IAM - Enforce Key Rotation
This check ensures that IAM user access keys are rotated regularly. Rotating access keys every 90 days helps reduce the risk of compromised credentials and limits long-term exposure.
Check Details
- Resource: Users
- Check: Enforce key rotation
- Risk: Long-lived access keys increase the risk of unauthorized access
Remediation via AWS Console
- Sign in to the AWS Management Console and open the IAM console.
- Click Users and select the IAM user.
- Open the Security credentials tab.
- Under Access keys, identify keys older than 90 days using the Created and Last used fields.
- Click Actions next to the access key and choose Make inactive.
  Note: Administrators should deactivate keys older than 90 days. IAM users should deactivate or delete keys that have not been rotated or used in 90 days.
- Click Create access key. Select Command Line Interface (CLI) as the use case and click Next.
- Click Create access key.
- Update all applications and scripts to use the new access key credentials.
Remediation via AWS CLI
- Log in to the AWS Management Console and click the CloudShell icon (>_) in the top-right corner.
- Create a new access key for the IAM user:
  ```sh
  aws iam create-access-key --user-name <iam_user>
  ```
- Update applications to use the new access key.
- Check if the old access key is still being used:
  ```sh
  aws iam get-access-key-last-used --access-key-id <old_access_key_id>
  ```
- Wait for some time and recheck usage:
  ```sh
  aws iam get-access-key-last-used --access-key-id <old_access_key_id>
  ```
  If LastUsedDate does not change, the key is no longer in use.
- Disable or delete the old access key:
  ```sh
  aws iam delete-access-key \
    --user-name <iam_user> \
    --access-key-id <iam_access_key_id>
  ```
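The two decisions this check rests on, "which Active keys are older than 90 days" and "did LastUsedDate move between two checks", as an added Python example that is not part of the original article. It runs offline over constructed documents in the JSON shapes printed by `aws iam list-access-keys` and `aws iam get-access-key-last-used`; the user name, key IDs and dates are made up for the example.

```python
"""Offline helpers for the IAM key-rotation check (added example)."""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90
NOW = datetime(2026, 3, 6, tzinfo=timezone.utc)  # evaluation time for the sample

# Constructed sample in the shape of `aws iam list-access-keys --user-name deploy-bot`.
LIST_KEYS = {"AccessKeyMetadata": [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000OLD",
     "Status": "Active", "CreateDate": "2025-11-01T10:00:00+00:00"},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000NEW",
     "Status": "Active", "CreateDate": "2026-03-01T09:30:00+00:00"},
]}

# Constructed samples in the shape of `aws iam get-access-key-last-used`, taken
# for the old key some time apart (the check / wait / recheck steps above).
LAST_USED_FIRST = {"UserName": "deploy-bot", "AccessKeyLastUsed": {
    "LastUsedDate": "2026-02-27T08:15:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}}
LAST_USED_SECOND = {"UserName": "deploy-bot", "AccessKeyLastUsed": {
    "LastUsedDate": "2026-02-27T08:15:00+00:00", "ServiceName": "s3", "Region": "us-east-1"}}


def _parse(ts):
    """Parse the ISO-8601 timestamps the CLI prints into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_active_keys(listing, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return IDs of Active keys created more than max_age_days ago (the finding)."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in listing["AccessKeyMetadata"]
            if k["Status"] == "Active" and _parse(k["CreateDate"]) < cutoff]


def key_still_in_use(first, second):
    """True if LastUsedDate advanced between two get-access-key-last-used samples.

    A never-used key carries no LastUsedDate at all (ServiceName is "N/A"), so a
    missing value in the second sample means "not in use".
    """
    before = first["AccessKeyLastUsed"].get("LastUsedDate")
    after = second["AccessKeyLastUsed"].get("LastUsedDate")
    if after is None:
        return False
    return before is None or _parse(after) > _parse(before)


if __name__ == "__main__":
    print("keys older than 90 days:", stale_active_keys(LIST_KEYS))
    print("old key still in use:", key_still_in_use(LAST_USED_FIRST, LAST_USED_SECOND))
```

Only a key whose LastUsedDate is unchanged after the wait (`key_still_in_use` returns False) is safe to deactivate or delete in the final step.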
Updated on 06 March, 2026