AWS IAM Users have a per-user limit on Access Keys; hitting this limit interferes with the ability to cycle Access Keys and contributes to the overall account Access Key limit
AWS IAM Users are designed for use by natural persons, providing them with console access via a username and password, and Access Keys for use with the AWS CLI (Command Line Interface) and SDKs (Software Development Kits). An Access Key consists of an Access Key ID (for long-term user keys, a value beginning with `AKIA`) and a Secret Access Key. Together these two values are sufficient to authenticate to the AWS APIs as that user; no password, MFA prompt or console session is involved.
Because the Key ID and Secret are all that is required to call AWS APIs as the user, it is critical that the fewest possible Access Keys exist and that each one is securely managed. If both halves of a key are compromised, the IAM User is compromised, and potentially the AWS Account, depending on the permissions attached to that user. Ideally an IAM User has exactly one active Access Key, which keeps usage simple to track and monitor. A second key on the same user doubles the credential material that can leak, creates a second usage trail to watch, and adds unnecessarily to the total number of Access Keys in operation across the account.
Additionally, IAM enforces a limit on the number of Access Keys per user, and AWS accounts also have an overall Access Key limit. The per-user quota counts both active and inactive keys, so a key that has merely been deactivated still occupies a slot. Once a user is at the limit, no new key can be created for that user, which breaks the standard rotation pattern of creating the replacement key, switching the workload to it, and only then deactivating and deleting the old key; the only alternative is to delete a key first, which forces an outage window. Keeping one free slot per user, and headroom in the account-wide total, is therefore a prerequisite for routine, low-risk rotation and for effective monitoring of Access Key usage.
To address this issue, begin by identifying IAM Users with two Access Keys and consolidating them to a single key, deleting (not merely deactivating) the key that is inactive, never used, or least recently used. Then track the number of keys held per user and in total so you notice when the account is approaching its quota. Consolidating ahead of time avoids ever being blocked by the limit at the moment a rotation is needed.
The quota of two Access Keys per IAM User is fixed and cannot be raised through a service quota increase, so managing the keys that exist is the only option.
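The audit step above can be run against the IAM credential report rather than by clicking through each user. The script below is an added example, not SkySiege's own tooling or an AWS-provided script: it parses the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d` produces, counts the keys each user holds (inactive keys included, since they still occupy a slot), flags every user sitting at the fixed quota of two, and recommends which slot to delete first. The embedded report is a constructed sample with the AWS documentation placeholder account ID, trimmed to the columns the script reads; the column names match the real report, so the functions work unchanged on a full one.

```python
"""Find IAM users at the two-key per-user quota from an IAM credential report.

Input is the CSV from:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

PER_USER_KEY_QUOTA = 2  # IAM quota for access keys per user; cannot be raised

# Constructed sample report (not data from a real account). Real reports carry
# more columns (password_last_used, cert_*, ...); only these are read here.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,true,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-05-01T09:00:00+00:00,true,true,true,2024-01-10T08:00:00+00:00,2024-06-01T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-05-01T09:00:00+00:00,false,false,true,2023-03-05T10:00:00+00:00,2024-05-30T07:00:00+00:00,true,2024-04-20T11:00:00+00:00,2024-06-02T15:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2021-05-01T09:00:00+00:00,false,false,false,2022-11-01T10:00:00+00:00,no_information,true,2024-02-14T11:00:00+00:00,2024-06-01T09:00:00+00:00
"""


@dataclass
class KeySlot:
    slot: int                     # 1 or 2: which access_key_N column group
    active: bool
    created: datetime             # access_key_N_last_rotated
    last_used: Optional[datetime] # None when the report says no_information


@dataclass
class Finding:
    user: str
    key_count: int
    rotation_blocked: bool        # no free slot: create-before-delete rotation fails
    remove_slot: int              # slot to delete so that a free slot exists again
    reason: str


def _parse_ts(value: str) -> Optional[datetime]:
    # The report uses these sentinels instead of an empty field.
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def parse_report(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def key_slots(row: dict) -> list:
    """Keys present on this user. A slot whose last_rotated is N/A holds no key;
    an inactive key still appears here because it still counts against the quota."""
    slots = []
    for n in (1, 2):
        created = _parse_ts(row[f"access_key_{n}_last_rotated"])
        if created is None:
            continue
        slots.append(KeySlot(
            slot=n,
            active=row[f"access_key_{n}_active"] == "true",
            created=created,
            last_used=_parse_ts(row[f"access_key_{n}_last_used_date"]),
        ))
    return slots


def audit(rows: list) -> list:
    """One Finding per user holding PER_USER_KEY_QUOTA keys."""
    findings = []
    for row in rows:
        slots = key_slots(row)
        if len(slots) < PER_USER_KEY_QUOTA:
            continue
        inactive = [s for s in slots if not s.active]
        if inactive:
            # Deactivated keys are dead weight: they block rotation without serving traffic.
            victim = inactive[0]
            reason = f"slot {victim.slot} is inactive but still counts against the quota"
        else:
            # Both active: drop the one least recently used, never-used keys first.
            victim = min(slots, key=lambda s: (s.last_used is not None, s.last_used or s.created))
            used = victim.last_used.date().isoformat() if victim.last_used else "never"
            reason = f"slot {victim.slot} is least recently used (last used {used})"
        findings.append(Finding(row["user"], len(slots), True, victim.slot, reason))
    return findings


def total_keys(rows: list) -> int:
    """Access keys present across the whole report, active or not."""
    return sum(len(key_slots(r)) for r in rows)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(f"{total_keys(rows)} access keys across {len(rows)} principals")
    for f in audit(rows):
        print(f"{f.user}: {f.key_count}/{PER_USER_KEY_QUOTA} keys, rotation blocked; "
              f"delete slot {f.remove_slot}: {f.reason}")
```

On the sample, alice is fine with one key, bob holds two active keys and should lose the older, less recently used slot 1, and carol is blocked by an inactive, never-used key in slot 1. The credential report maps slots to keys by position only, so take the actual key ID from `aws iam list-access-keys --user-name <user>` before running `aws iam update-access-key --status Inactive` and, after confirming nothing breaks, `aws iam delete-access-key`; deletion, not deactivation, is what frees the slot.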
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.