IAM User with Password and Access Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-024

Ensure that your Amazon IAM users are either being used for API access or for management console access in order to reduce the risk of unauthorized access in case the user credentials (access keys or passwords) are compromised.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Segregating the IAM users within your account by controlling their privileges will help you maintain a secure AWS cloud environment. Trend Cloud One™ – Conformity strongly recommends that you follow the Principle of Least Privilege and grant your IAM users the minimum amount of privileges necessary to perform the assigned task. Application users should use only access keys to programmatically access data in AWS cloud and administrators who need console access should use only passwords to manage AWS resources.
Audit

To determine if your IAM users have both access keys and passwords assigned for authentication, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name (link) of the IAM user that you want to examine.

05 Select the Security credentials tab to access the configuration information available for the IAM user credentials.

06 In the Access Keys section, check for any access key pairs created for the selected IAM user. If the user has one or more access key pairs attached, the selected IAM user profile is used for API access.

07 In the Sign-In credentials section, check the Console password configuration status. If the Console password status is set to Enabled, the selected Amazon IAM user can access the AWS Management Console using a password.

08 If the verified Amazon IAM user is configured to use passwords and has one or more access keys attached, the authentication configuration of the selected IAM user is not compliant.

09 Repeat steps no. 4 – 7 for each IAM user available within your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all the IAM users available within your AWS account:

aws iam list-users \
  --output table \
  --query 'Users[*].UserName'

02 The command output should return a table with the requested IAM user identifiers:

------------------------
|      ListUsers       |
+----------------------+
|  cc-project5-admin   |
|  cc-s3-data-manager  |
+----------------------+

03 Run list-access-keys command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom filtering to describe each access key created for the selected IAM user:

aws iam list-access-keys \
  --user-name cc-project5-admin \
  --query 'AccessKeyMetadata[*]'

04 The command output should return the metadata available for each requested access key:

[
  {
    "UserName": "cc-project5-admin",
    "AccessKeyId": "ABCDABCDABCDABCDABCD",
    "Status": "Active",
    "CreateDate": "2021-01-16T08:13:13+00:00"
  },
  {
    "UserName": "cc-project5-admin",
    "AccessKeyId": "AAAABBBBCCCCDDDDAAAA",
    "Status": "Active",
    "CreateDate": "2021-03-10T08:13:34+00:00"
  }
]

If the list-access-keys command output returns one or more active access key pairs, the selected IAM user profile is used for API access.

05 Run get-login-profile command (OSX/Linux/UNIX) to describe the login profile available for the selected IAM user:

aws iam get-login-profile \
  --user-name cc-project5-admin

06 The command output should return the login profile configured for the selected user or a 404 NoSuchEntity error if there is no login profile available:

{
  "LoginProfile": {
    "UserName": "cc-project5-admin",
    "CreateDate": "2021-02-10T10:40:00+00:00",
    "PasswordResetRequired": false
  }
}

If the get-login-profile command returns the requested login profile information, as shown in the example above, the selected Amazon IAM user can access the AWS Management Console using a password.

07 If the verified Amazon IAM user is configured to use passwords and has one or more access keys attached, the authentication configuration of the selected IAM user is not compliant.

08 Repeat steps no. 3 – 7 for each IAM user available within your AWS account.
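The per-user audit above (list-access-keys plus get-login-profile for every user) can be done in one pass from the IAM credential report, which lists every user with a password_enabled column and an active flag for each of the two access-key slots. The script below is an added example, not part of this rule page or the Conformity tooling: it parses a constructed sample report (the real report is the base64-decoded CSV returned by aws iam get-credential-report) and flags users that have both a console password and at least one active access key, skipping the root row, which reports password_enabled as not_supported.

```python
import csv
import io

# Constructed sample of an IAM credential report (the CSV returned, base64-encoded,
# by `aws iam get-credential-report`). Only the columns this check needs are kept;
# the real report has more. All names and ARNs are made up for illustration.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,false
cc-project5-admin,arn:aws:iam::123456789012:user/cc-project5-admin,true,true,true,true
cc-s3-data-manager,arn:aws:iam::123456789012:user/cc-s3-data-manager,false,false,true,false
cc-console-only,arn:aws:iam::123456789012:user/cc-console-only,true,false,false,false
cc-retired-user,arn:aws:iam::123456789012:user/cc-retired-user,true,false,false,true
"""


def classify_user(row):
    """Return (console_access, api_access) for one credential-report row.

    console_access: the user has a console password (password_enabled == true).
    api_access: at least one of the two access-key slots holds an active key.
    Inactive keys are not counted, matching the rule's "active access key" wording.
    """
    console = row["password_enabled"].strip().lower() == "true"
    api = any(row[key].strip().lower() == "true"
              for key in ("access_key_1_active", "access_key_2_active"))
    return console, api


def find_dual_credential_users(report_csv):
    """Names of IAM users that are non-compliant with IAM-024.

    A user is flagged when it has BOTH a console password and >= 1 active
    access key. The root row is skipped: its password_enabled value is
    'not_supported' and root credentials are covered by separate checks.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        console, api = classify_user(row)
        if console and api:
            flagged.append(row["user"])
    return flagged


if __name__ == "__main__":
    for name in find_dual_credential_users(SAMPLE_REPORT):
        print(f"NON-COMPLIANT: {name} has a console password and an active access key")
```

Users flagged by this script are the ones that need Case A or Case B of the remediation below, depending on whether they are human console users or programmatic identities.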

Remediation / Resolution

Using AWS Console

Case A: To modify the authentication configuration for your Amazon IAM users and disable the authentication via IAM access keys, perform the following operations:

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name of the Amazon IAM user that doesn't require access keys (e.g. human users with certain job functions or responsibilities such as AWS console administrators).

05 Select the Security credentials tab and remove each active IAM access key by clicking the x (Delete) button displayed for each key entry.

06 Inside the Delete <access-key-id>? confirmation box, choose Deactivate to decommission the selected key, enter the access key ID in the required input field, then choose Delete to remove the selected access key pair.

07 Repeat steps no. 4 – 6 for each IAM user that you want to reconfigure, available in your AWS cloud account.
Case B: To modify the authentication configuration for your Amazon IAM users and disable the authentication using passwords, perform the following operations:

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name of the IAM user that doesn't require access via AWS Management Console (e.g. programmatic IAM entity that interacts with AWS services and resources through the API using access keys for access).

05 Select the Security credentials tab and click on the Manage link available next to the Console password attribute value.

06 Inside the Manage console access configuration box, choose Disable next to Console access to remove the account password associated with the selected IAM user and deactivate the user access to the AWS Management Console. Choose Apply to save the configuration changes.

07 Repeat steps no. 4 – 6 for each IAM user that you want to reconfigure, available in your AWS cloud account.

Using AWS CLI

Case A: To modify the authentication configuration for your Amazon IAM users and disable the authentication via IAM access keys, perform the following operations:

01 Run delete-access-key command (OSX/Linux/UNIX) to remove the active access key pair configured for the Amazon IAM user that doesn't require access keys (e.g. human users with certain job functions or responsibilities such as AWS console administrators). Repeat this step for each active access key created for the selected IAM user. If successful, the delete-access-key command request does not produce an output:

aws iam delete-access-key \
  --access-key-id ABCDABCDABCDABCDABCD \
  --user-name cc-project5-admin

02 Repeat step no. 1 for each IAM user that you want to reconfigure, available within your AWS cloud account.
Case B: To modify the authentication configuration for your Amazon IAM users and disable the authentication using passwords, perform the following operations:

01 Run delete-login-profile command (OSX/Linux/UNIX) to delete the password assigned to the Amazon IAM user that doesn't require access via AWS Management Console (e.g. programmatic IAM entity that interacts with AWS services and resources through the API using access keys). If successful, the delete-login-profile command request does not produce an output:

aws iam delete-login-profile \
  --user-name cc-project5-admin

02 Repeat step no. 1 for each IAM user that you want to reconfigure, available within your AWS cloud account.

Publication date May 24, 2016