AWS IAM Users should not have unused Access Keys.
AWS IAM Users are intended for use by natural persons, but they can also issue long-term credentials in the form of IAM User Access Keys. Access Keys let code and applications act under a user’s identity without going through the full username/password authentication flow for each interaction.
In essence, these Access Keys function like a permanent username and password for machines that interact with AWS services. Each Access Key consists of two primary components: the Access Key ID, which uniquely identifies the Access Key, and the Access Key Secret, which acts as a password to authenticate the key with AWS APIs. If the Access Key ID and the corresponding Access Key Secret are compromised, the result is unauthorised access, as these two values are sufficient both to identify the IAM User and to exercise the full set of permissions granted to that IAM User.
To enhance security, it’s advisable to limit each IAM User to one active Access Key at a time. This simplifies management and ensures a clear relationship between IAM Users and their Access Keys. Ideally, creating and rotating Access Keys should be automated, so that the rotation process itself enforces the presence of only one active Access Key per user. Additionally, it is crucial to monitor the usage of Access Keys: any key that has been unused for an extended period should be deactivated, and its inactivity treated as a signal that the IAM User itself may no longer be active.
Keeping unnecessary Access Keys poses a security risk, as they may not be actively protected, making them potential targets for malicious parties. The recommended practice is to revoke any unused Access Keys, as they are not in active use and can expose the account to unnecessary risks.
Establishing an organisational policy regarding Access Key management is essential. Specifically, it’s important to determine the period after which an unused Access Key should be automatically deactivated. Users should be informed of this policy so they understand that their Access Keys will be deactivated after a certain duration and that this action is not personally targeted.
The policy should include a robust set of tools and processes to aid users in issuing new Access Keys when they require access to their accounts again. A general guideline is to consider Access Keys inactive if they have not been used for 90 days or more. This timeframe typically indicates a user who may be on a sabbatical or simply not needing regular access. However, this guideline should be tailored to align with your organisation’s overall policies and the risk appetite of the business.
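The two checks described above (active keys idle for 90 days or more, and more than one active key per user) as an added Python example; this is not SkySiege’s tooling or AWS code. The sample records are constructed in the shape boto3 returns, and `collect_keys_from_aws` is an assumed helper that gathers the same shape from a real account.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 90  # guideline from the text; tune to your organisation's policy

# Constructed sample data mirroring iam.list_access_keys() metadata plus the
# LastUsedDate from iam.get_access_key_last_used(). Not from a real account.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": NOW - timedelta(days=150)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120), "LastUsedDate": None},  # never used
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000004", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": None},   # new, not used yet
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE000005", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=300), "LastUsedDate": NOW - timedelta(days=200)},
]

def days_idle(key, now):
    """Days since last use; a never-used key is measured from its creation date."""
    last = key.get("LastUsedDate") or key["CreateDate"]
    return (now - last).days

def find_stale_keys(keys, now, threshold_days=STALE_AFTER_DAYS):
    """Active keys idle for at least threshold_days (freshly issued keys are spared)."""
    return [k for k in keys
            if k["Status"] == "Active" and days_idle(k, now) >= threshold_days]

def users_with_multiple_active_keys(keys):
    """Users that breach the one-active-key guideline."""
    counts = {}
    for k in keys:
        if k["Status"] == "Active":
            counts[k["UserName"]] = counts.get(k["UserName"], 0) + 1
    return sorted(u for u, n in counts.items() if n > 1)

def collect_keys_from_aws():
    """Assumed helper: build the same records from a real account. Needs boto3 and
    iam:ListUsers, iam:ListAccessKeys and iam:GetAccessKeyLastUsed permissions."""
    import boto3
    iam, records = boto3.client("iam"), []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for key in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
                used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
                key["LastUsedDate"] = used["AccessKeyLastUsed"].get("LastUsedDate")
                records.append(key)
    return records

if __name__ == "__main__":
    for k in find_stale_keys(SAMPLE_KEYS, NOW):
        print(f"stale: {k['UserName']} {k['AccessKeyId']} idle {days_idle(k, NOW)} days")
    # To deactivate: iam.update_access_key(UserName=..., AccessKeyId=..., Status="Inactive")
```

Deactivation is deliberately left as a comment so the report step can be reviewed before keys are switched to Inactive.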
As part of our SkySiege Cloud Assessment we automatically detect all unused Access Keys across your IAM Users and summarise a full list in our automated reports. Our Organisations clients get a full suite of tools that assist with Access Key rotation alongside this process, ensuring that all technical staff are able to automatically rotate their Access Keys without interaction.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.