
Unnecessary Access Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-004

Identify and deactivate any unnecessary IAM access keys in order to follow IAM security best practices. Amazon IAM allows an IAM user to have at most two access keys, and having both active at the same time is intended only for the key rotation process, in which the new key is created and applications are moved to it before the old key is retired. Trend Cloud One™ – Conformity strongly recommends deactivating the old key once the new one is in use, so that only one access key remains active for the IAM user.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Deactivating (and eventually removing) unnecessary Amazon IAM access keys reduces the number of long-lived credentials that can be leaked or misused, lowers the risk of unauthorized access to your AWS cloud resources and other components, and adheres to IAM security best practices.


Audit

To determine if your IAM users have unnecessary active access keys, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name (link) of the IAM user that you want to examine.

05 Select the Security credentials tab to access the configuration information available for the IAM user credentials.

06 In the Access keys section, check the status of each access key associated with the selected IAM user, shown in the Status column. If the selected Amazon IAM user has more than one active access key, the IAM user access configuration does not follow AWS cloud security best practices: the identity has two live long-term credentials, each of which can be exposed, and the one no application uses is the one least likely to be noticed if it leaks.

07 Repeat steps no. 4 – 6 for each Amazon IAM user available in your AWS cloud account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) using custom query filters to list the names of all the IAM users available within your AWS account:

aws iam list-users \
  --output table \
  --query 'Users[*].UserName'

02 The command output should return a table with the requested IAM user identifiers:

------------------------
|      ListUsers       |
+----------------------+
|  cc-project5-admin   |
|  cc-s3-data-manager  |
+----------------------+

03 Run list-access-keys command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom filtering to describe each access key created for the selected IAM user:

aws iam list-access-keys \
  --user-name cc-project5-admin \
  --query 'AccessKeyMetadata[*]'

04 The command output should return the metadata available for each requested access key:

[
	{
		"UserName": "cc-project5-admin",
		"AccessKeyId": "ABCDABCDABCDABCDABCD",
		"Status": "Active",
		"CreateDate": "2021-01-16T08:13:13+00:00"
	},
	{
		"UserName": "cc-project5-admin",
		"AccessKeyId": "AAAABBBBCCCCDDDDAAAA",
		"Status": "Active",
		"CreateDate": "2021-03-10T08:13:34+00:00"
	}
]

Check the "Status" attribute value for each IAM access key returned by the list-access-keys command to determine the state of each access key associated with the IAM user. If the selected Amazon IAM user has more than one active access key, as shown in the example above, the IAM user access configuration does not follow AWS cloud security best practices and the risk of accidental exposure is high. The "CreateDate" values show which key is older; in the rotation workflow that is the key to retire once applications have moved to the newer one.

05 Repeat steps no. 3 and 4 for each Amazon IAM user available within your AWS cloud account.

Remediation / Resolution

To deactivate any unnecessary Amazon IAM access keys, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON). Note that AWS::IAM::AccessKey creates and manages an access key as a stack resource, so the Status property applies to the key the stack itself created. A key created outside CloudFormation is not changed by this template; deactivate such keys with the console or CLI steps below.

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Unnecessary Access Key",
	"Resources": {
		"IAMUserAccessKey": {
			"Type": "AWS::IAM::AccessKey",
			"Properties": {
				"UserName": "cc-project5-iam-user",
				"Status": "Inactive"
			}
		}
	}
}

02 CloudFormation template (YAML). YAML does not allow tab indentation, so the nesting below uses spaces:

AWSTemplateFormatVersion: '2010-09-09'
Description: Unnecessary Access Key
Resources:
  IAMUserAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: cc-project5-iam-user
      Status: Inactive

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf). As with CloudFormation, aws_iam_access_key creates a key that Terraform then manages, so status = "Inactive" applies to that key; an access key created outside Terraform must be brought under management (for example by importing it) before this configuration can change its status. The key's secret is stored in the Terraform state file, so protect the state backend accordingly.

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Unnecessary Access Keys
# The key is created directly in the Inactive state.
resource "aws_iam_access_key" "iam-user-access-key" {
	user   = "cc-project5-iam-user"
	status = "Inactive"
}

# The SES SMTP password is derived from the secret access key and is itself
# a credential; Terraform 0.15 and later refuse to output it unless the
# output is marked sensitive.
output "aws_iam_smtp_password_v4" {
	value     = aws_iam_access_key.iam-user-access-key.ses_smtp_password_v4
	sensitive = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users.

04 Click on the name (link) of the IAM user that you want to reconfigure.

05 Select the Security credentials tab to access the configuration information available for the IAM user credentials.

06 In the Access keys section, perform the following actions:

  1. Choose the IAM access key that will be used to provide access to your AWS cloud resources, and update your application(s) code to use only the chosen key pair. Test your application(s) to make sure that the chosen IAM access key is working.
  2. Identify the non-operational IAM access key (other than the one chosen at the previous step) and deactivate the key pair by choosing Make inactive.
  3. In the Deactivate <access-key-id>? confirmation box, choose Deactivate to decommission the selected key.

07 Repeat steps no. 4 – 6 for each IAM user that you want to reconfigure, available in your AWS cloud account.

Using AWS CLI

01 Run list-access-keys command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to reconfigure as the identifier parameter, to describe each access key created for the selected IAM user:

aws iam list-access-keys \
  --user-name cc-project5-admin \
  --query 'AccessKeyMetadata[*]'

02 The command output should return the metadata available for each requested access key:

[
	{
		"UserName": "cc-project5-admin",
		"AccessKeyId": "ABCDABCDABCDABCDABCD",
		"Status": "Active",
		"CreateDate": "2021-01-16T08:13:13+00:00"
	},
	{
		"UserName": "cc-project5-admin",
		"AccessKeyId": "AAAABBBBCCCCDDDDAAAA",
		"Status": "Active",
		"CreateDate": "2021-03-10T08:13:34+00:00"
	}
]

03 Choose the IAM access key that will be used to provide access to your AWS cloud resources, and update your application(s) code to use only the chosen key pair. Test your application(s) to make sure that the chosen IAM access key is working.

04 Run update-access-key command (OSX/Linux/UNIX) to deactivate the unnecessary, non-operational IAM access key. If the request succeeds, the command produces no output. Deactivating rather than deleting is deliberate: an inactive key can be reactivated with --status Active if an overlooked client turns out to depend on it, whereas a deleted key cannot be recovered. Delete the key only after it has been inactive long enough to be sure nothing uses it.

aws iam update-access-key \
  --access-key-id ABCDABCDABCDABCDABCD \
  --status Inactive \
  --user-name cc-project5-admin

05 Repeat steps no. 1 – 4 for each IAM user that you want to reconfigure, available within your AWS cloud account.
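The Audit and Remediation CLI procedures above can be run as one script instead of user by user. The following is an added example written for this page, not Conformity's own code: it applies the IAM-004 check to the JSON that aws iam list-access-keys returns, chooses the surplus key to deactivate, and renders the aws iam update-access-key call from step 04 of the remediation. The three users and their keys are constructed sample data (only cc-project5-admin copies the page's example); the rule that the newest active key is the one to keep, unless the caller names another, is this example's assumption, and the collect_with_boto3 helper assumes boto3 is installed and credentials with iam:ListUsers and iam:ListAccessKeys are available.

```python
"""Added example, not part of the Conformity page or Trend Micro code.

Evaluates rule IAM-004 (more than one active access key per IAM user) over
the AccessKeyMetadata that `aws iam list-access-keys` prints, or the dicts
boto3 returns, and renders the `aws iam update-access-key` remediation.
"""
from datetime import datetime

# Constructed sample data, shaped like `aws iam list-access-keys` output per user.
SAMPLE_LIST_ACCESS_KEYS = {
    # Two active keys: the page's non-compliant example.
    "cc-project5-admin": [
        {"UserName": "cc-project5-admin", "AccessKeyId": "ABCDABCDABCDABCDABCD",
         "Status": "Active", "CreateDate": "2021-01-16T08:13:13+00:00"},
        {"UserName": "cc-project5-admin", "AccessKeyId": "AAAABBBBCCCCDDDDAAAA",
         "Status": "Active", "CreateDate": "2021-03-10T08:13:34+00:00"},
    ],
    # One active key: compliant.
    "cc-s3-data-manager": [
        {"UserName": "cc-s3-data-manager", "AccessKeyId": "EEEEFFFFGGGGHHHHEEEE",
         "Status": "Active", "CreateDate": "2021-02-01T10:00:00+00:00"},
    ],
    # Two keys but the old one is already Inactive: compliant under IAM-004.
    "cc-ci-runner": [
        {"UserName": "cc-ci-runner", "AccessKeyId": "IIIIJJJJKKKKLLLLIIII",
         "Status": "Inactive", "CreateDate": "2020-11-05T09:30:00+00:00"},
        {"UserName": "cc-ci-runner", "AccessKeyId": "MMMMNNNNOOOOPPPPMMMM",
         "Status": "Active", "CreateDate": "2021-03-01T09:30:00+00:00"},
    ],
}


def _as_datetime(value):
    """The CLI prints ISO-8601 strings; boto3 returns tz-aware datetimes."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value)


def evaluate_user(user_name, access_key_metadata, keep_key_id=None):
    """Return a finding for one IAM user.

    The user is non-compliant when more than one key is Active. Unless the
    caller names the key the application was moved to (keep_key_id), the
    newest active key is assumed to be the post-rotation key and the older
    active key(s) are marked for deactivation, matching the page's CLI example.
    """
    active = sorted(
        (k for k in access_key_metadata if k["Status"] == "Active"),
        key=lambda k: _as_datetime(k["CreateDate"]),
    )
    finding = {
        "user": user_name,
        "active_key_ids": [k["AccessKeyId"] for k in active],
        "compliant": len(active) <= 1,
        "keep": None,
        "deactivate": [],
    }
    if finding["compliant"]:
        return finding
    active_ids = finding["active_key_ids"]
    if keep_key_id is None:
        keep_key_id = active_ids[-1]          # newest by CreateDate (assumption)
    elif keep_key_id not in active_ids:
        raise ValueError(f"{keep_key_id} is not an active key of {user_name}")
    finding["keep"] = keep_key_id
    finding["deactivate"] = [k for k in active_ids if k != keep_key_id]
    return finding


def audit(keys_by_user, keep_overrides=None):
    """Evaluate every user; keep_overrides maps user name -> key id to keep."""
    keep_overrides = keep_overrides or {}
    return {user: evaluate_user(user, keys, keep_overrides.get(user))
            for user, keys in keys_by_user.items()}


def deactivation_commands(findings):
    """Render remediation step 04 as `aws iam update-access-key` calls."""
    return [
        f"aws iam update-access-key --user-name {f['user']} "
        f"--access-key-id {key_id} --status Inactive"
        for f in findings.values()
        for key_id in f["deactivate"]
    ]


def collect_with_boto3():
    """Live collection for a real account (assumes boto3 and IAM read access);
    not exercised by the offline sample run."""
    import boto3  # assumed available only for the live path
    iam = boto3.client("iam")
    keys_by_user = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys_by_user[name] = [
                k for p in iam.get_paginator("list_access_keys").paginate(UserName=name)
                for k in p["AccessKeyMetadata"]
            ]
    return keys_by_user


if __name__ == "__main__":
    findings = audit(SAMPLE_LIST_ACCESS_KEYS)
    for f in findings.values():
        state = "OK  " if f["compliant"] else "FAIL"
        print(f"{state} {f['user']}: active={f['active_key_ids']} deactivate={f['deactivate']}")
    for cmd in deactivation_commands(findings):
        print(cmd)
```

Run as-is to see the sample findings; for a live account pass collect_with_boto3() into audit(), and supply keep_overrides for any user whose application was moved to the older key rather than the newer one. The script emits commands rather than calling UpdateAccessKey itself so that the change can be reviewed, and step 03 (switching applications to the kept key) completed, before anything is deactivated.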

Publication date May 18, 2016