IAM access keys that are inactive and older than 1 year should be removed

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

This rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.

Rationale

This is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.

Remediation

  • Verify that the IAM user is still actively used or if it can be removed.
  • Verify that the IAM access key is still actively used or if it can be removed.
  • If the IAM user is still needed, rotate the access key. For more information, see the AWS documentation.

From the console

Follow the Rotating IAM user access keys (console) AWS documentation to rotate access keys.

From the command line

Follow the Rotating IAM user access keys (AWS CLI) AWS documentation to rotate access keys.