Ensure access keys are rotated every 90 days or less

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.

Category

Controls

Medium

Applies to

AWS

Coverage

1 query

Asset types

1 covered

Rationale

Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.

Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.

Remediation guidance

AWS Remediation

Service-wide fix (recommended): reduce or eliminate long-lived IAM user access keys. Use IAM roles, AWS IAM Identity Center, instance profiles, task roles, and workload federation where possible.

When to use service-wide remediation

Use the service-wide path when many users still have access keys. Rotating keys helps, but replacing long-lived keys with temporary credentials is the better long-term fix.

Console

  1. Open IAM and go to Users.
  2. Select the affected user.
  3. Open Security credentials.
  4. Create a new access key only if the workload still requires one.
  5. Update the application or automation to use the new key.
  6. Set the old key to Inactive.
  7. After confirming nothing depends on the old key, delete it.

AWS CLI

Create a new key for the user:

aws iam create-access-key --user-name <user-name>

Check whether the old key is still being used:

aws iam get-access-key-last-used --access-key-id <old-access-key-id>

Disable the old key after the new key is deployed:

aws iam update-access-key \
  --user-name <user-name> \
  --access-key-id <old-access-key-id> \
  --status Inactive

Delete the old key after validation:

aws iam delete-access-key \
  --user-name <user-name> \
  --access-key-id <old-access-key-id>

List the user keys and creation dates:

aws iam list-access-keys --user-name <user-name>

Operational notes

  • IAM users can have at most two active access keys, so rotation usually means creating the second key, moving workloads, then disabling and deleting the old one.
  • If the key belongs to legacy automation, use this remediation window to move that automation to an IAM role instead of issuing another long-lived key.
  • Do not rotate blindly on production systems without a dependency check. Old scripts, CI jobs, or third-party integrations often still depend on the previous key.
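As an added example (not Cyscale's stored query and not AWS code), the following Python script applies the control's 90-day threshold to the AccessKeyMetadata structure that `aws iam list-access-keys` returns, so it can be pointed at real CLI output or at the constructed sample below; the user names, key IDs and dates in the sample are placeholders, and the collection path mentioned in the final comment is an assumption about how a practitioner would gather live data.

```python
"""Flag IAM user access keys older than the 90-day rotation limit."""
from datetime import datetime, timedelta, timezone
import json

MAX_KEY_AGE_DAYS = 90  # the control's threshold


def stale_keys(access_key_metadata, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return the keys whose age exceeds max_age_days.

    access_key_metadata is the "AccessKeyMetadata" list from
    `aws iam list-access-keys` (CLI JSON) or boto3's list_access_keys.
    CreateDate may be an ISO-8601 string (CLI) or a datetime (boto3).
    Inactive keys are reported as well: an Inactive key can be switched
    back to Active, so an old one should be deleted, not left in place.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in access_key_metadata:
        created = key["CreateDate"]
        if isinstance(created, str):
            created = datetime.fromisoformat(created.replace("Z", "+00:00"))
        age = now - created
        if age > timedelta(days=max_age_days):
            findings.append({"UserName": key["UserName"],
                             "AccessKeyId": key["AccessKeyId"],
                             "Status": key["Status"],
                             "AgeDays": age.days})
    return findings


# Constructed sample in the shape of `aws iam list-access-keys` output;
# the user names and key IDs are placeholders, not real credentials.
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active", "CreateDate": "2025-12-15T09:30:00Z"},    # 16 days old
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Inactive", "CreateDate": "2025-06-01T09:30:00Z"},  # 213 days old
    {"UserName": "legacy-backup", "AccessKeyId": "AKIAEXAMPLEKEY000003",
     "Status": "Active", "CreateDate": "2025-10-02T00:00:00Z"},    # 91 days old
    {"UserName": "legacy-backup", "AccessKeyId": "AKIAEXAMPLEKEY000004",
     "Status": "Active", "CreateDate": "2025-10-03T00:00:00Z"},    # exactly 90: compliant
]

if __name__ == "__main__":
    # Replace SAMPLE_KEYS with the AccessKeyMetadata collected per user
    # (e.g. via boto3 list_users + list_access_keys) to check a live account.
    print(json.dumps(stale_keys(SAMPLE_KEYS, now=SAMPLE_NOW), indent=2))
```

The 90-day boundary key is deliberately included: a key created exactly 90 days ago is still within "90 days or less" and is not flagged, while the Inactive key is flagged because it should be deleted rather than left reactivatable.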

References

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/id-credentials-access-keys-update.html
  • https://docs.aws.amazon.com/cli/latest/reference/iam/create-access-key.html
  • https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html
  • https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html

Query logic

These are the stored checks tied to this control.

Access keys are rotated every 90 days or less

Connectors

AWS

Covered asset types

IAMUser

Expected check: eq []

AWSIAM4{...AssetFragment}
© 2026 Cyscale Limited