AWS Config Rule: Access Keys Rotated

Description: Checks if the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.

Trigger type: Periodic

AWS Region: All supported AWS regions

To resolve manually, sign up to your AWS Management Console and navigate to IAM (Identity and Access Management).

Select Users in your left menu, and find the User where the key has not been rotated according to the AWS Config Rule.

Go to the Security credentials tab, and Create access key. Take note of the new Access Key and Secret Access Key as they are only shown once.

When rotating access keys, you should follow these steps:

• Update all your applications to use the new access key and validate that the applications are working.
  
• Change the state of the previous access key to inactive.
  
• Validate that your applications are still working as expected.
  
• Delete the inactive access key.
  

Optionally you can do it with the command line, following the next steps:

This will return the following:

You can list the current Access Keys for a particular user with the command:

And based on the timestamp, you can recognize which one you should make inactive. Use the following command to do it:

When validated that the new Access Key works as expected, you can delete the previous one

You can resolve with StackZone by enabling the Access Key Deactivate Remediation.

Go to Baseline Services > Config Rules Global > IAM > Remediations and enable Access Key Deactivate Remediation

By default, all keys older than 90 days are deleted and this is an automated process. THIS COULD DISRUPT YOUR SERVICES OPERATION, use it with caution.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here