User Account Should Not Have Multiple Access Keys

More Info:

Multiple access keys for the same user should be avoided. There should be just 1 access key per user account.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWS, CBP, HITRUST

Triage and Remediation

How to Prevent

Using Console

Using CLI

To prevent a user account from having multiple access keys in AWS IAM using the AWS CLI, you can follow these steps:

Create a New IAM User Without Access Keys: Ensure that when you create a new IAM user, you do not create multiple access keys for them. Use the following command to create a new IAM user without any access keys:
```
aws iam create-user --user-name NewUserName
```
Attach Policies to the User: Attach the necessary policies to the user without creating multiple access keys. For example, to attach the AmazonS3ReadOnlyAccess policy:
```
aws iam attach-user-policy --user-name NewUserName --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```
Monitor and List Access Keys: Regularly monitor and list the access keys for each user to ensure they do not have multiple access keys. Use the following command to list access keys for a specific user:
```
aws iam list-access-keys --user-name ExistingUserName
```

Enforce Policy to Restrict Multiple Access Keys: Create and attach an IAM policy that restricts users from creating multiple access keys. This can be done by defining a policy that denies the iam:CreateAccessKey action if the user already has an active access key. Here is an example of such a policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "iam:CreateAccessKey",
      "Resource": "arn:aws:iam::*:user/${aws:username}",
      "Condition": {
        "NumericGreaterThan": {
          "aws:RequestTag/AccessKeyCount": "1"
        }
      }
    }
  ]
}

Attach this policy to the users or groups as needed:

aws iam put-user-policy --user-name ExistingUserName --policy-name RestrictMultipleAccessKeys --policy-document file://policy.json

By following these steps, you can prevent IAM users from having multiple access keys using the AWS CLI.

Using Python

To prevent a user account from having multiple access keys in IAM using Python scripts, you can follow these steps:

Set Up AWS SDK (Boto3) for Python:
- Ensure you have the AWS SDK for Python (Boto3) installed. You can install it using pip if you haven’t already:
  pip install boto3

Create a Python Script to List Access Keys:

Write a Python script to list all access keys for a given IAM user. This will help you identify if a user has multiple access keys.

import boto3

# Initialize a session using Amazon IAM
session = boto3.Session(profile_name='your_profile_name')
iam_client = session.client('iam')

# Function to list access keys for a user
def list_access_keys(user_name):
    response = iam_client.list_access_keys(UserName=user_name)
    return response['AccessKeyMetadata']

# Example usage
user_name = 'your_iam_user_name'
access_keys = list_access_keys(user_name)
print(f"Access keys for user {user_name}: {access_keys}")

Check for Multiple Access Keys:

Extend the script to check if a user has more than one access key and print a warning message if they do.

def check_multiple_access_keys(user_name):
    access_keys = list_access_keys(user_name)
    if len(access_keys) > 1:
        print(f"Warning: User {user_name} has multiple access keys.")
    else:
        print(f"User {user_name} has a single access key or none.")

# Example usage
check_multiple_access_keys(user_name)

Automate the Check for All Users:

Automate the process to check all IAM users in your account and ensure none of them have multiple access keys.

def list_all_users():
    response = iam_client.list_users()
    return response['Users']

def check_all_users_for_multiple_access_keys():
    users = list_all_users()
    for user in users:
        user_name = user['UserName']
        check_multiple_access_keys(user_name)

# Example usage
check_all_users_for_multiple_access_keys()

By following these steps, you can create a Python script that checks for multiple access keys for IAM users and helps prevent this misconfiguration. This script can be run periodically or integrated into your CI/CD pipeline to ensure compliance.

Additional Reading:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

User Account Should Not Have Multiple Access Keys

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​How to Prevent

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

How to Prevent

Additional Reading: