Access keys are created during initial user setup for IAM users with a console password
Description
The AWS console offers to generate an access key pair as part of creating an IAM user, so users who only need a console password often end up with an access key they never use. Every unused key is a long-lived credential that can be leaked or stolen, and it adds to the overhead of inventorying, auditing and rotating keys.
Best Practices:
- Avoid automatic creation of access keys during initial user setup.
- Delete any automatically generated access keys that are not needed.
- Empower users to create their own access keys through their profile settings, ensuring they only generate keys when required.
- Implement an additional step in the user setup process that requires users to actively create access keys. This provides a clear indication that the keys are necessary for the user’s role and signals to the organization that these keys may be used for authentication within their environment.
📘 Note
Even if you know the user will need access keys, require them to create the keys themselves, or have them open a support ticket so that the keys are created as a separate step from user creation. A key that exists only because someone asked for it has an owner and a purpose; a key generated automatically has neither.
Fix - Runtime
AWS Console
To delete access keys belonging to other users you need a policy that grants iam:DeleteAccessKey on those users (for example, the AdministratorAccess managed policy). IAM users can manage the access keys on their own profile if their policy allows it.
To delete access keys that do not pass the Audit, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Navigate to Services > IAM > Users, select the user, and open the Security credentials tab.
- In the Access keys section, check the Created and Last used columns: a key created at the same time as the user and never used was generated during initial setup.
- As an Administrator, or as the IAM user on their own profile: click Delete for each such key. Deactivating the key first and waiting for complaints is a safe intermediate step if you are unsure whether it is in use.
CLI command
To delete an access key, supply the user name and the key ID (both are shown by aws iam list-access-keys --user-name <user-name>):
aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>
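The audit step above (find keys created at the same time as the user that have never been used, for users that have a console password) is tedious to do by hand across many users. The script below is an added example, not part of the original page or of AWS's tooling: it implements that check against the boto3 IAM client methods list_users, get_login_profile, list_access_keys, get_access_key_last_used and delete_access_key, and ships with a small offline stand-in client loaded with constructed sample users and keys so it runs without AWS credentials. The five-minute "created during setup" window and the FakeIAM class are assumptions of this example.

```python
"""Flag (and optionally delete) IAM access keys created during initial user setup."""
from datetime import datetime, timedelta, timezone

# Assumption for this example: a key created within this window of the user
# itself counts as "created during initial user setup".
SETUP_WINDOW = timedelta(minutes=5)


def has_console_password(iam, user_name):
    """True if the user has a login profile, i.e. a console password."""
    try:
        iam.get_login_profile(UserName=user_name)
        return True
    except iam.exceptions.NoSuchEntityException:
        return False


def find_setup_keys(iam, setup_window=SETUP_WINDOW):
    """Return [(user_name, access_key_id)] for keys that were created together
    with the user and have never been used, limited to users with a console
    password. `iam` may be boto3.client("iam") or the FakeIAM stub below."""
    findings = []
    marker = None
    while True:  # manual pagination over list_users
        resp = iam.list_users(Marker=marker) if marker else iam.list_users()
        for user in resp["Users"]:
            name = user["UserName"]
            if not has_console_password(iam, name):
                continue  # policy scope: users with a console password only
            for key in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                created_with_user = key["CreateDate"] - user["CreateDate"] <= setup_window
                last_used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
                # AWS omits LastUsedDate entirely for a key that has never been used.
                never_used = "LastUsedDate" not in last_used["AccessKeyLastUsed"]
                if created_with_user and never_used:
                    findings.append((name, key["AccessKeyId"]))
        if not resp.get("IsTruncated"):
            return findings
        marker = resp["Marker"]


def delete_setup_keys(iam, setup_window=SETUP_WINDOW):
    """Delete every key flagged by find_setup_keys; return what was deleted."""
    deleted = find_setup_keys(iam, setup_window)
    for user_name, key_id in deleted:
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return deleted


class FakeIAM:
    """Offline stand-in for the boto3 IAM client (constructed sample data)."""

    class exceptions:  # mirrors iam.exceptions.NoSuchEntityException
        class NoSuchEntityException(Exception):
            pass

    def __init__(self):
        t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
        self._users = [{"UserName": u, "CreateDate": t0} for u in ("alice", "bob", "svc-deploy")]
        self._login = {"alice", "bob"}  # svc-deploy has no console password
        self._keys = {
            "alice": [{"AccessKeyId": "AKIAEXAMPLEALICE0001", "Status": "Active",
                       "CreateDate": t0 + timedelta(seconds=2)}],      # setup key, never used
            "bob": [{"AccessKeyId": "AKIAEXAMPLEBOB000001", "Status": "Active",
                     "CreateDate": t0 + timedelta(seconds=1)},         # setup key, but used
                    {"AccessKeyId": "AKIAEXAMPLEBOB000002", "Status": "Active",
                     "CreateDate": t0 + timedelta(days=30)}],          # requested later
            "svc-deploy": [{"AccessKeyId": "AKIAEXAMPLESVC000001", "Status": "Active",
                            "CreateDate": t0 + timedelta(seconds=1)}],  # out of scope
        }
        self._last_used = {"AKIAEXAMPLEBOB000001": t0 + timedelta(days=2)}

    def list_users(self, **kwargs):
        return {"Users": list(self._users), "IsTruncated": False}

    def get_login_profile(self, UserName):
        if UserName not in self._login:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self._keys.get(UserName, [])]}

    def get_access_key_last_used(self, AccessKeyId):
        used = {}
        if AccessKeyId in self._last_used:
            used = {"LastUsedDate": self._last_used[AccessKeyId], "ServiceName": "s3", "Region": "us-east-1"}
        return {"AccessKeyLastUsed": used}

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName] = [k for k in self._keys[UserName] if k["AccessKeyId"] != AccessKeyId]
        return {}


if __name__ == "__main__":
    iam = FakeIAM()  # swap for boto3.client("iam") to audit a real account
    for user_name, key_id in find_setup_keys(iam):
        print(f"{user_name}: {key_id} was created with the user and has never been used")
```

Running it against the sample data flags only alice's key: bob's setup key has been used, bob's second key was created a month later on request, and svc-deploy has no console password so it falls outside this policy. Against a real account, review the findings before calling delete_setup_keys; deactivating a key (aws iam update-access-key --status Inactive) first is the reversible option.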
📘 Note
Any access key generated as part of creating a user profile should be deleted at that time; an access key should only exist once the user has explicitly requested it.