IAM user has too many access keys

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > IAM user has too many access keys

Metadata

Id: 48677914-6fdf-40ec-80c4-2b0e94079f54

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Insecure Configurations

Learn More

Provider Reference

Description

IAM users should have at most one access key because multiple keys increase the risk of credential exposure and make secure rotation and revocation more difficult. In AWS CloudFormation, each AWS::IAM::AccessKey resource’s Properties.UserName should be unique per IAM user so a user is not associated with more than one access key. This rule flags templates where more than one AWS::IAM::AccessKey resource references the same UserName. Remove extra keys, consolidate usage, or rotate and delete unused keys to remediate.

Secure example with a single access key for a user:

MyUserAccessKey:
  Type: AWS::IAM::AccessKey
  Properties:
    UserName: MyIamUser

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::User
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
    firstKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName:
          Ref: myuser

{
  "Resources": {
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "Path": "/",
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        }
      }
    },
    "firstKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": {
          "Ref": "myuser"
        }
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template"
}

Non-Compliant Code Examples

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "secondKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": "myuser"
      }
    },
    "myuser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "LoginProfile": {
          "Password": "myP@ssW0rd"
        },
        "Path": "/"
      }
    },
    "firstKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": {
        "UserName": "myuser"
      }
    }
  }
}

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
    myuser:
      Type: AWS::IAM::User
      Properties:
        Path: "/"
        LoginProfile:
          Password: myP@ssW0rd
    firstKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName: !Ref myuser
    secondKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName: !Ref myuser