Metadata

Id: 48677914-6fdf-40ec-80c4-2b0e94079f54

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Insecure Configurations

Description

IAM users should have at most one access key because multiple keys increase the risk of credential exposure and make secure rotation and revocation more difficult. In AWS CloudFormation, each AWS::IAM::AccessKey resource’s Properties.UserName should be unique per IAM user so a user is not associated with more than one access key. This rule flags templates where more than one AWS::IAM::AccessKey resource references the same UserName. Remove extra keys, consolidate usage, or rotate and delete unused keys to remediate.

Secure example with a single access key for a user:

MyUserAccessKey:
  Type: AWS::IAM::AccessKey
  Properties:
    UserName: MyIamUser
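As an added illustration (not the rule's own implementation), the following Python check applies the same logic to a parsed CloudFormation template: it groups AWS::IAM::AccessKey resources by their UserName and reports any user referenced by more than one key. It assumes the template has already been loaded into a dict (JSON form, where !Ref appears as {"Ref": ...}); the sample template is constructed from this page's non-compliant example.

```python
import json
from collections import defaultdict

# Constructed sample (condensed from this page's non-compliant JSON example):
# two AWS::IAM::AccessKey resources name the same IAM user.
NON_COMPLIANT = {
    "Resources": {
        "myuser": {"Type": "AWS::IAM::User", "Properties": {"Path": "/"}},
        "firstKey": {"Type": "AWS::IAM::AccessKey",
                     "Properties": {"UserName": "myuser"}},
        "secondKey": {"Type": "AWS::IAM::AccessKey",
                      "Properties": {"UserName": "myuser"}},
    }
}

def resolve_user_name(value, resources):
    """Normalize an AccessKey's UserName to a comparable string.

    A literal string is returned as-is. A {"Ref": "<logicalId>"} intrinsic
    (the JSON form of !Ref) is resolved: Ref on an AWS::IAM::User returns its
    user name, so if that resource declares Properties.UserName we use it;
    otherwise the logical id is used, prefixed so it cannot collide with a
    literal name (assumption: an unnamed user gets a generated name).
    """
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Ref" in value:
        target = resources.get(value["Ref"], {})
        declared = target.get("Properties", {}).get("UserName")
        if isinstance(declared, str):
            return declared
        return "Ref:" + str(value["Ref"])
    # Other intrinsics (Fn::Sub, Fn::GetAtt, ...) are compared structurally.
    return json.dumps(value, sort_keys=True)

def find_duplicate_access_keys(template):
    """Return {user: [access key logical ids]} for users with >1 access key."""
    resources = template.get("Resources", {})
    keys_by_user = defaultdict(list)
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::IAM::AccessKey":
            continue
        user = res.get("Properties", {}).get("UserName")
        if user is None:
            continue  # UserName is required; a missing value is a template error
        keys_by_user[resolve_user_name(user, resources)].append(logical_id)
    return {u: sorted(ids) for u, ids in keys_by_user.items() if len(ids) > 1}

if __name__ == "__main__":
    print(find_duplicate_access_keys(NON_COMPLIANT))  # {'myuser': ['firstKey', 'secondKey']}
```

A YAML template with short-form tags such as !Ref needs a YAML loader that maps those tags onto the same {"Ref": ...} shape before this check is run.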

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::User
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
    firstKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName:
          Ref: myuser

{
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        }
      }
    },
    "firstKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": {
          "Ref": "myuser"
        }
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template"
}

Non-Compliant Code Examples

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "secondKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": "myuser"
      }
    },
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        },
        "Path": "/"
      }
    },
    "firstKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": "myuser"
      }
    }
  }
}

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::User
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
    firstKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName: !Ref myuser
    secondKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName: !Ref myuser