In this post I want to discuss a security best practice that should be part of your security processes and procedures: auditing and rotating your AWS security credentials on a periodic basis.
As we know, we live in a world where cyber security attacks are all too common. Although there are complex and advanced tools and services we can put in place to reduce the attack surface, we can also adopt some simple but very effective controls. One entry point attackers use to gain access to restricted environments is to compromise usernames and passwords, in other words a user's credentials, which then grant the attacker whatever privileges that user holds. So what are some of the ways to reduce this risk?
Rotating our AWS credentials regularly limits how long a leaked or stolen credential remains valid: an access key that was copied from a laptop or a repository months ago is useless if it has since been replaced. Getting into the habit of using short-lived credentials therefore makes the associated user accounts more secure.
Where possible, when accessing AWS resources we should use temporary credentials, such as those provided by IAM roles, but this is not feasible for every use case. As a result there will be times, mainly for human user accounts, when long-lived credentials (console passwords and access keys) exist within your AWS account. These accounts should be audited to confirm that they are still being used and, if so, to highlight which credentials should be rotated to reduce your security risk. If a set of credentials is compromised it can lead to data breaches, denial of access to your legitimate accounts, wide-scale outages, and much more. In addition to performing regular audits, you should set a password expiration period within your IAM password policy so that users' passwords are forcibly changed on a regular basis.
AWS Credential Report
The AWS credential report provides a great way to audit all of the AWS credentials used within your account. It can be generated via the AWS CLI (aws iam generate-credential-report, then aws iam get-credential-report), the SDKs, or the AWS Management Console; whichever method you use, you obtain a report showing the credential details of every IAM user in the account plus the root user, which appears as <root_account>. AWS generates a fresh report at most once every four hours; requesting it again within that window returns the previously generated copy. The report is a *.CSV file, so you can download it and review and filter the data with ordinary tools.
Using this report, you will be able to see the following for each user (the report's column name is given in brackets):
- The username (user)
- The Amazon Resource Name (ARN) of the user (arn)
- When the user was created (user_creation_time)
- Whether a console password is enabled for the user (password_enabled)
- When the password was last used (password_last_used)
- When the password was last changed (password_last_changed)
- When the password is due to be rotated, based on the password policy settings (password_next_rotation)
- Whether multi-factor authentication is enabled for the user (mfa_active)
- Whether the user's first access key is active (access_key_1_active)
- When the first access key was last rotated, which is its creation date, since keys are never modified in place (access_key_1_last_rotated)
- When the first access key was last used (access_key_1_last_used_date)
- The region in which the first access key was last used (access_key_1_last_used_region)
- The service last called with the first access key (access_key_1_last_used_service)
- The same five fields for a second access key; the second slot exists so that a new key can be created alongside the old one, which makes key rotation easier (access_key_2_active, access_key_2_last_rotated, access_key_2_last_used_date, access_key_2_last_used_region, access_key_2_last_used_service)
- Whether the user has an X.509 signing certificate (cert_1_active)
- When the signing certificate was last rotated (cert_1_last_rotated)
- The same two fields for a second signing certificate (cert_2_active, cert_2_last_rotated)
As you can see, this is quite an extensive set of parameters about the credentials used to access your AWS account. Using this data will help you formulate an appropriate policy and process to rotate your credentials on a regular basis.
Looking at the following small sample taken from a credential report, we can identify some key changes that should be made immediately:
User 2 and User 3 have not had their passwords changed for years, as seen in the 'password_last_changed' column. Long-lived credentials like these are a massive risk.
User 5 should also have their password changed, as it has been a number of months since the last credential rotation.
User 2 hasn't logged into the AWS account for approximately 3 years, so this user's console password should be removed altogether.
User 3 is still an active user, as the last login shown in 'password_last_used' was in the past few days; however, their password has not been changed for 7 years!
To resolve these issues with long-lived credentials, the password policy should be edited to enable password expiration, for example a 30-day expiration to force at least a monthly rotation. Note that an expiration policy only takes effect when the user next signs in, so a dormant user such as User 2 keeps their old password until someone removes it; that is why the audit and the clean-up of unused credentials are still needed alongside the policy.
Users 1 and 4 in this scenario do not have console access, but we should also check their access keys, so let's take a look:
Here we can see that User 1 and User 4 do have programmatic access, shown by the 'TRUE' value under 'access_key_1_active'. However, their keys have not been rotated for a number of years, which again poses a high security risk.
User 2 does have an access key, but it is inactive, as shown by the 'FALSE' value, and it has NEVER been used. This key should be deleted and programmatic access removed for this user.
User 3 has an active access key, but it has not been used for years, so it too should be deleted.
User 5 does not have any access keys associated.
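The audit described above can be scripted rather than read by eye. The following is an added example, not code from the original post or from AWS: it parses a credential report CSV using the report's real column names and applies the thresholds discussed above (passwords and access keys older than 90 days, anything unused for over a year, active keys that were never used, inactive keys left in place, and console users without MFA). The sample rows, the account ID, the user names and the fixed reference time are constructed so the run is reproducible; to audit a real account, feed it the decoded output of aws iam get-credential-report instead of SAMPLE_REPORT.

```python
"""Audit an IAM credential report for stale and unused credentials.

Added example, not part of the original post. It reads the CSV that
`aws iam get-credential-report` returns (the header names below are the
report's real column names, trimmed to the ones this audit reads). The
sample rows and the fixed NOW are constructed so the run is reproducible.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2015-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,false,N/A,N/A
user1,arn:aws:iam::111122223333:user/user1,2017-03-02T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2017-03-02T12:00:00+00:00,2024-05-10T10:00:00+00:00,false,N/A,N/A
user2,arn:aws:iam::111122223333:user/user2,2016-06-01T12:00:00+00:00,true,2021-05-20T15:00:00+00:00,2016-06-01T12:00:00+00:00,N/A,false,false,2016-06-01T12:00:00+00:00,N/A,false,N/A,N/A
user3,arn:aws:iam::111122223333:user/user3,2017-01-15T12:00:00+00:00,true,2024-05-12T09:30:00+00:00,2017-01-15T12:00:00+00:00,N/A,true,true,2017-01-15T12:00:00+00:00,2019-02-01T00:00:00+00:00,false,N/A,N/A
user5,arn:aws:iam::111122223333:user/user5,2023-11-01T12:00:00+00:00,true,2024-05-13T09:30:00+00:00,2024-01-05T12:00:00+00:00,N/A,true,false,N/A,N/A,false,N/A,N/A
"""

NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)  # constructed reference time


def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def age_days(value, now):
    ts = parse_ts(value)
    return None if ts is None else (now - ts).days


def audit_report(csv_text, now, max_age_days=90, unused_days=365):
    """Return (user, issue, detail) findings for every credential that needs action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if row["password_enabled"] == "true":  # root shows not_supported and is skipped here
            changed = age_days(row["password_last_changed"], now)
            used = age_days(row["password_last_used"], now)
            if changed is not None and changed > max_age_days:
                findings.append((user, "password_stale", f"last changed {changed} days ago"))
            if used is None:
                findings.append((user, "password_never_used", "remove console access"))
            elif used > unused_days:
                findings.append((user, "password_unused", f"last used {used} days ago; remove console access"))
            if row["mfa_active"] != "true":
                findings.append((user, "no_mfa", "console password without MFA"))
        for key in ("access_key_1", "access_key_2"):
            created = age_days(row[f"{key}_last_rotated"], now)
            if created is None:
                continue  # no key in this slot
            if row[f"{key}_active"] != "true":
                findings.append((user, f"{key}_inactive_present", "delete the inactive key"))
                continue
            used = age_days(row[f"{key}_last_used_date"], now)
            if created > max_age_days:
                findings.append((user, f"{key}_stale", f"created {created} days ago"))
            if used is None:
                findings.append((user, f"{key}_never_used", "active key never used; delete it"))
            elif used > unused_days:
                findings.append((user, f"{key}_unused", f"last used {used} days ago; delete it"))
    return findings


def issues_for(findings, user):
    """Sorted issue codes raised for one user."""
    return sorted(issue for u, issue, _ in findings if u == user)


if __name__ == "__main__":
    for user, issue, detail in audit_report(SAMPLE_REPORT, NOW):
        print(f"{user:<16}{issue:<32}{detail}")
```

The thresholds are parameters rather than constants because the right values are a policy decision: the 90-day key age matches the recommendation discussed below, while the one-year "unused" cut-off is a starting point that a team with stricter requirements would lower.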
Rotating access keys
Much like passwords, access keys for users should also be changed regularly so that you are not relying on long-lived credentials that could be compromised. Because IAM allows each user two access keys, rotation can be done without downtime: create the new key, update every application and script that uses the old one, deactivate (rather than delete) the old key, confirm that nothing breaks, and only then delete it. Keys can be rotated via the AWS CLI or the AWS Management Console, and instructions on how to achieve this can be found here.
AWS recommends that you rotate your access keys at least once every 90 days, and you can use the AWS credential report to identify users whose keys are older than that. Alternatively, use the 'Access key age' column within the IAM users dashboard, which shows the number of days since the oldest active access key was created.
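The two-key overlap that the second access-key slot is designed for looks like this in code. This is an added example, not code from the original post or from AWS. The boto3 IAM calls it relies on are real (list_access_keys, create_access_key, update_access_key and delete_access_key), but FakeIAM is a constructed in-memory stand-in with the same response shapes so the sequence runs offline; the user names and key IDs are likewise constructed. Pass boto3.client("iam") in place of a FakeIAM, together with your own deploy and verify callbacks, to rotate a real key.

```python
"""Rotate an IAM user's access key using the two-key overlap.

Added example, not from the original post or from AWS. FakeIAM is a
constructed stand-in for boto3's IAM client; the method names, arguments
and response shapes match the real client so the same function works
against boto3.client("iam").
"""
from datetime import datetime, timezone


class FakeIAM:
    """Constructed in-memory IAM; enforces the real two-keys-per-user limit."""

    def __init__(self, existing):
        self.keys = {user: [{"UserName": user, "AccessKeyId": k, "Status": s,
                             "CreateDate": datetime.now(timezone.utc)} for k, s in ks]
                     for user, ks in existing.items()}
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(m) for m in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= 2:
            raise RuntimeError("LimitExceeded: a user may have at most two access keys")
        self.created += 1
        md = {"UserName": UserName, "AccessKeyId": f"AKIAEXAMPLE{self.created:04d}",
              "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys.setdefault(UserName, []).append(md)
        return {"AccessKey": dict(md, SecretAccessKey="constructed-secret")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        md = next(m for m in self.keys[UserName] if m["AccessKeyId"] == AccessKeyId)
        md["Status"] = Status
        return {}

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [m for m in self.keys[UserName] if m["AccessKeyId"] != AccessKeyId]
        return {}


def rotate_access_key(iam, user, old_key_id, deploy, verify):
    """Create -> deploy -> deactivate old -> verify -> delete old.

    deploy(key_id, secret) pushes the new key to whatever uses it (CI secrets,
    config files, a secrets manager); verify() returns True once those consumers
    work with it. Deactivating the old key before deleting it keeps a rollback path.
    """
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if old_key_id not in [m["AccessKeyId"] for m in existing]:
        raise ValueError(f"{old_key_id} is not an access key of {user}")
    if len(existing) >= 2:
        # Both slots are full; the overlap needs a free slot, so stop before changing anything.
        raise RuntimeError(f"{user} already has two access keys; delete the unused one first")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    deploy(new["AccessKeyId"], new["SecretAccessKey"])
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Inactive")
    if not verify():
        # Roll back: the old key works again and the unproven new key is removed.
        iam.update_access_key(UserName=user, AccessKeyId=old_key_id, Status="Active")
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("consumers failed with the new key; old key re-activated")
    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)
    return new["AccessKeyId"]


def key_states(iam, user):
    return [(m["AccessKeyId"], m["Status"]) for m in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]


def demo():
    """Three scenarios against the constructed fake; returns each user's final key state."""
    results = {}
    iam = FakeIAM({"alice": [("AKIAOLDALICE00000001", "Active")]})  # happy path
    rotate_access_key(iam, "alice", "AKIAOLDALICE00000001", lambda k, s: None, lambda: True)
    results["alice"] = key_states(iam, "alice")
    iam = FakeIAM({"bob": [("AKIAOLDBOB0000000001", "Active")]})  # consumers reject the new key
    try:
        rotate_access_key(iam, "bob", "AKIAOLDBOB0000000001", lambda k, s: None, lambda: False)
    except RuntimeError:
        pass
    results["bob"] = key_states(iam, "bob")
    iam = FakeIAM({"carol": [("AKIACAROL00000000001", "Active"), ("AKIACAROL00000000002", "Inactive")]})
    try:  # both slots already used: refused before anything changes
        rotate_access_key(iam, "carol", "AKIACAROL00000000001", lambda k, s: None, lambda: True)
    except RuntimeError:
        pass
    results["carol"] = key_states(iam, "carol")
    return results


if __name__ == "__main__":
    for user, state in demo().items():
        print(user, state)
```

The third scenario is the one that bites in practice: a user who already has a forgotten second key cannot be rotated at all until that key is deleted, which is another reason to clean up inactive and never-used keys found by the credential report before a rotation deadline arrives.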
Automatically rotate IAM user access keys at scale with AWS Organizations and AWS Secrets Manager
If you have hundreds or even thousands of users using programmatic access with access keys, then you’ll want to look at more of an automated approach to managing access key rotation. To understand how this can be achieved using AWS CloudFormation, Amazon CloudWatch Events, AWS Identity and Access Management, AWS Lambda, AWS Organizations, Amazon S3, Amazon SES, and AWS Secrets Manager take a look here.
Learn more about AWS Identity and access management
The AWS Identity and Access Management service, commonly known as IAM, is one of the first AWS security services that you will come across when working with AWS. It is the central service for administering user accounts and granting them access to your AWS resources. From user creation, password policies, access policies, roles, groups, and more, understanding AWS IAM is essential if you are looking to enforce stringent security controls within your AWS accounts.
To get a solid understanding, and hands-on experience of all things to do with AWS IAM, take a look at our Learning Path: How to manage and secure your environment using AWS Identity & Access Management (IAM).
Upon completion, you will:
- Understand what is meant by identity and access management and the difference between authentication, authorization, and access control
- Learn the components of IAM as well as its reporting features
- Learn the essentials of users within IAM
- Understand how to create, manage, and configure users using security best practices
- Learn how to manage multiple users with IAM User Groups
- Gain a foundational understanding of IAM roles
- Understand how to use AWS service roles to access AWS resources on your behalf
- Learn how to use IAM user roles to grant temporary access to users
- Understand how to use roles for federated access
- Understand the different types of IAM policies you can expect to see when working within IAM
- Learn how to implement policies effectively to build secure and robust access controls for your users
- Learn how to read IAM policies to understand the permissions they are granting and restricting
- Learn how policy evaluation logic operates
- Understand the core principles of cross-account access using IAM
To learn more about our AWS learning paths and certifications or to schedule a demo