
Metadata

Id: ansible-aws-iam-access-key-is-exposed

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Access Control

Description

Active, long‑lived access keys for non‑root IAM users increase the risk of credential compromise and unauthorized API access because leaked keys can be used to impersonate users and perform privileged actions. This rule inspects Ansible tasks that use the amazon.aws.iam_access_key or iam_access_key modules and flags tasks where the active property is true (or absent, since true is the default) and the state is not absent, while the user_name property does not contain root.

Resources with active access keys for non‑root users are flagged. Remediate by removing or deactivating unused keys, rotating keys frequently, or replacing long‑lived keys with IAM roles and temporary credentials. The check is case‑insensitive and treats any username containing the substring root as the root account exception.
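The following is an added example, not Datadog's rule engine or Ansible's own code, that implements the check described above as a small Python script: it parses the minimal task YAML used in this page's examples (a hand-written subset parser, not Ansible's loader; values containing a colon are not supported), finds tasks using amazon.aws.iam_access_key or iam_access_key, and flags those where active is true or absent, state is not absent, and user_name does not contain "root" (case-insensitive). The sample playbook is constructed for this example and adds one task with a mixed-case "Root_ops" user and one unrelated debug task to show the root exception and module filtering.

```python
"""Reference implementation of the ansible-aws-iam-access-key-is-exposed check.

Added example (not Datadog's or Ansible's code). Assumes the task structure
shown on the page: a list of tasks, each a mapping whose module key holds a
flat mapping of scalar arguments.
"""
from __future__ import annotations

from dataclasses import dataclass

# Module names the rule inspects (both the FQCN and the short legacy name).
MODULES = {"amazon.aws.iam_access_key", "iam_access_key"}
# Boolean spellings Ansible/YAML accept for "true".
TRUE_VALUES = {"true", "yes", "on", "1"}


@dataclass
class Finding:
    task_name: str
    user_name: str
    reason: str


def parse_tasks(text: str) -> list[dict]:
    """Parse a minimal subset of Ansible task YAML (hypothetical helper).

    Handles '- key: value' list items, 'key:' lines that open a nested
    mapping, and 'key: value' lines at deeper indentation inside it.
    """
    tasks: list[dict] = []
    task: dict | None = None
    nested: dict | None = None
    task_indent = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if body.startswith("- "):  # start of a new task
            task, nested = {}, None
            tasks.append(task)
            body = body[2:].strip()
            indent += 2
            task_indent = indent
        if task is None:
            raise ValueError(f"key outside of a task list item: {line!r}")
        key, sep, value = body.partition(":")
        if not sep:
            raise ValueError(f"expected 'key: value': {line!r}")
        key, value = key.strip(), value.strip().strip("'\"")
        if indent > task_indent and nested is not None:
            nested[key] = value          # module argument
        elif value == "":
            nested = task[key] = {}      # module key opening its arguments
        else:
            task[key] = value            # task-level key such as name
    return tasks


def is_truthy(value) -> bool:
    return str(value).strip().lower() in TRUE_VALUES


def check_task(task: dict) -> Finding | None:
    """Apply the rule to one parsed task; return a Finding or None."""
    for module in MODULES:
        if module in task:
            args = task[module] or {}
            break
    else:
        return None  # not an access-key task
    user = str(args.get("user_name", ""))
    if "root" in user.lower():
        return None  # root account exception (covered by a separate rule)
    if str(args.get("state", "present")).lower() == "absent":
        return None  # key is being removed
    if not is_truthy(args.get("active", True)):  # active defaults to true
        return None  # key created but deactivated
    return Finding(task.get("name", "<unnamed>"), user,
                   "active long-lived access key for a non-root IAM user")


def check_playbook(text: str) -> list[Finding]:
    return [f for f in map(check_task, parse_tasks(text)) if f is not None]


# Constructed sample mirroring the page's examples plus two extra cases.
SAMPLE_PLAYBOOK = """\
- name: Create root access key
  amazon.aws.iam_access_key:
    user_name: root
    state: present

- name: Create inactive access key
  amazon.aws.iam_access_key:
    user_name: jcleese
    active: false

- name: Remove access key
  amazon.aws.iam_access_key:
    user_name: jdavila
    state: absent

- name: Mixed-case root-like user is still the root exception
  amazon.aws.iam_access_key:
    user_name: Root_ops
    state: present

- name: Create non-root user with active access key
  iam_access_key:
    user_name: mpython
    state: present

- name: Unrelated task
  ansible.builtin.debug:
    msg: hello
"""

if __name__ == "__main__":
    for finding in check_playbook(SAMPLE_PLAYBOOK):
        print(f"[MEDIUM] {finding.task_name}: {finding.user_name} - {finding.reason}")
```

Run as a script it reports only the mpython task; the root, Root_ops, inactive, absent and debug tasks pass. Deactivating a key (active: false) or removing it (state: absent) is what clears the finding, matching the remediation described above.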

Compliant Code Examples

# Root user with active key (covered by root_account_has_active_access_keys)
- name: Create root access key
  amazon.aws.iam_access_key:
    user_name: root
    state: present

# Non-root user with inactive key
- name: Create inactive access key
  amazon.aws.iam_access_key:
    user_name: jcleese
    active: false

# Non-root user with absent state
- name: Remove access key
  amazon.aws.iam_access_key:
    user_name: jdavila
    state: absent

Non-Compliant Code Examples

- name: Create non-root user with active access key
  amazon.aws.iam_access_key:
    user_name: jcleese
    state: present
- name: Create another non-root user with active access key
  amazon.aws.iam_access_key:
    user_name: mpython
    state: present