Enforce Active Key Limit
This check ensures that IAM users have only one active access key at a time. Limiting the number of active keys reduces the attack surface and minimizes the risk of compromised or unused credentials.
Check Details
- Resource: Users
- Check: Enforce active key limit
- Risk: Multiple active access keys increase the risk of unauthorized access
Remediation via AWS Console
- Sign in to the AWS Management Console and open the IAM console.
- Click Users and select the IAM user.
- Open the Security credentials tab.
- In the Access keys section, identify the access key that is less than 90 days old. This key should be the only active key used by the IAM user.
- In the same Access keys section, locate any additional access keys. Click Actions next to those keys and select Make inactive.
- Repeat steps 2–5 for each IAM user in your AWS account.
Remediation via AWS CLI
- Log in to the AWS Management Console and click the CloudShell icon (>_) in the top-right corner.
- Identify the access key that is less than 90 days old. This key should remain active.
- Deactivate the old access key:
  aws iam update-access-key \
    --user-name <user-name> \
    --access-key-id <old-access-key-id> \
    --status Inactive
- Verify the access key status:
  aws iam list-access-keys --user-name <user-name>
- Repeat steps 2–4 for each IAM user in your AWS account.
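The CLI steps above are easy to get wrong when repeated across many users, so here is an added example (not part of the original article) that automates them in Python: it applies the same rule as the console steps, keeping the most recently created active key and marking every other active key for deactivation, and flags the case where the surviving key is itself older than 90 days. The list-access-keys response below is constructed sample data with placeholder key ids; the `remediate_user` function expects an object with the boto3 IAM client's `get_paginator("list_access_keys")` and `update_access_key` methods, which is an assumption about how you would wire it to a real account.

```python
# Added example (not from the original article): keep exactly one active
# access key per IAM user, deactivating the rest, with a dry-run by default.
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # the age threshold the remediation steps refer to

# Fixed "current time" used for the constructed sample below.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_create_date(value):
    """Accept either the datetime boto3 returns or the ISO-8601 string
    printed by `aws iam list-access-keys` (e.g. "2024-05-20T08:15:00+00:00")."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def plan_deactivation(access_keys, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return a plan for one user's AccessKeyMetadata list.

    Rule, mirroring the console steps: keep the newest active key and mark
    every other active key for deactivation. Already-inactive keys are left
    alone. The plan also reports whether the kept key is itself older than
    max_age_days, since the check expects the surviving key to be the
    recently rotated one; an overdue kept key needs rotation, not just cleanup.
    """
    now = now or datetime.now(timezone.utc)
    active = [k for k in access_keys if k.get("Status") == "Active"]
    if not active:
        return {"keep": None, "deactivate": [], "keep_age_days": None, "keep_overdue": False}
    active.sort(key=lambda k: parse_create_date(k["CreateDate"]), reverse=True)
    newest, *others = active
    age_days = (now - parse_create_date(newest["CreateDate"])).days
    return {
        "keep": newest["AccessKeyId"],
        "deactivate": [k["AccessKeyId"] for k in others],
        "keep_age_days": age_days,
        "keep_overdue": age_days >= max_age_days,
    }


def remediate_user(iam, user_name, now=None, apply=False):
    """List a user's keys, compute the plan and, only when apply=True, deactivate
    the surplus keys. `iam` is assumed to expose the boto3 IAM client methods
    get_paginator("list_access_keys") and update_access_key(); pass
    boto3.client("iam") for a real account."""
    keys = []
    for page in iam.get_paginator("list_access_keys").paginate(UserName=user_name):
        keys.extend(page["AccessKeyMetadata"])
    plan = plan_deactivation(keys, now=now)
    if apply:
        for key_id in plan["deactivate"]:
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return plan


# Constructed sample in the shape of a list-access-keys response; the key ids
# are placeholders, not real credentials.
SAMPLE_RESPONSE = {
    "AccessKeyMetadata": [
        {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
         "Status": "Active", "CreateDate": "2024-01-10T09:00:00+00:00"},
        {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLENEWKEY002",
         "Status": "Active", "CreateDate": "2024-05-20T08:15:00+00:00"},
        {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLEINACT003",
         "Status": "Inactive", "CreateDate": "2023-06-01T12:00:00+00:00"},
    ]
}

if __name__ == "__main__":
    # Dry run against the constructed sample. For a real account you would use:
    #   import boto3; remediate_user(boto3.client("iam"), "<user-name>", apply=True)
    print(plan_deactivation(SAMPLE_RESPONSE["AccessKeyMetadata"], now=SAMPLE_NOW))
```

Run it once with the default dry run and review the printed plan before passing `apply=True`; the `keep_overdue` flag tells you when a user has no key under 90 days old, which this step alone does not fix.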