AWS IAM Users should not have long-term inactive Access Keys
AWS IAM users are intended for use by individuals, allowing them to issue Access Keys that can be used by programmatic tools such as the AWS CLI and software development kits. These Access Keys serve as an alternative to a username and password, providing a way for technical systems to assume a user’s identity without requiring a full authentication flow. As such, Access Keys can provide full access to an account based on the user’s specific set of permissions.
An Access Key is in one of two states: active or inactive. Active Access Keys can call AWS APIs, while inactive keys still exist but cannot perform any action: the API recognises an inactive key but will not process its requests.
Having inactive Access Keys for an extended period poses a security risk. While these keys are not currently functional, they can be reactivated at any time, restoring their full permissions. This creates a false sense of security, as they are just a configuration change away from being fully operational again.
The deactivation of an Access Key typically indicates a transitional process, often part of replacing or testing keys. Neither scenario requires keeping an Access Key in a long-term inactive state; any deactivated key should therefore be expected either to be reactivated shortly or to be permanently deleted.
Since inactive keys are not functional, deleting them is usually not a significant organisational threat. Access Keys that have been inactive for a long period may be worth investigating first. As a general rule, however, since deactivated keys are not in use, they can be safely decommissioned by deleting them rather than leaving them in a deactivated state.
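The following script is an added example, not part of this page or of SkySiege's tooling. It lists every Inactive Access Key in an account using the standard `iam:ListUsers`, `iam:ListAccessKeys` and `iam:GetAccessKeyLastUsed` calls, then flags each one as a rotation in progress or as a candidate for deletion; the 90-day threshold, the user names and the key IDs are constructed assumptions, and because IAM does not record when a key was deactivated, idle time is measured from last use (or creation, for keys never used).

```python
from datetime import datetime, timezone

# Records are shaped like the IAM API responses: ListAccessKeys gives UserName,
# AccessKeyId, Status and CreateDate; GetAccessKeyLastUsed gives LastUsedDate
# (absent when the key has never been used).

def collect_keys(iam):
    """Gather every access key in the account from a boto3 IAM client."""
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for kp in iam.get_paginator("list_access_keys").paginate(UserName=user["UserName"]):
                for meta in kp["AccessKeyMetadata"]:
                    last = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])
                    keys.append({**meta, "LastUsedDate": last["AccessKeyLastUsed"].get("LastUsedDate")})
    return keys

def classify_inactive_keys(keys, now, max_inactive_days=90):
    """Report each Inactive key as (user, key id, idle days, suggested action).
    IAM does not record a deactivation time, so idle time is measured from the
    last use, or from creation for keys that were never used."""
    findings = []
    for k in keys:
        if k["Status"] != "Inactive":
            continue
        anchor = k.get("LastUsedDate") or k["CreateDate"]
        idle_days = (now - anchor).days
        # A recently deactivated key is probably a rotation in progress; an older one should go.
        action = "delete" if idle_days >= max_inactive_days else "confirm rotation"
        findings.append((k["UserName"], k["AccessKeyId"], idle_days, action))
    return findings

# Constructed sample data (hypothetical users and key IDs) so the report runs offline.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEKEY00001", "Status": "Active",
     "CreateDate": datetime(2024, 1, 1, tzinfo=UTC), "LastUsedDate": datetime(2024, 5, 30, tzinfo=UTC)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEKEY00002", "Status": "Inactive",
     "CreateDate": datetime(2023, 1, 1, tzinfo=UTC), "LastUsedDate": datetime(2024, 5, 20, tzinfo=UTC)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLEKEY00003", "Status": "Inactive",
     "CreateDate": datetime(2023, 3, 1, tzinfo=UTC), "LastUsedDate": datetime(2023, 11, 15, tzinfo=UTC)},
    {"UserName": "svc-build", "AccessKeyId": "AKIAEXAMPLEKEY00004", "Status": "Inactive",
     "CreateDate": datetime(2023, 6, 1, tzinfo=UTC)},  # never used: no LastUsedDate
]

if __name__ == "__main__":
    # Replace SAMPLE_KEYS with collect_keys(boto3.client("iam")) to run against a real account;
    # decommissioning is the explicit iam.delete_access_key(UserName=..., AccessKeyId=...) call.
    for user, key_id, idle, action in classify_inactive_keys(SAMPLE_KEYS, NOW):
        print(f"{user:<10} {key_id} inactive, idle {idle:>4} days -> {action}")
```

The active key is skipped entirely; only the three Inactive keys appear in the report, with the never-used key measured from its creation date.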
SkySiege Cloud Assessment will automatically find all inactive Access Keys in your AWS Accounts and, for Organisations, provides automated clean-up to remove these keys as part of our long-term support. Book a Cloud Assessment now to determine how many inactive keys you have across your organisation.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.