Access Keys During Initial IAM User Setup

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-043

Ensure that no Amazon IAM access keys are created during initial setup for all IAM users that have a console password. By default, during IAM user setup process, AWS Management Console sets the checkbox for creating access keys to enabled, generating unnecessary access credentials that need to be managed and protected against exposure.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Unnecessary AWS IAM access keys generate unnecessary management work in auditing and rotating IAM credentials. Even if it's known that the IAM user will need these keys, Cloud Conformity recommends promoting the access keys creation as a separate step from IAM user creation as security best practice.


Audit

To identify any access keys created during IAM user initial setup, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user that you want to examine.

05 On the Summary page, check the user creation date listed as value for the Creation time attribute.

06 Select Security Credentials tab, search for any active access keys available inside Access Keys section and verify their creation date listed in Created column.

07 Compare the IAM user creation date (step no. 5) to each access key creation date (step no. 6). If the creation dates match, the key pair was created during initial user setup. If the access keys that were created at the same time as the selected IAM user profile do not have a last used date (i.e. Last used attribute value is set to N/A), the verified IAM access key pair is considered unnecessary and can be deleted from your AWS account.

08 Repeat steps no. 4 – 7 for each IAM user created within your AWS account.

Using AWS CLI

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS account. A credential report is a CSV document that lists all users (root and IAM users) currently available in your AWS account and the current status of their credentials:

aws iam get-credential-report

02 The command output should return the document in a TEXT/CSV format, encoded with the Base64 encoding scheme, e.g.:

{
    "Content": "aaaabbbbccccddddeeee ... ffffgggghhhhiiiijjjj=",
    "GeneratedTime": "2017-12-05T18:34:53Z",
    "ReportFormat": "text/csv"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named aws-iam-credentials-report.csv:

echo -n "aaaabbbbccccddddeeee ... ffffgggghhhhiiiijjjj=" | base64 -d > aws-iam-credentials-report.csv

04 Open aws-iam-credentials-report.csv in your favorite file editor and check the value available in the user_creation_time column for each listed AWS IAM user. The user_creation_time attribute describes the date and time when the IAM user profile was created. Now check the value available in the access_key_1_last_rotated column. The access_key_1_last_rotated attribute describes the date and time when the first IAM access key pair was created (or rotated). Compare the IAM user creation date (user_creation_time value) to the first access key creation date (access_key_1_last_rotated value). If the creation dates match, the key pair was created during initial user setup. If the access keys that were created at the same time as the selected IAM user profile do not have a last used date (i.e. the access_key_1_last_used_date attribute value within the aws-iam-credentials-report.csv file is set to N/A), the verified IAM access key pair is considered unnecessary and can be safely removed from your AWS account.

05 Repeat step no. 4 for each IAM user created within your AWS account.
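The CLI audit above (decode the Base64 credential report, then compare user_creation_time with access_key_N_last_rotated and check access_key_N_last_used_date) can be automated. The following script is an added example, not part of the Conformity knowledge base or the AWS CLI. It decodes a constructed get-credential-report response, walks both access key slots for every IAM user, skips the root account row, and flags keys created within a small tolerance window of the user's creation (the page describes an exact match; the 60-second tolerance is an assumption that allows for the second or two the console takes between creating the user and the key). The sample report and account ID 111122223333 are constructed; the column names are the ones AWS uses in the report.

```python
import base64
import csv
import io
import json
from datetime import datetime, timedelta

# Constructed sample of the JSON returned by `aws iam get-credential-report`.
# Content is a Base64-encoded CSV using the AWS column names; only the columns
# this check needs are included (a real report carries more columns).
SAMPLE_CSV = """user,arn,user_creation_time,password_enabled,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2016-01-10T09:00:00+00:00,not_supported,false,N/A,N/A,false,N/A,N/A
cc-ec2-manager,arn:aws:iam::111122223333:user/cc-ec2-manager,2017-11-20T14:02:11+00:00,true,true,2017-11-20T14:02:12+00:00,N/A,false,N/A,N/A
cc-deploy-bot,arn:aws:iam::111122223333:user/cc-deploy-bot,2017-11-21T08:15:00+00:00,false,true,2017-11-21T08:15:00+00:00,2017-12-01T10:00:00+00:00,true,2017-12-02T11:30:00+00:00,N/A
cc-auditor,arn:aws:iam::111122223333:user/cc-auditor,2017-10-01T12:00:00+00:00,true,true,2017-11-15T16:45:00+00:00,N/A,false,N/A,N/A
"""

SAMPLE_REPORT = json.dumps({
    "Content": base64.b64encode(SAMPLE_CSV.encode("utf-8")).decode("ascii"),
    "GeneratedTime": "2017-12-05T18:34:53Z",
    "ReportFormat": "text/csv",
})


def decode_report(report_json):
    """Decode the Base64 Content of a get-credential-report response into CSV rows."""
    doc = json.loads(report_json)
    if doc.get("ReportFormat") != "text/csv":
        raise ValueError("unexpected ReportFormat: %r" % doc.get("ReportFormat"))
    raw = base64.b64decode(doc["Content"]).decode("utf-8")
    return list(csv.DictReader(io.StringIO(raw)))


def parse_time(value):
    """Parse a report timestamp; the report's non-date markers yield None."""
    if value in ("", "N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def find_setup_keys(rows, tolerance=timedelta(seconds=60)):
    """Return one finding per access key created within `tolerance` of user creation.

    Each finding records the user, the key slot (1 or 2), whether the key has
    never been used (last_used_date == N/A) and whether the user has a console
    password, so unused setup keys on console users can be prioritised.
    """
    findings = []
    for row in rows:
        if row["user"] == "<root_account>":  # rule applies to IAM users only
            continue
        created = parse_time(row["user_creation_time"])
        if created is None:
            continue
        for slot in ("1", "2"):
            rotated = parse_time(row["access_key_%s_last_rotated" % slot])
            if rotated is None or abs(rotated - created) > tolerance:
                continue  # no key in this slot, or created/rotated later
            findings.append({
                "user": row["user"],
                "key_slot": int(slot),
                "unused": row["access_key_%s_last_used_date" % slot] == "N/A",
                "console_password": row["password_enabled"] == "true",
            })
    return findings


if __name__ == "__main__":
    for f in find_setup_keys(decode_report(SAMPLE_REPORT)):
        print("%(user)s key %(key_slot)d: created at setup, unused=%(unused)s, "
              "console_password=%(console_password)s" % f)
```

To run it against a real account, replace SAMPLE_REPORT with the output of `aws iam get-credential-report` (the report must already exist; `aws iam generate-credential-report` creates it). Two caveats follow from the report's columns: access_key_N_last_rotated moves forward when a key is rotated, so a setup-time key that was later rotated will no longer match, and the report does not contain access key IDs, so `aws iam list-access-keys --user-name <user>` is needed to obtain the ID before the key can be deleted.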

Remediation / Resolution

To remove any unnecessary and unused AWS IAM access keys, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the name of the IAM user associated with the unnecessary access keys.

05 On the Summary page, select Security Credentials tab.

06 Inside Access Keys section, locate the unnecessary and unused access key pair (see Audit section to identify the right IAM credentials) and delete it by clicking the x button, accessible in the Status column.

07 Repeat steps no. 4 – 6 to remove unnecessary access credentials for other IAM users created within your AWS account.

Using AWS CLI

01 Run delete-access-key command (OSX/Linux/UNIX) to remove the unnecessary and unused AWS IAM credentials (see Audit section to identify the right keys) from your AWS account. The following command example deletes an access key pair with the ID "AAAABBBBCCCCDDDDEEEE", created for an IAM user with the name "cc-ec2-manager". If the --user-name parameter is not specified, the IAM user name is determined implicitly based on the AWS access key ID used to sign the delete-access-key command request. If successful, the command does not produce an output:

aws iam delete-access-key \
    --access-key-id AAAABBBBCCCCDDDDEEEE \
    --user-name cc-ec2-manager

02 Repeat step no. 1 to remove unnecessary access credentials for other IAM users available in your AWS account.

Publication date Dec 6, 2017