Ensure access keys are rotated every 90 days or less
Error: Access keys are not rotated every 90 days or less
Bridgecrew Policy ID: BC_AWS_IAM_4
Access keys are not rotated every 90 days or less
Access keys consist of an access key ID and secret access key. They are used to sign programmatic requests made to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, and direct HTTP calls using the APIs for individual AWS services.
We recommend regularly rotating all access keys to reduce the potential for an old, lost or stolen access key to be used on a compromised or terminated account.
Fix - Runtime
To manually rotate access keys using the AWS Console, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Navigate to IAM Services.
- Select Users.
- Select Security Credentials.
- As an Administrator, select Make Inactive for keys that have not been rotated in 90 days. As an IAM User, select Make Inactive or Delete for keys that have not been rotated or used in 90 days.
- Select Create Access Key.
- Update programmatic calls with the new access key credentials.
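To rotate access keys using the AWS CLI, use the following commands (values in angle brackets are placeholders):
aws iam update-access-key --user-name <user-name> --access-key-id <access-key-id> --status Inactive
aws iam create-access-key --user-name <user-name>
aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>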