Identify and deactivate any unnecessary IAM access keys in order to follow IAM security best practices. Amazon IAM allows an IAM user to have at most two access keys, but keeping both active at the same time is recommended only while rotating from the old key to the new one. Trend Micro Cloud One™ – Conformity strongly recommends deactivating the old key once the new one has been created and put into use, so that only one access key remains active for the IAM user.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Removing unnecessary Amazon IAM access keys lowers the risk of unauthorized access to your AWS cloud resources and other components, since every extra active key is another long-lived credential that can be leaked or misused, and it adheres to IAM security best practices.
Audit
To determine if your IAM users have unnecessary active access keys, perform the following operations:
Remediation / Resolution
To deactivate any unnecessary Amazon IAM access keys, perform the following operations:
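The audit and remediation steps above can be scripted with the same AWS CLI commands the References list (list-users, list-access-keys, update-access-key). The following is an added example, not Conformity's own tooling: it flags every user with more than one active access key, keeps the newest key (the one created during rotation) and deactivates the rest. It assumes the AWS CLI is installed and configured with credentials permitted to call iam:ListUsers, iam:ListAccessKeys and iam:UpdateAccessKey; the user names, key IDs and dates in the sample data are constructed. Deactivation is reversible, so if a deactivated key turns out to still be in use you can re-enable it rather than having to issue a new one.

```python
#!/usr/bin/env python3
"""Find IAM users with more than one active access key and deactivate all but the newest.

Added example (not Conformity's code). Assumes the AWS CLI is configured with
credentials allowed to call iam:ListUsers, iam:ListAccessKeys and iam:UpdateAccessKey.
"""
import json
import subprocess
from datetime import datetime

# Constructed sample data mirroring the JSON shape of `aws iam list-users` and
# `aws iam list-access-keys --user-name <name>` (user names and key IDs are made up).
SAMPLE_USERS = {"Users": [{"UserName": "deploy-bot"}, {"UserName": "alice"}, {"UserName": "svc-backup"}]}
SAMPLE_KEYS = {
    "deploy-bot": {"AccessKeyMetadata": [  # two active keys: a rotation that was never finished
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active", "CreateDate": "2023-01-15T10:00:00+00:00"},
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active", "CreateDate": "2024-03-01T09:30:00+00:00"},
    ]},
    "alice": {"AccessKeyMetadata": [  # one active, one already inactive: compliant
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active", "CreateDate": "2024-02-10T08:00:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive", "CreateDate": "2022-06-01T08:00:00+00:00"},
    ]},
    "svc-backup": {"AccessKeyMetadata": []},  # console-only user, no keys at all
}


def parse_date(value):
    # The CLI emits ISO 8601; older versions may use a trailing "Z" instead of "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def keys_to_deactivate(metadata):
    """Return the access keys that are unnecessary for one user.

    Rule: at most one active key per user outside of a rotation window. If two
    are active, keep the newest (created during rotation) and flag the older one.
    """
    active = [k for k in metadata if k["Status"] == "Active"]
    if len(active) < 2:
        return []
    active.sort(key=lambda k: parse_date(k["CreateDate"]), reverse=True)
    return active[1:]


def audit(list_users, list_access_keys):
    """Audit every user. The two callables are injected so the logic also runs offline."""
    findings = {}
    for user in list_users()["Users"]:
        name = user["UserName"]
        extra = keys_to_deactivate(list_access_keys(name)["AccessKeyMetadata"])
        if extra:
            findings[name] = [k["AccessKeyId"] for k in extra]
    return findings


def remediate(findings, update_access_key, dry_run=True):
    """Deactivate (not delete) flagged keys; returns the (user, key_id) actions taken or planned."""
    actions = []
    for user, key_ids in findings.items():
        for key_id in key_ids:
            actions.append((user, key_id))
            if not dry_run:
                update_access_key(user, key_id)
    return actions


def aws_iam(*args):
    """Run one `aws iam ...` command and parse its JSON (update-access-key prints nothing)."""
    result = subprocess.run(["aws", "iam", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout) if result.stdout.strip() else {}


if __name__ == "__main__":
    import sys
    apply_changes = "--apply" in sys.argv  # default is a dry run
    found = audit(
        lambda: aws_iam("list-users"),
        lambda u: aws_iam("list-access-keys", "--user-name", u),
    )
    for user, key_id in remediate(
        found,
        lambda u, k: aws_iam("update-access-key", "--user-name", u,
                             "--access-key-id", k, "--status", "Inactive"),
        dry_run=not apply_changes,
    ):
        print("deactivated" if apply_changes else "would deactivate", user, key_id)
```

Run it without arguments first to see which keys would be deactivated, then with `--apply` to make the change. Before applying, it is worth confirming that the older key is really the unused one (for example with `aws iam get-access-key-last-used --access-key-id <id>`), because a user who created a second key but never switched their workloads to it would otherwise lose access.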
References
- AWS Documentation
  - AWS Identity and Access Management FAQs
  - Best Practices for Managing AWS Access Keys
  - Managing Access Keys for IAM Users
- AWS Command Line Interface (CLI) Documentation
  - iam
    - list-users
    - list-access-keys
    - update-access-key
Rule: Unnecessary Access Keys
Risk Level: Medium