Access keys are not rotated every 90 days or less

Description

Access keys are composed of an access key ID and a secret access key. These are utilized to authenticate and sign programmatic requests sent to AWS services. AWS users must have their own access keys in order to initiate programmatic interactions with AWS, whether through the AWS Command Line Interface (AWS CLI), AWS Tools for Windows PowerShell, AWS SDKs, or by making direct HTTP requests via the APIs of individual AWS services.

It is recommended to implement regular rotation of all access keys to mitigate the risk of unauthorized access resulting from outdated, lost, or compromised keys associated with active or terminated accounts.

Fix - Runtime

AWS Console

To manually rotate access keys using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to IAM Services.
  3. Select Users.
  4. Select Security Credentials.
  5. As an Administrator, select Make Inactive for keys that have not been rotated in 90 days. As an IAM User, select Make Inactive or Delete for keys that have not been rotated or used in 90 days.
  6. Select Create Access Key.
  7. Update programmatic calls to use the new Access Key credentials.

CLI Command

To rotate access keys from the AWS CLI, use the following commands:

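aws iam update-access-key --user-name <user-name> --access-key-id <old-access-key-id> --status Inactive
aws iam create-access-key --user-name <user-name>
aws iam delete-access-key --user-name <user-name> --access-key-id <old-access-key-id>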