AWS IAM Users should have a single Access Key and not multiple Access Keys.
AWS IAM users should ideally map one-to-one to unique individuals. The primary purpose of IAM Users is to serve as identity entities for individuals accessing the AWS Management Console, SDKs and CLI. When IAM Users have multiple Access Keys, it simply adds more access points linked to the same person. This can create additional cognitive and monitoring burdens, as it requires you to track multiple keys associated with a single user.
Maintaining and tracking multiple Access Keys can be cumbersome, unlike managing a single Access Key. In our experience, we have not identified any long-term valid reasons for having multiple Access Keys, so we generally advise to track multiple Access Key usage and investigate where necessary.
Identify IAM Users with multiple Access Keys and investigate the rationale behind their usage of multiple keys. The two most common scenarios for multiple Access Keys attached to a single IAM User are a secondary forgotten Access Key which can and should be deleted and an Access Key intended for use by a service or system.
Should the latter be the case then it may be best to - at a minimum - create an IAM User specifically for that system to utilise. However it would be best to utilise a setup where the system can assume an AWS IAM Role to separate the system from users.
Access Keys are sensitive and are wholly sufficient to gain access to an account with the associated permissions of the corresponding IAM User. Therefore, it is crucial to keep the number of Access Keys to a minimum. SkySiege Cloud Assessments detect IAM Users with multiple Access Keys and enable you to immediately investigate and remediate any additional security exposures:
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports..
Available for individual projects or organisations.
