A-IAM-15

AWS Account Approaching Access Key Limit

Risk:
Low

AWS Accounts have a limit on the number of Access Keys they can issue. This should be monitored and managed to prevent reaching the limit, which can block regular key rotation processes.


Details

AWS IAM Users serve as proxy identities for individuals. To facilitate this, AWS allows the issuance of Access Keys, which are long-term credentials (an access key ID paired with a secret access key) tied to a specific IAM User. These keys can be used via the AWS CLI or SDK to access AWS services using the IAM User’s identity.

Access Keys are best managed with a one-to-one ratio of Access Keys to users. However, it’s easy for the number of Access Keys to exceed this ratio when multiple IAM Users are issued multiple Access Keys. This situation can lead to reaching the limit on the number of Access Keys available in an AWS account.

To prevent issues, it’s important to monitor Access Key issuance. Not only will this help identify accounts that are issuing too many keys, but it will also help avoid reaching the key limit. Hitting this limit can hinder operations, such as onboarding new team members or, more alarmingly, rotating existing Access Keys.

For example, if an active Access Key is compromised, you may need to issue a new Access Key to transition legitimate systems before decommissioning the old key. If you’re at the limit, you may have no choice but to immediately delete the compromised key to free up space for a new one. This can result in system downtime and complicate the process of reissuing keys to users and services to restore functionality.

As a general practice, systems should utilise IAM roles instead of IAM User Access Keys. However, this may not be feasible for on-premises services or smaller services outside of the AWS ecosystem.

Remediation

Regularly monitor the number of AWS Access Keys in your account. Aim to maintain a one-to-one relationship between Access Keys and IAM Users to facilitate better monitoring, maintenance and management over time.

As you approach the Access Key limit, consider requesting an increase in the number of allowed Access Keys for your account, should this be justified. This should only be done after you’ve determined and ensured a one-to-one ratio of users to Access Keys and you’re still approaching the Access Key limit.
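The monitoring described above can be scripted. The following is an added example written for this page, not SkySiege’s own detection code: it inventories Access Keys per IAM User, flags users holding more than one key (the one-to-one ratio), and reports how close the total is to a key limit that you supply. The limit value and the warning threshold are assumptions you set; the sample inventory is constructed inline so the analysis runs offline, and the optional live collector at the bottom needs boto3 and IAM read permissions.

```python
"""Inventory IAM Access Keys, flag users with more than one key,
and report how close the account is to a configured key limit."""
from dataclasses import dataclass


@dataclass
class KeySummary:
    total_keys: int                       # every key, Active or Inactive
    users_with_multiple_keys: dict        # user name -> key count (>1)
    remaining_before_limit: int           # key_limit - total_keys (never below 0)
    approaching_limit: bool               # total_keys / key_limit >= warn_ratio


def summarise_access_keys(keys_by_user, key_limit, warn_ratio=0.8):
    """keys_by_user maps IAM user name -> list of AccessKeyMetadata dicts,
    the same shape boto3's list_access_keys returns. key_limit is the
    account-level limit you want to track (an assumption supplied by the
    caller; the page gives no number). Inactive keys still occupy a slot,
    so they are counted as well."""
    if key_limit <= 0:
        raise ValueError("key_limit must be a positive integer")
    total = sum(len(keys) for keys in keys_by_user.values())
    multiples = {user: len(keys) for user, keys in keys_by_user.items()
                 if len(keys) > 1}
    return KeySummary(
        total_keys=total,
        users_with_multiple_keys=multiples,
        remaining_before_limit=max(key_limit - total, 0),
        approaching_limit=(total / key_limit) >= warn_ratio,
    )


def report_lines(summary, key_limit):
    """Human-readable lines for a ticket or a scheduled job's log."""
    lines = [f"Access keys in use: {summary.total_keys}/{key_limit} "
             f"({summary.remaining_before_limit} remaining)"]
    for user, count in sorted(summary.users_with_multiple_keys.items()):
        lines.append(f"  user {user} holds {count} keys (expected at most 1)")
    if summary.approaching_limit:
        lines.append("  WARNING: approaching the access key limit; "
                     "reduce to one key per user before requesting a quota increase")
    return lines


def fetch_keys_by_user():
    """Live collector (requires boto3 and iam:ListUsers / iam:ListAccessKeys).
    Imported lazily so the analysis above runs without boto3 installed."""
    import boto3
    iam = boto3.client("iam")
    result = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            keys = []
            for kp in iam.get_paginator("list_access_keys").paginate(UserName=name):
                keys.extend(kp["AccessKeyMetadata"])
            result[name] = keys
    return result


# Constructed sample inventory (not real keys): alice follows the one-to-one
# rule, bob and ci-deploy each hold two keys, svc-legacy has none.
SAMPLE_KEYS_BY_USER = {
    "alice": [{"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active"}],
    "bob": [{"AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Active"},
            {"AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Inactive"}],
    "ci-deploy": [{"AccessKeyId": "AKIAEXAMPLE0000004", "Status": "Active"},
                  {"AccessKeyId": "AKIAEXAMPLE0000005", "Status": "Active"}],
    "svc-legacy": [],
}

if __name__ == "__main__":
    ASSUMED_KEY_LIMIT = 6   # placeholder; use the limit shown for your account
    summary = summarise_access_keys(SAMPLE_KEYS_BY_USER, ASSUMED_KEY_LIMIT)
    print("\n".join(report_lines(summary, ASSUMED_KEY_LIMIT)))
```

Run it on a schedule (or against `fetch_keys_by_user()` instead of the sample) and treat any user in `users_with_multiple_keys` as the first thing to clean up; only once that dictionary is empty and `approaching_limit` is still true does a quota increase request make sense, which is the order the remediation above prescribes.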

SkySiege for Organisations has a novel detection and remediation process built in where it will automatically increase the quota for your Access Keys in accounts that are reaching the limit. This completely frees your organisation from worrying about this and allows your user management to proceed uninterrupted.

SkySiege Cloud Assessments will automatically detect AWS Accounts approaching this limit and will flag those accounts in the report generated and delivered the same day.

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.
