
Rotate your AWS IAM user access keys regularly


Cloud security has become a top priority for users owing to the rising number of attacks, and users want assurance that their cloud resources are deployed securely. An AWS IAM user access key rotation policy helps keep programmatic access to your AWS account secure.

What is an access key?

AWS access keys are long-term credentials used by an Identity and Access Management (IAM) user or by the AWS account root user. They are used to sign programmatic requests made through the AWS CLI, the AWS SDKs, or directly against the AWS API. An access key consists of two parts: an access key ID and a secret access key. Much like a username and password, the access key ID and the secret access key are presented together to authenticate a programmatic request to AWS.

Why is IAM user access key rotation necessary for cloud security?

Anyone who holds the root user’s access key has unrestricted access to every resource in the account, including billing information. The permissions of the AWS account root user cannot be restricted, and so neither can the actions of anyone holding that key.

It is recommended not to use the root user account for day-to-day work and not to create an access key for it at all. If using the root account with an access key is unavoidable, rotate that key regularly to keep your AWS resources properly secured.

How can Centilytics assist you?

Centilytics provides a dedicated insight on access key rotation that shows the number of days since each access key was last rotated, so users can see at a glance which AWS IAM user access keys have not been rotated recently.

Insight Description:

There are three possible severity levels:

Severity   Description
OK         The access key is active and was rotated within the last 90 days.
WARNING    The access key is active and was last rotated more than 90 days but less than 2 years ago.
CRITICAL   The access key has not been rotated for more than 2 years.
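As an added illustration (not part of Centilytics’ product or of this page), the following Python applies exactly the 90-day and 2-year thresholds from the table above to a list of access key records and builds rows with the same columns the insight shows. All sample records, the fixed evaluation time, the account name and the key IDs are constructed for the example. The optional `load_from_aws` helper is an assumption: it requires boto3 and configured credentials and reads each key’s creation date via IAM ListUsers/ListAccessKeys; because an access key cannot be modified after creation, its creation date is its last rotation date.

```python
"""Classify IAM access keys by age using OK / WARNING / CRITICAL thresholds."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WARNING_AFTER_DAYS = 90        # older than this: WARNING (from the table)
CRITICAL_AFTER_DAYS = 2 * 365  # "2 years" on the page; 365-day years are an assumption


@dataclass(frozen=True)
class AccessKeyRecord:
    account_id: str
    account_name: str
    iam_user: str
    access_key_id: str
    status: str            # "Active" or "Inactive", as IAM reports it
    create_date: datetime  # timezone-aware; IAM reports creation time in UTC


def days_since_rotation(key: AccessKeyRecord, now: datetime) -> int:
    """Creation date doubles as last-rotation date: keys are immutable once created."""
    return (now - key.create_date).days


def classify(key: AccessKeyRecord, now: datetime) -> str:
    """Map key age onto the insight's three severities (boundaries are inclusive of 'OK')."""
    days = days_since_rotation(key, now)
    if days > CRITICAL_AFTER_DAYS:
        return "CRITICAL"
    if days > WARNING_AFTER_DAYS:
        return "WARNING"
    return "OK"


def build_report(keys, now, severity=None):
    """Rows in the insight's column order; optional severity filter like the UI's."""
    rows = []
    for key in keys:
        sev = classify(key, now)
        if severity is not None and sev != severity:
            continue
        rows.append({
            "Account Id": key.account_id,
            "Account Name": key.account_name,
            "IAM User": key.iam_user,
            "Access Key": key.access_key_id,
            "Key last rotated": key.create_date.isoformat(),
            "Days count": days_since_rotation(key, now),
            "Status": key.status,
            "Severity": sev,
        })
    return rows


def load_from_aws(account_name="unknown"):
    """Optional live loader (assumption: boto3 installed, credentials configured).
    Not called by default so the module runs offline."""
    import boto3  # imported here so the rest of the file has no boto3 dependency
    iam = boto3.client("iam")
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    records = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            metas = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
            for meta in metas:
                records.append(AccessKeyRecord(account_id, account_name, meta["UserName"],
                                               meta["AccessKeyId"], meta["Status"],
                                               meta["CreateDate"]))
    return records


# Constructed sample data: a fixed "now" and three keys of different ages.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    AccessKeyRecord("123456789012", "prod-example", "deploy-bot",
                    "AKIAEXAMPLE000000001", "Active", NOW - timedelta(days=30)),
    AccessKeyRecord("123456789012", "prod-example", "alice",
                    "AKIAEXAMPLE000000002", "Active", NOW - timedelta(days=200)),
    AccessKeyRecord("123456789012", "prod-example", "legacy-ci",
                    "AKIAEXAMPLE000000003", "Inactive", NOW - timedelta(days=800)),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_KEYS, NOW):
        print(f'{row["Severity"]:8} {row["IAM User"]:12} {row["Access Key"]} '
              f'{row["Days count"]:>4} days ({row["Status"]})')
```

The sample includes an inactive key that is still reported, because a deactivated but undeleted key can be re-enabled; the table’s OK and WARNING wording refers to active keys, so the Status column is carried alongside the severity rather than used to hide the row.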


The remaining columns are described below:

  1. Account Id: This column shows the account ID of the user’s account.
  2. Account Name: This column shows the account name corresponding to the user’s account.
  3. IAM User: This column shows the IAM user name corresponding to the user’s account.
  4. Access Key: This column shows the access key name of the user’s account.
  5. Key last rotated: This column shows the date and time of the creation of the access key.
  6. Days count: This column shows the number of days since the corresponding access key was rotated.

Compliances covered:

Compliance Name   Reference No.                          Link
PCI               8.4.2, 8.1.3, 8.1.4                    https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html
HIPAA             164.312(e)(1), 164.312(d)              https://aws.amazon.com/quickstart/architecture/compliance-hipaa/
ISO 27001         A.6.2.2, A.9.1.2, A.9.4.2, A.10.1.2    https://www.iso.org/standard/54534.html
GDPR              Article 32                             https://gdpr-info.eu/
Trusted Advisor   -                                      https://console.aws.amazon.com/trustedadvisor/home?#/category/security
CIS               1.1.0                                  https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf


Filters applicable:

Filter Name          Description
Account Id           Applying the account Id filter displays data for the selected account Id only.
Compliance           Applying the compliance filter displays only those security checks which fall under the selected compliance.
Severity             Applying the severity filter displays data for the selected severity type, i.e. selecting critical displays all resources with critical severity; the same applies to the warning and ok severity types.
Resource Tags        Applying the resource tags filter displays those resources which have been assigned the selected resource tag. For example, if a user has tagged some public snapshots with a resource tag named environment, selecting environment from the resource tags filter displays all resources carrying that tag name.
Resource Tags Value  Applying the resource tags value filter displays data carrying the selected resource tag value. For example, say a user has tagged some resources with a tag named environment and the value production (environment: production); the user can then view data for all resources with the “environment:production” tag assigned. The tag value filter can only be used once a tag name has been provided.


Read More:

[1] https://docs.aws.amazon.com/rekognition/latest/dg/setting-up.html

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

[3] https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
