Enforce Key Rotation
This check ensures that IAM user access keys are rotated regularly. Rotating access keys every 90 days helps reduce the risk of compromised credentials and limits long-term exposure.
Check Details
- Resource: Users
- Check: Enforce key rotation
- Risk: Long-lived access keys increase the risk of unauthorized access
Remediation via AWS Console
- Sign in to the AWS Management Console and open the IAM console.
- Click Users and select the IAM user.
- Open the Security credentials tab.
- Under Access keys, identify keys older than 90 days using the Created and Last used fields.
- Click Actions next to the access key and choose Make inactive.
  Note: Administrators should deactivate keys older than 90 days. IAM users should deactivate or delete keys that have not been rotated or used in 90 days.
- Click Create access key. Select Command Line Interface (CLI) as the use case and click Next.
- Click Create access key.
- Update all applications and scripts to use the new access key credentials.
Remediation via AWS CLI
- Log in to the AWS Management Console and click the CloudShell icon (>_) in the top-right corner.
- Create a new access key for the IAM user:
  aws iam create-access-key --user-name <iam_user>
- Update applications to use the new access key.
- Check if the old access key is still being used:
  aws iam get-access-key-last-used --access-key-id <old_access_key_id>
- Wait for some time and recheck usage:
  aws iam get-access-key-last-used --access-key-id <old_access_key_id>
  If LastUsedDate does not change between the two checks, the key is no longer in use.
- Delete the old access key once nothing depends on it:
  aws iam delete-access-key \
    --user-name <iam_user> \
    --access-key-id <old_access_key_id>
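The CLI steps above leave it to the operator to work out which keys are past 90 days and whether the old key still sees traffic. The following is an added example, not part of this article or of any AWS tool: it applies that logic to constructed `aws iam list-access-keys` and `aws iam get-access-key-last-used` output embedded inline, so it runs offline; the user name, key ids and dates are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)
NOW = datetime(2024, 6, 1, 12, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

# Constructed sample of `aws iam list-access-keys --user-name example-user`
# (placeholder key ids, not real credentials).
LIST_ACCESS_KEYS = """{"AccessKeyMetadata": [
  {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLEOLDUSED01",
   "Status": "Active", "CreateDate": "2024-01-05T10:00:00+00:00"},
  {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLEOLDIDLE02",
   "Status": "Active", "CreateDate": "2024-01-05T10:00:00+00:00"},
  {"UserName": "example-user", "AccessKeyId": "AKIAEXAMPLENEW000003",
   "Status": "Active", "CreateDate": "2024-05-20T10:00:00+00:00"}]}"""

# Constructed sample of `aws iam get-access-key-last-used --access-key-id ...` per key.
# A key that has never been used carries no LastUsedDate at all.
LAST_USED = {
    "AKIAEXAMPLEOLDUSED01": """{"UserName": "example-user", "AccessKeyLastUsed":
      {"LastUsedDate": "2024-02-01T12:00:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}}""",
    "AKIAEXAMPLEOLDIDLE02": """{"UserName": "example-user", "AccessKeyLastUsed":
      {"ServiceName": "N/A", "Region": "N/A"}}""",
    "AKIAEXAMPLENEW000003": """{"UserName": "example-user", "AccessKeyLastUsed":
      {"LastUsedDate": "2024-05-30T08:00:00+00:00", "ServiceName": "sts", "Region": "us-east-1"}}""",
}


def last_used_date(last_used_json):
    """LastUsedDate from a get-access-key-last-used response, or None if never used."""
    ts = json.loads(last_used_json)["AccessKeyLastUsed"].get("LastUsedDate")
    return datetime.fromisoformat(ts) if ts else None


def keys_to_rotate(list_json, last_used_by_id, now=NOW):
    """Map AccessKeyId -> (age_days, last_used) for active keys older than 90 days.
    last_used is None for a never-used key (safe to delete outright); a key still
    in use needs its consumers moved to a new key before it is removed."""
    findings = {}
    for key in json.loads(list_json)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue  # already made inactive; nothing to do
        age = now - datetime.fromisoformat(key["CreateDate"])
        if age > MAX_AGE:
            key_id = key["AccessKeyId"]
            findings[key_id] = (age.days, last_used_date(last_used_by_id[key_id]))
    return findings


def still_in_use(first_json, second_json):
    """Two get-access-key-last-used snapshots taken some time apart: a changed LastUsedDate means something still authenticates with the old key."""
    return last_used_date(first_json) != last_used_date(second_json)
```

Feeding the real CLI output into these functions (for example via `subprocess` or piped files) gives a list of keys to make inactive, and running `still_in_use` on two snapshots some time apart tells you when the delete step is safe.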