Identify and invalidate (disable) any exposed AWS IAM access keys in order to protect your AWS resources against unauthorized access. Exposed access keys (an access key ID together with its secret access key) pose a high security risk to your AWS account: anyone holding them can act with the permissions of the principal they belong to, which can lead to excessive charges from unauthorized activity or abuse and can violate the AWS Customer Agreement.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Anyone who has your IAM access keys has the same level of access to your AWS resources as the principal the keys belong to, so the potential for unintended access with these credentials is high. Finding and disabling any exposed IAM credentials is therefore crucial for keeping your AWS account secure. For example, once this rule is enabled, if an inexperienced user within your organization publishes an IAM access key pair to a public repository such as GitHub, Cloud Conformity will identify the exposed keys and notify you so that you can disable them.
Note: This conformity check does not guarantee the identification of all exposed access keys. You are ultimately responsible for the safety and security of your AWS IAM access keys.
Audit
To identify any exposed AWS IAM access keys using the AWS Trusted Advisor service, perform the following:
Remediation / Resolution
To invalidate (disable) exposed IAM access keys so that these credentials can no longer be used to access your AWS resources, perform the following actions:
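The Audit and Remediation steps above map onto four Support API calls and one IAM call, the same ones listed under the CLI references at the end of this page: describe-trusted-advisor-checks (to find the check ID by name), refresh-trusted-advisor-check and describe-trusted-advisor-check-refresh-statuses (to get a fresh result), describe-trusted-advisor-check-result (to read the flagged keys) and iam update-access-key with Status=Inactive (to disable them). The script below is an added example written for this page, not Cloud Conformity's or AWS's own code. It runs offline against constructed sample responses; the check ID EXAMPLE_EAK, the column headers, the user label "root" for root keys and the RecordingIAM stand-in for the boto3 IAM client are assumptions. The live path (fetch_live) requires boto3, a Business, Enterprise On-Ramp or Enterprise Support plan, and the us-east-1 Support endpoint.

```python
"""Find access keys flagged by the Trusted Advisor "Exposed Access Keys" check
and set them to Inactive with iam:UpdateAccessKey (disable, not delete)."""
import json
import time
from typing import Dict, List, Tuple

CHECK_NAME = "Exposed Access Keys"  # display name used to look up the check ID

# Constructed sample of `aws support describe-trusted-advisor-checks --language en`
# (only the fields used here). The check ID and the exact column headers are
# illustrative assumptions; the live path below looks them up instead.
SAMPLE_CHECKS = {"checks": [
    {"id": "EXAMPLE_SG", "name": "Security Groups - Unrestricted Access",
     "metadata": ["Region", "Security Group Name"]},
    {"id": "EXAMPLE_EAK", "name": CHECK_NAME,
     "metadata": ["Access Key ID", "User Name (IAM or Root)", "Fraud Type",
                  "Case ID", "Time Updated", "Location", "Deadline",
                  "Usage (USD per Day)"]},
]}

# Constructed sample of `aws support describe-trusted-advisor-check-result`
# for that check: one live finding and one the account owner already suppressed.
SAMPLE_RESULT = {"result": {"checkId": "EXAMPLE_EAK", "status": "error",
    "flaggedResources": [
        {"status": "error", "resourceId": "r-1", "isSuppressed": False,
         "metadata": ["AKIAEXAMPLEEXPOSED01", "ci-deploy", "Exposed", "1234567",
                      "2024-05-01T10:00:00Z", "https://github.com/example/repo",
                      "2024-05-02T10:00:00Z", "0.00"]},
        {"status": "error", "resourceId": "r-2", "isSuppressed": True,
         "metadata": ["AKIAEXAMPLESUPPRESS1", "legacy-bot", "Exposed", "7654321",
                      "2024-04-01T10:00:00Z", "pastebin", "2024-04-02T10:00:00Z",
                      "0.00"]},
    ]}}

def find_check_id(checks: Dict, name: str = CHECK_NAME) -> str:
    """Resolve the check ID from its name instead of hard-coding the ID."""
    for check in checks["checks"]:
        if check["name"] == name:
            return check["id"]
    raise LookupError(f"Trusted Advisor check {name!r} not found")

def exposed_keys(checks: Dict, result: Dict,
                 include_suppressed: bool = False) -> List[Dict[str, str]]:
    """Map each flagged resource's positional `metadata` list onto the check's
    `metadata` column headers, so no fixed column order is assumed."""
    check_id = result["result"]["checkId"]
    headers = next(c["metadata"] for c in checks["checks"] if c["id"] == check_id)
    found = []
    for res in result["result"]["flaggedResources"]:
        if res.get("status") == "ok":
            continue  # nothing to act on
        if res.get("isSuppressed") and not include_suppressed:
            continue  # deliberately excluded by the account owner
        row = dict(zip(headers, res["metadata"]))
        found.append({"access_key_id": row["Access Key ID"],
                      "user": row["User Name (IAM or Root)"],
                      "location": row.get("Location", "")})
    return found

def disable_keys(keys: List[Dict[str, str]], iam) -> Tuple[List[str], List[str]]:
    """Set each key Inactive via UpdateAccessKey; returns (disabled, skipped).
    Root keys cannot be managed from an IAM principal with this call, so they
    are reported for manual handling ("root" label is an assumption)."""
    disabled, skipped = [], []
    for k in keys:
        if k["user"].strip("<>").lower() == "root":
            skipped.append(k["access_key_id"])
            continue
        iam.update_access_key(UserName=k["user"], AccessKeyId=k["access_key_id"],
                              Status="Inactive")
        disabled.append(k["access_key_id"])
    return disabled, skipped

class RecordingIAM:
    """Stand-in for boto3's IAM client so the flow can be exercised offline."""
    def __init__(self) -> None:
        self.calls: List[Dict] = []
    def update_access_key(self, **params) -> None:
        self.calls.append(params)

def fetch_live(name: str = CHECK_NAME, wait_seconds: int = 120) -> Tuple[Dict, Dict]:
    """Live path: refresh the check, wait for the refresh, read the result."""
    import boto3  # imported here so the offline functions above need no boto3
    from botocore.exceptions import ClientError
    support = boto3.client("support", region_name="us-east-1")
    checks = support.describe_trusted_advisor_checks(language="en")
    check_id = find_check_id(checks, name)
    try:
        support.refresh_trusted_advisor_check(checkId=check_id)
    except ClientError:
        pass  # refresh rejected (e.g. too soon after the last one): use last result
    deadline = time.time() + wait_seconds
    while time.time() < deadline:
        st = support.describe_trusted_advisor_check_refresh_statuses(checkIds=[check_id])
        if st["statuses"][0]["status"] in ("success", "abandoned", "none"):
            break
        time.sleep(5)
    return checks, support.describe_trusted_advisor_check_result(checkId=check_id,
                                                                 language="en")

if __name__ == "__main__":
    keys = exposed_keys(SAMPLE_CHECKS, SAMPLE_RESULT)
    disabled, skipped = disable_keys(keys, RecordingIAM())
    print(json.dumps({"disabled": disabled, "skipped": skipped}, indent=2))
```

To run against a real account, replace the sample data with `checks, result = fetch_live()` and pass `boto3.client("iam")` to disable_keys. Review what exposed_keys returns before disabling anything, and treat disabling as containment only: the exposed secret remains public, so create a replacement key, move the workload to it, and then delete the exposed key.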
Note: Cloud Conformity recommends disabling exposed IAM credentials rather than deleting them straight away, because a disabled key can be re-enabled if needed (for example, if an application that still uses these credentials is unexpectedly affected), whereas a deleted key cannot be recovered. Disabling only stops the key from being used; once the affected workload has been moved to a new key, the exposed key should be deleted.
References
- AWS Documentation
- AWS IAM FAQs
- AWS Customer Agreement
- AWS Trusted Advisor
- Trusted Advisor FAQs
- Trusted Advisor Best Practices (Checks)
- Best Practices for Managing AWS Access Keys
- Managing Access Keys for IAM Users
- AWS Command Line Interface (CLI) Documentation
  - iam
    - update-access-key
  - support
    - describe-trusted-advisor-checks
    - refresh-trusted-advisor-check
    - describe-trusted-advisor-check-refresh-statuses
    - describe-trusted-advisor-check-result