[]" ]; then
    aws iam list-access-keys --user-name "$user" \
      --query "AccessKeyMetadata[*].{UserName:'$user', UserCreateDate:'$user_create_date', AccessKeyId:AccessKeyId, AccessKeyCreateDate:CreateDate}" \
      --output table
  fi
done
The script only lists each user's access keys next to the user creation date; it does not delete anything. Compare the two timestamps, confirm the key has not been used, and then remove it with the console steps above.
Default Value:
By default, when creating a new IAM user, AWS does not enable programmatic access or create access keys unless explicitly selected during user setup.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_2_10
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_10 --share
SQL
This control uses a named query:
select
  user_arn as resource,
  case
    -- alarm when password is enabled and the key was created within 10 seconds of the user
    when password_enabled
      and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm'
    else 'ok'
  end as status,
  case
    when not password_enabled then user_name || ' password login disabled.'
    when access_key_1_last_rotated is null then user_name || ' has no access keys.'
    when password_enabled
      and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then user_name || ' has access key created during user creation and password login enabled.'
    else user_name || ' has access key not created during user creation.'
  end as reason,
  account_id
from
  aws_iam_credential_report;
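The query above and the command-line audit in the Remediation section both reduce to one predicate: a key whose creation time falls within 10 seconds of the user's creation time, on a user that also has a console password. The following is an added example, not code from the Powerpipe mod or the CIS benchmark, that applies that predicate offline to a constructed credential report (the same source the `aws_iam_credential_report` table reads, with the column names AWS documents for `get-credential-report`) and then selects which keys to delete from constructed `aws iam list-access-keys` and `aws iam get-access-key-last-used` output. The user names, account ID and key IDs are made up; the key IDs are the placeholders AWS uses in its own documentation. The deletion command it renders, `aws iam delete-access-key`, is the real CLI call the console X button corresponds to.

```python
import csv
import io
import json
from datetime import datetime

# Threshold used by the control's SQL: a key created within this many seconds
# of the user is treated as "created during initial setup".
WINDOW_SECONDS = 10

# Constructed credential report, not real account data. Column names follow the
# AWS credential-report layout; only the columns this check reads are included.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,access_key_1_active,access_key_1_last_rotated
alice,arn:aws:iam::111122223333:user/alice,2024-03-01T09:00:00+00:00,true,true,2024-03-01T09:00:03+00:00
bob,arn:aws:iam::111122223333:user/bob,2024-03-01T09:05:00+00:00,true,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2024-03-02T12:00:00+00:00,false,true,2024-03-02T12:00:02+00:00
dave,arn:aws:iam::111122223333:user/dave,2024-03-03T08:00:00+00:00,true,true,2024-04-10T15:30:00+00:00
"""

# Constructed `aws iam list-access-keys --user-name alice` output and the
# matching `aws iam get-access-key-last-used` result per key. A never-used key
# has no LastUsedDate field at all, which is the "have not been used" test.
SAMPLE_LIST_ACCESS_KEYS = json.loads("""
{"AccessKeyMetadata": [
  {"UserName": "alice", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active", "CreateDate": "2024-03-01T09:00:03+00:00"},
  {"UserName": "alice", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active", "CreateDate": "2024-05-20T10:00:00+00:00"}
]}
""")
SAMPLE_LAST_USED = {
    "AKIAIOSFODNN7EXAMPLE": {"UserName": "alice", "AccessKeyLastUsed": {"ServiceName": "N/A", "Region": "N/A"}},
    "AKIAI44QH8DHBEXAMPLE": {"UserName": "alice", "AccessKeyLastUsed": {
        "LastUsedDate": "2024-06-01T00:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}},
}


def parse_timestamp(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_report(text):
    """Decoded credential report CSV -> list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def created_at_setup(user_created, key_created, window=WINDOW_SECONDS):
    """The SQL predicate: key timestamp less than `window` seconds after user creation."""
    if user_created is None or key_created is None:
        return False
    return (key_created - user_created).total_seconds() < window


def evaluate(rows, window=WINDOW_SECONDS):
    """One finding per user, with the same status and reason cases as the control's SQL.

    Only access_key_1 is inspected, exactly as the SQL does; a second key or a key
    that was rotated after setup is not flagged. The root row reports
    password_enabled as not_supported and therefore counts as disabled here.
    """
    findings = []
    for row in rows:
        user = row["user"]
        password_enabled = row["password_enabled"] == "true"
        user_created = parse_timestamp(row["user_creation_time"])
        key_created = parse_timestamp(row["access_key_1_last_rotated"])
        if password_enabled and created_at_setup(user_created, key_created, window):
            status, reason = "alarm", f"{user} has access key created during user creation and password login enabled."
        elif not password_enabled:
            status, reason = "ok", f"{user} password login disabled."
        elif key_created is None:
            status, reason = "ok", f"{user} has no access keys."
        else:
            status, reason = "ok", f"{user} has access key not created during user creation."
        findings.append({"user": user, "resource": row["arn"], "status": status, "reason": reason})
    return findings


def setup_keys_to_delete(user_created, list_keys_output, last_used_by_id, window=WINDOW_SECONDS):
    """Key IDs created at setup that have never been used: the console steps' deletion criterion."""
    doomed = []
    for key in list_keys_output["AccessKeyMetadata"]:
        created = parse_timestamp(key["CreateDate"])
        never_used = "LastUsedDate" not in last_used_by_id[key["AccessKeyId"]]["AccessKeyLastUsed"]
        if created_at_setup(user_created, created, window) and never_used:
            doomed.append(key["AccessKeyId"])
    return doomed


def delete_commands(user, key_ids):
    """Render the CLI calls that remove the keys; review the list before running them."""
    return [f"aws iam delete-access-key --user-name {user} --access-key-id {k}" for k in key_ids]


if __name__ == "__main__":
    for finding in evaluate(parse_report(SAMPLE_REPORT)):
        print(finding["status"], finding["reason"])
    alice_created = parse_timestamp("2024-03-01T09:00:00+00:00")
    for cmd in delete_commands("alice", setup_keys_to_delete(alice_created, SAMPLE_LIST_ACCESS_KEYS, SAMPLE_LAST_USED)):
        print(cmd)
```

Against a live account, feed `parse_report` the base64-decoded `Content` of `aws iam get-credential-report` (after `aws iam generate-credential-report`); note that AWS regenerates the report at most every four hours, so a key created minutes ago may not appear yet. The credential report does not carry access key IDs, which is why the deletion step still needs `list-access-keys` per alarmed user.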