
Unnecessary SSH Public Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-025

Identify and deactivate any unnecessary IAM SSH public keys used to authenticate to AWS CodeCommit repositories. Amazon allows you to assign a maximum of two active SSH keys per IAM user; however, having two active keys is recommended only during the key rotation process. As a security best practice, Cloud Conformity strongly recommends deactivating the old public key once the new one is created, so that only one SSH key remains active for the selected IAM user.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4


This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Removing unnecessary IAM SSH public keys will lower the risk of unauthorized access to your AWS CodeCommit repositories and adhere to AWS IAM security best practices.


Audit

To determine if your AWS IAM users keep unnecessary SSH public keys, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 Under the SSH keys for AWS CodeCommit section, in the Status column, check the current status of each SSH key assigned to the selected IAM user. If the IAM user has more than one SSH key activated, the user's access configuration does not adhere to AWS IAM security best practices and the risk of accidental exposure remains high.

07 Repeat steps no. 4 – 6 for each IAM user that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-users command (OSX/Linux/UNIX) to list all IAM users available within your account:

aws iam list-users \
	--query 'Users[*].UserName'

02 The command output should return an array that contains all IAM user names:

[
    "David",
    "Mark",
    ...
    "Joel"
]

03 Run list-ssh-public-keys command (OSX/Linux/UNIX) using the IAM user name that you want to examine as command parameter to expose the metadata of each SSH public key assigned to the selected IAM user:

aws iam list-ssh-public-keys \
	--region us-east-1 \
	--user-name David

04 The command output should return the metadata of each available SSH key:

{
    "SSHPublicKeys": [
        {
            "UserName": "David",
            "Status": "Active",
            "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ",
            "UploadDate": "2014-08-20T09:04:41Z"
        },
        {
            "UserName": "David",
            "Status": "Active",
            "SSHPublicKeyId": "APKAJX7IAROZU5N2OA6Q",
            "UploadDate": "2016-01-17T07:21:07Z"
        }
    ]
}

Verify the Status property value for each SSH key returned to determine the key's current state. If the Status property value for both SSH keys is set to Active, the IAM user has more than one active SSH key, therefore its access configuration does not adhere to AWS IAM security best practices and the risk of accidental exposure remains high.

05 Repeat steps no. 3 and 4 for each IAM user that you want to examine, available within your AWS account.
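The CLI steps above check one IAM user at a time. The following script is an added example, not part of the Conformity page or the Conformity tool: it applies the same Status check to every user in an account. The flagging logic is a pure function over the JSON shape that list-ssh-public-keys returns, so it can be exercised offline against a constructed sample; the boto3 driver (audit_account) is an assumption about how you would feed it live data and only runs when boto3 and AWS credentials are present. David's entries reuse the key IDs shown on this page; the other users and their key IDs are constructed.

```python
"""Find IAM users holding more than one active SSH public key (Conformity rule IAM-025)."""
from typing import Dict, List

# Constructed sample in the shape of `aws iam list-ssh-public-keys --user-name <name>`,
# one list per user. David's records mirror the page's example; Mark and Joel are made up.
SAMPLE_ACCOUNT: Dict[str, List[dict]] = {
    "David": [
        {"UserName": "David", "Status": "Active",
         "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ", "UploadDate": "2014-08-20T09:04:41Z"},
        {"UserName": "David", "Status": "Active",
         "SSHPublicKeyId": "APKAJX7IAROZU5N2OA6Q", "UploadDate": "2016-01-17T07:21:07Z"},
    ],
    "Mark": [  # constructed: one rotated-out key already Inactive, so Mark is compliant
        {"UserName": "Mark", "Status": "Inactive",
         "SSHPublicKeyId": "APKACONSTRUCTED00001", "UploadDate": "2015-03-01T10:00:00Z"},
        {"UserName": "Mark", "Status": "Active",
         "SSHPublicKeyId": "APKACONSTRUCTED00002", "UploadDate": "2016-02-01T10:00:00Z"},
    ],
    "Joel": [],  # constructed: no SSH keys at all
}


def active_key_ids(keys: List[dict]) -> List[str]:
    """Return the IDs of keys whose Status is Active, oldest upload first."""
    active = [k for k in keys if k.get("Status") == "Active"]
    active.sort(key=lambda k: k.get("UploadDate", ""))
    return [k["SSHPublicKeyId"] for k in active]


def find_violations(account: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Map each user with more than one active SSH key to those key IDs.

    One active key is the steady state; two is tolerated only mid-rotation,
    so anything above one is reported for review.
    """
    violations: Dict[str, List[str]] = {}
    for user, keys in account.items():
        ids = active_key_ids(keys)
        if len(ids) > 1:
            violations[user] = ids
    return violations


def audit_account(region: str = "us-east-1") -> Dict[str, List[str]]:
    """Assumed live driver: collect every user's SSH keys via boto3, then flag.

    Uses the list_users and list_ssh_public_keys paginators so accounts with
    many users or keys are handled completely.
    """
    import boto3  # imported here so the pure logic above runs without it

    iam = boto3.client("iam", region_name=region)
    account: Dict[str, List[dict]] = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys: List[dict] = []
            for kpage in iam.get_paginator("list_ssh_public_keys").paginate(UserName=name):
                keys.extend(kpage["SSHPublicKeys"])
            account[name] = keys
    return find_violations(account)


if __name__ == "__main__":
    for user, ids in find_violations(SAMPLE_ACCOUNT).items():
        print(f"{user}: {len(ids)} active SSH keys -> {', '.join(ids)}")
```

Only David is reported: Mark has two keys but one is already Inactive, which is the end state this rule asks for after rotation. The oldest-first ordering of the returned IDs is deliberate, since the older key is usually the one to retire once the newer key has been tested.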

Remediation / Resolution

To deactivate any unnecessary IAM SSH public keys used for AWS CodeCommit repository access, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name that you want to examine.

05 On the IAM user configuration page, select Security Credentials tab.

06 In SSH keys for AWS CodeCommit section, choose the active SSH public key that will be used to access your AWS CodeCommit repositories, copy its SSH Key ID (e.g., APKAJX7IAROZU5N2OA6Q) then test the key by connecting to the necessary CodeCommit repositories. This test is performed to ensure that the chosen SSH key is currently working.

07 Now identify your non-operational SSH key (other than the chosen one) and deactivate it by clicking the Make Inactive link.

08 In the Change Key Status confirmation box, click Deactivate to turn off the selected key.

09 Repeat steps no. 4 – 8 for each IAM user with more than one SSH key, available in your AWS account.

Using AWS CLI

01 First, test the chosen IAM SSH key by connecting to your AWS CodeCommit repositories.

02 Run update-ssh-public-key command (OSX/Linux/UNIX) using the IAM user name and its non-operational SSH key ID as command parameters to deactivate the unnecessary key. See the Audit section part II (AWS CLI) to identify the unnecessary SSH key ID for the selected IAM user. The following example deactivates an SSH public key with the ID APKAJYZYI7KYMA6S25CQ assigned to an IAM user with the name David (the command does not return an output):

aws iam update-ssh-public-key \
	--region us-east-1 \
	--user-name David \
	--ssh-public-key-id APKAJYZYI7KYMA6S25CQ \
	--status Inactive

03 Run again list-ssh-public-keys command (OSX/Linux/UNIX) to make sure that the selected IAM SSH public key has been successfully deactivated:

aws iam list-ssh-public-keys \
	--region us-east-1 \
	--user-name David

04 The command output should return the metadata of each SSH key attached to the selected IAM user. If the selected key has been successfully decommissioned, its current status should be “Inactive”, as shown in the example below:

{
    "SSHPublicKeys": [
        {
            "UserName": "David",
            "Status": "Inactive",
            "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ",
            "UploadDate": "2014-08-20T09:04:41Z"
        },
        {
            "UserName": "David",
            "Status": "Active",
            "SSHPublicKeyId": "APKAJX7IAROZU5N2OA6Q",
            "UploadDate": "2016-01-17T07:21:07Z"
        }
    ]
}

05 Repeat steps no. 1 – 4 for each IAM user with more than one SSH public key, available in your AWS account.
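The remediation steps above pick one verified key and deactivate the rest, then re-list to confirm. This added example, which is not part of the Conformity page or tool, encodes that sequence with a safety property the manual steps rely on: the key you have just tested is never touched, and nothing is deactivated if the ID you pass is not among the user's keys. The planning and verification functions are pure and run offline against a constructed copy of the page's sample; deactivate_with_boto3 is an assumed live driver that calls update_ssh_public_key and defaults to dry-run.

```python
"""Deactivate every active SSH public key of an IAM user except the one verified to work."""
from typing import List

# Constructed sample mirroring the page's list-ssh-public-keys output for user David.
DAVID_KEYS: List[dict] = [
    {"UserName": "David", "Status": "Active",
     "SSHPublicKeyId": "APKAJYZYI7KYMA6S25CQ", "UploadDate": "2014-08-20T09:04:41Z"},
    {"UserName": "David", "Status": "Active",
     "SSHPublicKeyId": "APKAJX7IAROZU5N2OA6Q", "UploadDate": "2016-01-17T07:21:07Z"},
]


def keys_to_deactivate(keys: List[dict], keep_key_id: str) -> List[str]:
    """Return the IDs of active keys other than keep_key_id.

    Refuses to plan anything if keep_key_id is not one of the user's keys:
    a typo in the ID must not turn into deactivating every key the user has.
    """
    known = {k["SSHPublicKeyId"] for k in keys}
    if keep_key_id not in known:
        raise ValueError(f"{keep_key_id} is not an SSH key of this user; nothing planned")
    return [k["SSHPublicKeyId"] for k in keys
            if k["Status"] == "Active" and k["SSHPublicKeyId"] != keep_key_id]


def verify_single_active(keys: List[dict], keep_key_id: str) -> bool:
    """Post-change check: exactly one key is Active and it is the one we kept."""
    active = [k["SSHPublicKeyId"] for k in keys if k["Status"] == "Active"]
    return active == [keep_key_id]


def simulate(keys: List[dict], deactivate_ids: List[str]) -> List[dict]:
    """Offline stand-in for the IAM side effect: copy keys with the given IDs set Inactive."""
    return [dict(k, Status="Inactive") if k["SSHPublicKeyId"] in deactivate_ids else dict(k)
            for k in keys]


def deactivate_with_boto3(user_name: str, keep_key_id: str,
                          region: str = "us-east-1", dry_run: bool = True) -> bool:
    """Assumed live driver: list, plan, deactivate (unless dry_run), re-list and verify."""
    import boto3  # imported here so the pure logic above runs without it

    iam = boto3.client("iam", region_name=region)
    keys = iam.list_ssh_public_keys(UserName=user_name)["SSHPublicKeys"]
    plan = keys_to_deactivate(keys, keep_key_id)
    for key_id in plan:
        print(f"{'would deactivate' if dry_run else 'deactivating'} {key_id} for {user_name}")
        if not dry_run:
            iam.update_ssh_public_key(UserName=user_name, SSHPublicKeyId=key_id,
                                      Status="Inactive")
    # Re-list rather than trusting the update call, mirroring step 03 of the page.
    after = iam.list_ssh_public_keys(UserName=user_name)["SSHPublicKeys"]
    return verify_single_active(after, keep_key_id)


if __name__ == "__main__":
    keep = "APKAJX7IAROZU5N2OA6Q"  # the key tested against CodeCommit in step 01
    plan = keys_to_deactivate(DAVID_KEYS, keep)
    after = simulate(DAVID_KEYS, plan)
    print("plan:", plan, "| compliant after change:", verify_single_active(after, keep))
```

Run the live driver with dry_run=True first; it prints the plan and reports whether the user is already compliant without changing anything. Only pass dry_run=False once the kept key has been tested against the repositories, as the page's step 01 requires.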

Publication date Aug 24, 2016