For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-access-key-not-rotated-within-90-days.md. A documentation index is available at /llms.txt.

High access key rotation period

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-access-key-not-rotated-within-90-days

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Secret Management

Learn More

Description

IAM access keys must be rotated regularly to reduce the risk from long-lived credentials and limit the exposure window if a key is compromised. Ensure an AWS::Config::ConfigRule resource exists with Source.SourceIdentifier set to ACCESS_KEYS_ROTATED and that its InputParameters contain a maxAccessKeyAge value less than or equal to 90 (days). Resources missing this ConfigRule, missing InputParameters, or with maxAccessKeyAge > 90 will be flagged; maxAccessKeyAge is evaluated numerically and is often provided as a string.

Secure configuration example (CloudFormation):

AccessKeyRotationRule:
  Type: AWS::Config::ConfigRule
  Properties:
    ConfigRuleName: enforce-access-key-rotation
    Source:
      Owner: AWS
      SourceIdentifier: ACCESS_KEYS_ROTATED
    InputParameters: '{"maxAccessKeyAge":"90"}'

Compliant Code Examples

Resources:
  ConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: TwentyFour_Hours

{
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "MaximumExecutionFrequency": "TwentyFour_Hours",
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {
          "maxAccessKeyAge": 90
        },
        "Source": {
          "SourceIdentifier": "ACCESS_KEYS_ROTATED",
          "Owner": "AWS"
        }
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  ConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: 100
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: TwentyFour_Hours

{
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {
          "maxAccessKeyAge": 100
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ACCESS_KEYS_ROTATED"
        },
        "MaximumExecutionFrequency": "TwentyFour_Hours"
      }
    }
  }
}