There should only be one active access key per IAM user
Description
Access keys are long-term credentials for an IAM user or the AWS account ‘root’ user.
You can use access keys to sign programmatic requests to the AWS CLI or AWS API
(directly or using the AWS SDK).
Rationale
Because access keys are long-term credentials that sign programmatic requests to the AWS CLI or AWS API, each additional active key on a user is another secret that can leak or be forgotten. One of the best ways to protect your account is therefore to not allow users to have multiple access keys.
From the console
Perform the following to manage active keys (IAM user console access).
- Sign in to the AWS Management Console.
- Click Users.
- Click Security Credentials.
- Choose one access key that is less than 90 days old. Test your application(s) to make sure that the chosen access key is working. This should be the only active key used by this IAM user to access AWS resources programmatically.
- Identify your non-operational access keys.
- Update the following credentials:
  - Administrator: Click Make Inactive for non-operational keys.
  - IAM User: Click Make Inactive for non-operational keys.
From the command line
Using the IAM user and access key information provided,
choose one access key that is less than 90 days old. This should be the only
active key used by this IAM user to access AWS resources programmatically.
Test your application(s) to make sure that the chosen access key is working.
Run the following command once for each non-operational key, substituting the IAM user name and the non-operational access key ID, to deactivate the unnecessary key(s) (the angle-bracketed values are placeholders):
aws iam update-access-key --user-name <IAM_USER_NAME> --access-key-id <NON_OPERATIONAL_ACCESS_KEY_ID> --status Inactive
To confirm that the selected access key pair has been deactivated, run the list-access-keys audit command again for that IAM user. The output lists the metadata for each access key associated with the user. If the Status of the non-operational key pair(s) is Inactive, the key has been deactivated and the IAM user's access configuration now adheres to this recommendation.
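The command-line procedure above can be turned into a repeatable audit. The following added example (not part of the original recommendation) reads the JSON shape that aws iam list-access-keys returns, flags a user with more than one Active key, picks the newest key that is under 90 days old as the one to keep, and renders the exact aws iam update-access-key calls that deactivate the rest. The sample response, the user name alice, the key IDs and the fixed clock are all constructed; the "keep the newest fresh key" rule is this script's assumption, so the operator still has to confirm that the kept key is the one the applications actually use before running the rendered commands.

```python
"""Audit one IAM user's access keys against the one-active-key rule and plan
the `aws iam update-access-key --status Inactive` calls that remediate it.

Added example. The sample data is constructed and the selection rule (keep the
newest active key younger than MAX_KEY_AGE_DAYS) is an assumption of this
script, not part of the original recommendation.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample shaped like `aws iam list-access-keys --user-name alice`
# output. The key IDs and dates are made up for this example.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000001",
         "Status": "Active", "CreateDate": "2024-01-15T10:00:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000002",
         "Status": "Active", "CreateDate": "2024-04-01T09:30:00+00:00"},
        {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000003",
         "Status": "Inactive", "CreateDate": "2023-06-01T08:00:00+00:00"},
    ]
})

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc)
# when auditing a real account.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def parse_keys(list_access_keys_json):
    """Return the AccessKeyMetadata entries with CreateDate parsed to datetime."""
    keys = []
    for entry in json.loads(list_access_keys_json)["AccessKeyMetadata"]:
        key = dict(entry)
        key["CreateDate"] = datetime.fromisoformat(entry["CreateDate"])
        keys.append(key)
    return keys


def plan_remediation(keys, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Decide which key to keep and which active keys to deactivate.

    Keeps the newest active key that is younger than max_age_days (falls back
    to the newest active key if none qualifies). Zero or one active key is
    already compliant and yields an empty deactivation list.
    """
    active = [k for k in keys if k["Status"] == "Active"]
    if len(active) <= 1:
        return {"compliant": True,
                "keep": active[0]["AccessKeyId"] if active else None,
                "deactivate": []}
    fresh = [k for k in active
             if now - k["CreateDate"] < timedelta(days=max_age_days)]
    keep = max(fresh or active, key=lambda k: k["CreateDate"])
    deactivate = sorted(k["AccessKeyId"] for k in active if k is not keep)
    return {"compliant": False, "keep": keep["AccessKeyId"],
            "deactivate": deactivate}


def deactivate_commands(user_name, plan):
    """Render one `aws iam update-access-key` call per surplus active key."""
    return [
        f"aws iam update-access-key --user-name {user_name} "
        f"--access-key-id {key_id} --status Inactive"
        for key_id in plan["deactivate"]
    ]


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_LIST_ACCESS_KEYS)
    plan = plan_remediation(keys)
    print(json.dumps(plan, indent=2))
    for cmd in deactivate_commands("alice", plan):
        print(cmd)
```

Feed the script the real output of aws iam list-access-keys --user-name <IAM_USER_NAME> in place of the constructed sample and review the rendered commands before running them; re-running the audit afterwards should report compliant: true with an empty deactivate list, which is the same check the verification step above performs by hand.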
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html
- https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html