SSH Public Keys Rotated 45 Days

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-027

Ensure that all your IAM SSH public keys are rotated every 45 days in order to decrease the likelihood of accidental exposures and protect your AWS CodeCommit repositories from unauthorized access.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Periodically rotating the SSH public keys assigned to your IAM users significantly reduces the chance that a compromised key can be used, without your knowledge, to access your private repositories hosted on AWS CodeCommit.


Audit

To determine if your AWS IAM users keep any outdated (older than 45 days) SSH public keys, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Under the SSH keys for AWS CodeCommit section, in the Uploaded column, check for any SSH keys older than 45 days with the status set to Active.

If an active public key is older than 45 days, the key is outdated and needs to be changed in order to secure the access to your private Git repositories.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users available within your account:

aws iam list-users \
	--query 'Users[*].UserName'

02 The command output should return an array that contains all IAM user names:

[
    "Jack",
    "Robert",
    ...
    "Philip"
]

03 Run list-ssh-public-keys command (OSX/Linux/UNIX) using the IAM user name that you want to examine as command parameter to return the metadata of each SSH public key assigned to the selected IAM user:

aws iam list-ssh-public-keys \
	--region us-east-1 \
	--user-name Jack

04 The command output should return the metadata of each SSH key currently available:

{
    "SSHPublicKeys": [
        {
            "UserName": "Jack",
            "Status": "Active",
            "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ",
            "UploadDate": "2015-07-20T12:35:50Z"
        }
    ]
}

Check the UploadDate property value of each active SSH key returned to determine when it was uploaded. If an active IAM user SSH public key is older than 45 days, the key is outdated and must be changed (rotated) in order to secure access to your AWS CodeCommit repositories.

05 Repeat steps no. 3 and 4 for each IAM user that you want to examine, available in your AWS account.
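The audit above, steps 01 to 05, as a script. This is an added example, not Conformity's own check: the age test runs offline on a constructed sample shaped like the list-ssh-public-keys output shown above, and audit_account() is the same logic wired to a boto3 IAM client (assumed to be passed in by the caller).

```python
"""Flag Active IAM SSH public keys (CodeCommit) older than 45 days."""
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=45)
# Evaluation date for the offline sample: the page's publication date.
AS_OF = datetime(2016, 8, 24, tzinfo=timezone.utc)

def parse_upload_date(value):
    """Accept the CLI's ISO-8601 string (with or without fractional seconds)
    or the tz-aware datetime that boto3 returns."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def outdated_keys(ssh_public_keys, now=None, max_age=MAX_KEY_AGE):
    """Return (UserName, SSHPublicKeyId, age_in_days) for every key that is
    both Active and older than max_age. Inactive keys cannot authenticate,
    so they are skipped here."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in ssh_public_keys:
        if key["Status"] != "Active":
            continue
        age = now - parse_upload_date(key["UploadDate"])
        if age > max_age:
            findings.append((key["UserName"], key["SSHPublicKeyId"], age.days))
    return findings

def audit_account(iam, now=None):
    """Live version of the procedure: iam is a boto3 IAM client (assumption:
    credentials already configured). Walks every user, then every key."""
    findings = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for kpage in iam.get_paginator("list_ssh_public_keys").paginate(UserName=user["UserName"]):
                findings.extend(outdated_keys(kpage["SSHPublicKeys"], now))
    return findings

# Constructed sample: the key from the Audit section plus a freshly uploaded
# key and an Inactive one. The two extra key IDs are placeholders, not real.
SAMPLE = json.loads("""{"SSHPublicKeys": [
 {"UserName": "Jack", "Status": "Active", "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ", "UploadDate": "2015-07-20T12:35:50Z"},
 {"UserName": "Jack", "Status": "Active", "SSHPublicKeyId": "APKAEXAMPLENEWKEY000", "UploadDate": "2016-08-23T18:36:13.242Z"},
 {"UserName": "Jack", "Status": "Inactive", "SSHPublicKeyId": "APKAEXAMPLEOLDKEY000", "UploadDate": "2014-01-01T00:00:00Z"}]}""")

def audit_sample():
    """Run the offline check over SAMPLE as of AS_OF."""
    return outdated_keys(SAMPLE["SSHPublicKeys"], now=AS_OF)

if __name__ == "__main__":
    for user, key_id, days in audit_sample():
        print(f"{user}: key {key_id} is {days} days old (> 45), rotate it")
```

Only the 2015 key is reported: the day-old key is within the window and the Inactive key is ignored.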

Remediation / Resolution

To rotate (change) your outdated IAM SSH public keys, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 In the SSH keys for AWS CodeCommit section, click the Upload SSH public key button to initiate the upload process for the new SSH public key.

07 Click Upload SSH public key button to upload the brand new public key to AWS IAM.

08 Click the Close button to close the dialog box and return to the configuration page. The IAM user should now have two active SSH public keys.

09 Update your AWS CodeCommit SSH connection configuration by replacing the existing SSH Key ID (e.g., APKAJYZYI7KYMA6S25CQ) with the new key ID, then test the new public key by connecting to the necessary repositories. This test is performed to ensure that the newly added SSH key is working properly.

10 Once the new public key is validated, return to the IAM user configuration page, identify the outdated key and click the Delete link to remove it from AWS IAM.

11 In the Delete SSH Key confirmation box, click Delete to remove the selected key.

12 Repeat steps no. 4 – 11 to replace any outdated SSH public keys assigned to other IAM users available in your AWS account.

Using AWS CLI

01 Run upload-ssh-public-key command (OSX/Linux/UNIX) using the IAM user name and the SSH public key (encoded in PEM or SSH-RSA format) as command parameters to upload the new key to AWS IAM. The following example uploads an SSH-RSA public key and assigns it to an IAM user named "Jack":

aws iam upload-ssh-public-key \
	--region us-east-1 \
	--user-name Jack \
	--ssh-public-key-body 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAipfY1cM3Scrg5Av57ndpWKc/6Nrb6fi0mkGp6yP96VBAVmIaayxntSQokYCbcIsJvWkN5pPzCINBfM8YHQIvDePyrNC+TmA2t5JWVsUh40FZ8jK6gdlCOQTxLqZbdUxgYj1YUsa+hwxfyzGGADTzs726uvSpru0P4CVUm9s6r/SOP9jGmn8r+tiarWf5Kr9+QCMlrajj8/RGr0bdlSWQG9SSh1xlw6/dmy1s1G/sUvD72YiT7hMpYB/perKbcaADLN9Dle4daBT2y8rcfZDqn2+Ml25iZLz+VFzLsos9jmdiImX5+2t0Ry7qak1wVFaAZH3Zkvv9ssGBT58s7wd/kQ== ec2-user@ip-172-30-11-45'

02 The command output should return the uploaded SSH key metadata:

{
    "SSHPublicKey": {
        "UserName": "Jack",
        "Status": "Active",
        "SSHPublicKeyBody": "ssh-rsa AAAAB ... ec2-user@ip-172-30-11-45",
        "UploadDate": "2016-08-23T18:36:13.242Z",
        "Fingerprint": "f0:d2:8f:4c:d5:4a:db:67:f4:64:4d:c6:b5:6c:a8:4a",
        "SSHPublicKeyId": "APKAJR372EROJTUMHSHQ"
    }
}

03 Update your AWS CodeCommit SSH connection configuration by replacing the existing SSH Key ID (e.g., APKAJYZYI7KYMA6S25CQ) with the key ID returned at the previous step as the value of the SSHPublicKeyId property, then test the new public key by connecting to your private repositories. This test is performed to ensure that the new SSH key is working as expected.

04 Once the new SSH public key is validated, run delete-ssh-public-key command (OSX/Linux/UNIX) to remove the outdated key by using its ID as identifier. The following example deletes the old SSH public key with the ID APKAJYZYI7KYMA6S25CQ (the key being replaced, not the new key APKAJR372EROJTUMHSHQ uploaded at step 01), assigned to an IAM user named "Jack" (if successful, the command does not return an output):

aws iam delete-ssh-public-key \
	--region us-east-1 \
	--user-name Jack \
	--ssh-public-key-id APKAJYZYI7KYMA6S25CQ

05 Repeat steps no. 1 – 4 to replace any outdated SSH public keys assigned to other IAM users available in your AWS account.
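Step 03 above (and step 09 of the console procedure) is the part of the rotation that is easy to get wrong: with CodeCommit over SSH the IAM SSH key ID is used as the SSH user name, so the swap lands on the User line of the git-codecommit Host block in ~/.ssh/config. This added example (not from the page or from AWS) swaps the old key ID for the new one only inside that block, leaving other hosts alone; the config text is constructed and the key file name is an assumption.

```python
"""Point the CodeCommit SSH client config at the newly uploaded IAM key ID."""
from pathlib import Path

# Constructed ~/.ssh/config: one unrelated host plus the CodeCommit block.
# The IdentityFile name is an assumption; the old key ID is the page's.
SAMPLE_CONFIG = """\
Host github.com
  User git
  IdentityFile ~/.ssh/id_ed25519

Host git-codecommit.*.amazonaws.com
  User APKAJYZYI7KYMA6S25CQ
  IdentityFile ~/.ssh/codecommit_rsa
"""

def swap_codecommit_key_id(config_text, old_id, new_id):
    """Return (new_text, lines_changed). Only 'User old_id' lines that sit
    inside a Host block naming git-codecommit are rewritten, so a 'User'
    line for any other host is never touched even if it matched old_id."""
    out, in_codecommit, changed = [], False, 0
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("host "):
            in_codecommit = "git-codecommit" in stripped
        elif in_codecommit:
            parts = stripped.split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "user" and parts[1] == old_id:
                indent = line[: len(line) - len(line.lstrip())]
                line = indent + "User " + new_id
                changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed

def rotate_ssh_config(path, old_id, new_id):
    """Apply the swap to a real file; write only if something changed and
    return the number of lines rewritten (0 means the old ID was not found,
    which is worth noticing before deleting the old key in IAM)."""
    p = Path(path)
    text, changed = swap_codecommit_key_id(p.read_text(), old_id, new_id)
    if changed:
        p.write_text(text)
    return changed
```

After the swap, run the connection test from step 03 before deleting the old key; a result of 0 changed lines means the config still points at the outdated key.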

Publication date Aug 24, 2016