Exposed IAM Access Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Extreme (act today)
Rule ID: TrustedAdvisor-003

Identify and invalidate (disable) any exposed Amazon IAM access keys in order to protect your AWS resources against unapproved access. Exposed access keys (an access key ID together with its secret access key) pose a high security risk to your AWS account: they can lead to excessive charges from unauthorized activity or abuse, and their exposure can violate the AWS Customer Agreement.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Anyone who holds your IAM access keys has the same level of access to your AWS resources as you do, so the potential for unintended access with these credentials is high and dangerous. That is why finding and disabling any exposed IAM credentials is crucial for keeping your AWS account secure. For example, once this rule is enabled, if an inexperienced user within your organization publishes an IAM access key pair to a public repository such as GitHub, Cloud Conformity will identify the exposed keys and notify you so that you can disable them.

Note: This conformity check does not guarantee the identification of all exposed access keys. You are ultimately responsible for the safety and security of your AWS IAM access keys.


Audit

To identify any exposed AWS IAM access keys using Amazon Trusted Advisor service, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Trusted Advisor dashboard at https://console.aws.amazon.com/trustedadvisor/.

03 In the left navigation panel, choose Security, then click the Refresh button to refresh the security checks.

04 Click on the Exposed Access Keys tab to expand the details panel and check for any IAM credentials listed on this panel. If one or more IAM access keys were flagged by the selected Amazon Trusted Advisor check, these keys have been exposed to the public and must be invalidated in order to protect your AWS resources from unauthorized access.

Using AWS CLI

01 Run the describe-trusted-advisor-checks command (OSX/Linux/UNIX) using custom query filters to get the unique ID of the Exposed Access Keys check, available for the selected region:

aws support describe-trusted-advisor-checks \
	--region us-east-1 \
	--language en \
	--query "checks[?name=='Exposed Access Keys'].id"

02 The command output should return the requested Trusted Advisor check ID:

aaabbbcccd

03 Run the refresh-trusted-advisor-check command (OSX/Linux/UNIX) using the Exposed Access Keys check ID returned at the previous step as the identifier to request a refresh of the Trusted Advisor check (the command does not produce an output):

aws support refresh-trusted-advisor-check \
	--region us-east-1 \
	--check-id aaabbbcccd

04 Now run the describe-trusted-advisor-check-refresh-statuses command (OSX/Linux/UNIX) using custom query filters and the same check ID as the identifier to return the refresh request status of the selected AWS Trusted Advisor check:

aws support describe-trusted-advisor-check-refresh-statuses \
	--region us-east-1 \
	--check-id aaabbbcccd

05 The command output should return the check refresh request status. If the refresh request is complete, the returned status should be "success":

[
    "success"
]

06 Run the describe-trusted-advisor-check-result command (OSX/Linux/UNIX) using custom query filters to return the IDs of the IAM access keys that were flagged (listed) by the selected Trusted Advisor check:

aws support describe-trusted-advisor-check-result \
	--region us-east-1 \
	--language en \
	--check-id aaabbbcccd \
	--output table \
	--query 'result.{FlaggedResources:flaggedResources[*].resourceId}'

07 The command output should return a table with the flagged IAM access keys IDs:

-------------------------------------
| DescribeTrustedAdvisorCheckResult |
+-----------------------------------+
|       AAAABBBBCCCCDDDDEEEE        |
|       CCCCDDDDEEEEFFFFGGGG        |
+-----------------------------------+

If the describe-trusted-advisor-check-result command output returns one or more IAM access keys IDs, as shown in the output example above, these keys have been exposed to the public and must be disabled in order to protect your AWS resources from unintended access.

Remediation / Resolution

To invalidate (disable) exposed IAM access keys so that these credentials can no longer be used to access your AWS resources, perform the following actions:

Note: Cloud Conformity recommends disabling exposed IAM credentials instead of deleting them, as disabled credentials can be restored if needed (for example, in case an application that utilizes these credentials is unexpectedly affected).

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users.

04 Click on the IAM user name associated with the exposed access keys.

05 On the Summary page, select Security Credentials tab.

06 Inside the Access Keys section, locate the exposed access key pair (see the Audit section to identify the right IAM credentials) and disable it by clicking the Make Inactive link in the Status column. The IAM resource status should change from Active to Inactive.

07 Repeat steps no. 4 – 6 to invalidate other exposed IAM access keys, available in your AWS account.

Using AWS CLI

01 Run the update-access-key command (OSX/Linux/UNIX) with the --status parameter to disable the exposed AWS IAM access keys (see the Audit section to identify the right credentials). The following command example invalidates an access key with the ID "AAAABBBBCCCCDDDDEEEE", created for an IAM user with the name "ec2-app-manager". If the --user-name parameter is not specified, the IAM user name is determined implicitly from the AWS access key ID used to sign the update-access-key request. If successful, the command does not produce an output:

aws iam update-access-key \
	--access-key-id AAAABBBBCCCCDDDDEEEE \
	--status Inactive \
	--user-name ec2-app-manager

02 Repeat step no. 1 to disable other exposed IAM access keys, available in your AWS account.
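The CLI audit procedure (steps 01 to 07 above) and the remediation step can be chained into one script. The following is an added example, not Conformity's own code: it drives the same Support API calls (describe checks, refresh, poll the refresh status, read flagged resourceIds) and then sets each flagged key to Inactive; it assumes boto3 and a support plan that includes the Support API, and the clients are passed in as parameters so the logic can be exercised against stand-ins. The user name for each key is obtained from GetAccessKeyLastUsed instead of the --user-name value from the page.

```python
# Added example (not Conformity's code): audit the Trusted Advisor "Exposed Access
# Keys" check and set every flagged key Inactive. The Support and IAM clients are
# passed in so the logic runs against stand-ins; boto3 is assumed for the live run.
import time

def find_check_id(support, name="Exposed Access Keys"):
    """Audit steps 01-02: return the ID of the check with the given name."""
    resp = support.describe_trusted_advisor_checks(language="en")
    ids = [c["id"] for c in resp["checks"] if c["name"] == name]
    if len(ids) != 1:
        raise LookupError(f"expected exactly one check named {name!r}, got {ids}")
    return ids[0]

def refresh_and_wait(support, check_id, attempts=10, delay=3.0):
    """Audit steps 03-05: request a refresh, poll until 'success', return last status."""
    support.refresh_trusted_advisor_check(checkId=check_id)
    status = None
    for _ in range(attempts):
        resp = support.describe_trusted_advisor_check_refresh_statuses(checkIds=[check_id])
        status = resp["statuses"][0]["status"]
        if status == "success":
            break
        time.sleep(delay)  # a result read before 'success' may be stale
    return status

def flagged_key_ids(support, check_id):
    """Audit steps 06-07: the access key IDs (resourceId) the check flagged."""
    resp = support.describe_trusted_advisor_check_result(checkId=check_id, language="en")
    return [r["resourceId"] for r in resp["result"]["flaggedResources"]]

def disable_keys(iam, key_ids):
    """Remediation step 01: make each key Inactive (disable, never delete)."""
    disabled = {}
    for key_id in key_ids:
        # GetAccessKeyLastUsed returns the owning UserName for an access key ID,
        # so the user does not have to be looked up by hand.
        user = iam.get_access_key_last_used(AccessKeyId=key_id)["UserName"]
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
        disabled[key_id] = user
    return disabled  # {access_key_id: user_name}

if __name__ == "__main__":  # live run; the Support API is served from us-east-1 only
    import boto3
    sup = boto3.client("support", region_name="us-east-1")
    cid = find_check_id(sup)
    if refresh_and_wait(sup, cid) != "success":
        raise SystemExit("refresh incomplete; rerun before trusting the result")
    print(disable_keys(boto3.client("iam"), flagged_key_ids(sup, cid)))
```

Because refresh_and_wait returns the last status it saw, a run that stops at "processing" or "abandoned" reports that instead of silently acting on a stale result.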

Publication date Nov 14, 2017