There should only be one active access key per IAM user

Description

Access keys are long-term credentials for an IAM user or the AWS account ‘root’ user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Rationale

Access keys are long-term credentials for an IAM user or the AWS account ‘root’ user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.

Remediation

From the console

Perform the following to manage active keys (IAM user console access).

  1. Sign in to the AWS Management Console.
  2. Click Users.
  3. Click Security Credentials.
  4. Choose one access key that is less than 90 days old. Test your application(s) to make sure that the chosen access key is working. This should be the only active key used by this IAM user to access AWS resources programmatically.
  5. Identify your non-operational access keys.
  6. Update the following credentials:
    • Administrator: Click Make Inactive for non-operational keys.
    • IAM User: Click Make Inactive for non-operational keys.

From the command line

  1. Using the IAM user and access key information provided, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working.

  2. Run the following command using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s).

    aws iam update-access-key
    
  3. To confirm that the selected access key pair has been successfully deactivated run the list-access-keys audit command again for that IAM User.

    aws iam list-access-key
    

The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) Status is set to inactive, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation.

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html
  3. https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html