AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
User Account Should Not Have Multiple Access Keys
More Info:
Multiple access keys for the same user should be avoided. There should be just 1 access key per user account.
Risk Level
Medium
Address
Security
Compliance Standards
CISAWS, CBP, HITRUST
Triage and Remediation
How to Prevent
To prevent user accounts from having multiple access keys in AWS IAM using the AWS Management Console, follow these steps:
-
Navigate to IAM Dashboard:
- Sign in to the AWS Management Console.
- Open the IAM (Identity and Access Management) dashboard by selecting “IAM” from the services menu.
-
Access User Details:
- In the IAM dashboard, select “Users” from the left-hand navigation pane.
- Click on the username of the user you want to manage.
-
Review Access Keys:
- In the user details page, select the “Security credentials” tab.
- Under the “Access keys” section, review the list of access keys associated with the user.
-
Enforce Single Access Key Policy:
- Ensure that each user has only one active access key.
- If a user has multiple access keys, consider implementing a policy or standard operating procedure (SOP) that restricts the creation of multiple access keys per user.
- Educate users and administrators on the importance of maintaining a single access key for security and management purposes.
By following these steps, you can help prevent the misconfiguration of user accounts having multiple access keys in AWS IAM using the AWS Management Console.
To prevent a user account from having multiple access keys in AWS IAM using the AWS CLI, you can follow these steps:
-
Create a New IAM User Without Access Keys: Ensure that when you create a new IAM user, you do not create multiple access keys for them. Use the following command to create a new IAM user without any access keys:
aws iam create-user --user-name NewUserName -
Attach Policies to the User: Attach the necessary policies to the user without creating multiple access keys. For example, to attach the
AmazonS3ReadOnlyAccesspolicy:aws iam attach-user-policy --user-name NewUserName --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess -
Monitor and List Access Keys: Regularly monitor and list the access keys for each user to ensure they do not have multiple access keys. Use the following command to list access keys for a specific user:
aws iam list-access-keys --user-name ExistingUserName -
Enforce Policy to Restrict Multiple Access Keys: Create and attach an IAM policy that restricts users from creating multiple access keys. This can be done by defining a policy that denies the
iam:CreateAccessKeyaction if the user already has an active access key. Here is an example of such a policy:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "arn:aws:iam::*:user/${aws:username}", "Condition": { "NumericGreaterThan": { "aws:RequestTag/AccessKeyCount": "1" } } } ] }Attach this policy to the users or groups as needed:
aws iam put-user-policy --user-name ExistingUserName --policy-name RestrictMultipleAccessKeys --policy-document file://policy.json
By following these steps, you can prevent IAM users from having multiple access keys using the AWS CLI.
To prevent a user account from having multiple access keys in IAM using Python scripts, you can follow these steps:
-
Set Up AWS SDK (Boto3) for Python:
- Ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip if you haven’t already:
pip install boto3
- Ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip if you haven’t already:
-
Create a Python Script to List Access Keys:
- Write a Python script to list all access keys for a given IAM user. This will help you identify if a user has multiple access keys.
import boto3 # Initialize a session using Amazon IAM session = boto3.Session(profile_name='your_profile_name') iam_client = session.client('iam') # Function to list access keys for a user def list_access_keys(user_name): response = iam_client.list_access_keys(UserName=user_name) return response['AccessKeyMetadata'] # Example usage user_name = 'your_iam_user_name' access_keys = list_access_keys(user_name) print(f"Access keys for user {user_name}: {access_keys}") -
Check for Multiple Access Keys:
- Extend the script to check if a user has more than one access key and print a warning message if they do.
def check_multiple_access_keys(user_name): access_keys = list_access_keys(user_name) if len(access_keys) > 1: print(f"Warning: User {user_name} has multiple access keys.") else: print(f"User {user_name} has a single access key or none.") # Example usage check_multiple_access_keys(user_name) -
Automate the Check for All Users:
- Automate the process to check all IAM users in your account and ensure none of them have multiple access keys.
def list_all_users(): response = iam_client.list_users() return response['Users'] def check_all_users_for_multiple_access_keys(): users = list_all_users() for user in users: user_name = user['UserName'] check_multiple_access_keys(user_name) # Example usage check_all_users_for_multiple_access_keys()
By following these steps, you can create a Python script that checks for multiple access keys for IAM users and helps prevent this misconfiguration. This script can be run periodically or integrated into your CI/CD pipeline to ensure compliance.