Access keys are used to access the AWS environment through its APIs. Rotating IAM access keys periodically goes a long way toward reducing the attack surface. It addresses the problem of key leakage over time.
The following compliance controls may be fulfilled by rotating access keys:
- ISO 27001 – A.9.2.4 – Management of secret authentication information of users
- HIPAA 164.308(a)(5)(ii)(D) – Procedures for creating, changing, and safeguarding passwords.
Old keys, or the absence of key rotation, may result in a compromised account or even an account takeover. It is strongly recommended to audit the AWS account periodically and ensure proper configuration.

Remediation
To remediate, deactivate the old access key and create a new one.
To keep the AWS environment secure and in compliance with regulations, the above steps need to be repeated as often as there is a change in the AWS infrastructure.

