Remediate AWS CIS v3.0 and v4.0 with Flowpipe's interactive wizard →
Flowpipe Hub 
Hub
standard
turbot/aws_cis
Overview
139
Pipelines
0
Triggers
5
VariablesGitHub

Pipeline: 1.13 Ensure there is only one active access key available for any single IAM user

Description

Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Access keys are long-term credentials for an IAM user or the AWS account 'root' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.

Remediation

From Console:

  1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
  2. In the left navigation panel, choose Users.
  3. Click on the IAM user name that you want to examine.
  4. On the IAM user configuration page, select Security Credentials tab.
  5. In Access Keys section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.
  6. In the same Access Keys section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the Make Inactive link.
  7. If you receive the Change Key Status confirmation box, click Deactivate to switch off the selected key.
  8. Repeat steps no. 3 – 7 for each IAM user in your AWS account.

From Command Line:

  1. Using the IAM user and access key information provided in the Audit CLI, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.
  2. Run the update-access-key command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user.

Note - the command does not return any output:

aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name>
  1. To confirm that the selected access key pair has been successfully deactivated run the list-access-keys audit command again for that IAM User:
aws iam list-access-keys --user-name <user-name>
  • The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) Status is set to Inactive, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.
  1. Repeat steps no. 1 – 3 for each IAM user in your AWS account.

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run aws_cis.pipeline.cis_v300_1_13

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
  pipeline = aws_cis.pipeline.cis_v300_1_13  
}

Params

NameTypeRequiredDescriptionDefault
database
connection.steampipe
YesDatabase connection string.connection.steampipe.default
notifier
notifier
YesThe name of the notifier to use for sending notification messages.notifier.default
notification_level
string
YesThe verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.info
approvers
list(notifier)
YesList of notifiers to be used for obtaining action/approval decisions.notifier.default

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/1 Identity and Access Management