Access keys are created during initial user setup for IAM users with a console password
Description
The AWS console is set to create access keys by default. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work to audit and rotate these keys.
We recommend:
- The initial user setup does not include the creation of access keys.
- Automatically generated access keys should be deleted.
- Each user should be responsible for creating the correct access keys on their profile.
Requiring additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are:
[a] necessary for their work, and
[b] once the access key is established on an account that the keys may be in use somewhere in the organization.
📘 Note
Even if you known the user will need access keys, require them to create the keys themselves, or put in a support ticket to have them created as a separate step from user creation.
Fix - Runtime
AWS Console
To delete access keys belonging to other users you will need Administrator permissions. IAM users can manage access keys on their profiles.
To delete access keys that do not pass the Audit, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Navigate to Services > IAM > Users > Security Credentials.
- As an Administrator: click Delete for keys that were created at the same time as the user profile but have not been used;
or
As an IAM User: click Delete for keys that were created at the same time as the user profile but have not been used.
CLI command
To delete access keys, use the following command:
aws iam delete-access-key
📘 Note
All access keys should be deleted at time of profile creation.