How to Find AWS IAM Access Keys Not Rotated Within 90 Days
Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS.
AWS users need their own access keys to make programmatic calls to AWS from:
- the AWS Command Line Interface (AWS CLI),
- Tools for Windows PowerShell,
- the AWS SDKs,
- or direct HTTP calls using the APIs for individual AWS services.
It is recommended that all access keys be regularly rotated.
info
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.
Prerequisites
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions
-
Execute the following
search
command in Fix Inventory Shell:> search is(aws_iam_access_key) and access_key_last_used.last_rotated<-90d
kind=aws_iam_access_key, ..., region=fixinventory-poweruser
kind=aws_iam_access_key, ..., account=poweruser-team -
Pipe the
search
command into thedump
command:> search is(aws_iam_access_key) and access_key_last_used.last_rotated<-90d | dump
reported:
id: /aws/iam/123
name: some-name
ctime: '2022-12-05T22:53:14Z'
kind: aws_iam_access_key
age: 2mo28dThe command output will list the details of all non-compliant
aws_iam_access_key
resources.
Remediation
- Remove all listed access keys.
note
Please refer to the AWS IAM documentation for details.