CreateAccessKey
Event Information
- The CreateAccessKey event in AWS for IAM refers to the action of creating an access key for an IAM user.
- An access key is a set of credentials (access key ID and secret access key) that allows programmatic access to AWS services and resources.
- This event indicates that a new access key has been generated for an IAM user, which can be used to authenticate and authorize API requests to AWS services.
Examples
- Unauthorized access: Creating an access key without proper authorization can lead to unauthorized individuals gaining access to sensitive resources and data within the AWS account.
- Credential exposure: If the access key is not securely stored or transmitted, it can be intercepted or leaked, potentially exposing the AWS account to unauthorized access.
- Lack of accountability: Without proper monitoring and auditing, it becomes difficult to track and attribute actions performed using the access key, making it challenging to identify and mitigate security incidents.
Remediation
Using Console
-
Example 1: Enforce strong password policy for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Account settings” in the left navigation pane.
- Step 4: Under the “Password policy” section, click on “Edit”.
- Step 5: Configure the password policy settings according to your requirements, such as minimum password length, password complexity requirements, and password expiration.
- Step 6: Click on “Apply password policy” to save the changes.
-
Example 2: Enable multi-factor authentication (MFA) for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Users” in the left navigation pane.
- Step 4: Select the IAM user for which you want to enable MFA.
- Step 5: Click on the “Security credentials” tab.
- Step 6: Under the “Multi-factor authentication (MFA)” section, click on “Manage MFA”.
- Step 7: Follow the on-screen instructions to set up MFA for the user, either by using a virtual MFA device or a hardware MFA device.
-
Example 3: Enable AWS CloudTrail for logging IAM events
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the CloudTrail service.
- Step 3: Click on “Trails” in the left navigation pane.
- Step 4: Click on “Create trail”.
- Step 5: Provide a name for the trail and choose the S3 bucket where the CloudTrail logs will be stored.
- Step 6: Under the “Management events” section, enable logging for IAM events.
- Step 7: Configure any additional settings as required, such as log file encryption and log file validation.
- Step 8: Click on “Create” to create the trail and start logging IAM events.
Using CLI
- Ensure IAM users have strong passwords:
- Use the
update-login-profile
command to enforce a strong password policy for IAM users:aws iam update-login-profile --user-name <user-name> --password <new-password> --password-reset-required
- Enable multi-factor authentication (MFA) for IAM users:
- Use the
enable-mfa-device
command to enable MFA for an IAM user:aws iam enable-mfa-device --user-name <user-name> --serial-number <mfa-serial-number> --authentication-code1 <code1> --authentication-code2 <code2>
- Rotate access keys regularly:
- Use the
create-access-key
command to generate a new access key for an IAM user:aws iam create-access-key --user-name <user-name>
- Use the
delete-access-key
command to delete the old access key:aws iam delete-access-key --user-name <user-name> --access-key-id <access-key-id>
Using Python
- Ensure IAM users have strong passwords:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if their password meets the desired complexity requirements (e.g., minimum length, use of uppercase, lowercase, numbers, and special characters).
- If a user’s password does not meet the requirements, use the
update_login_profile
method to force a password reset for that user.
- Use the
import boto3
def enforce_password_policy():
iam_client = boto3.client('iam')
users = iam_client.list_users()['Users']
for user in users:
password_policy = iam_client.get_account_password_policy()
password_requirements = password_policy['PasswordPolicy']
if not password_requirements['RequireUppercaseCharacters']:
# Implement your logic to enforce uppercase characters requirement
pass
if not password_requirements['RequireLowercaseCharacters']:
# Implement your logic to enforce lowercase characters requirement
pass
if not password_requirements['RequireNumbers']:
# Implement your logic to enforce numbers requirement
pass
if not password_requirements['RequireSymbols']:
# Implement your logic to enforce special characters requirement
pass
if password_requirements['MinimumPasswordLength'] < 8:
# Implement your logic to enforce minimum password length requirement
pass
# Use the update_login_profile method to force a password reset for the user if needed
# iam_client.update_login_profile(UserName=user['UserName'], PasswordResetRequired=True)
- Monitor and log IAM activity:
- Use the
boto3
library in Python to enable CloudTrail for the AWS account. - Configure CloudTrail to log IAM events by specifying the appropriate resource ARNs and event types.
- Use the
boto3
library to retrieve and analyze the CloudTrail logs for IAM-related events.
- Use the
import boto3
def enable_cloudtrail():
cloudtrail_client = boto3.client('cloudtrail')
# Enable CloudTrail for the AWS account
cloudtrail_client.create_trail(
Name='MyCloudTrail',
S3BucketName='my-cloudtrail-bucket',
IsMultiRegionTrail=True
)
# Configure CloudTrail to log IAM events
cloudtrail_client.update_trail(
Name='MyCloudTrail',
IncludeGlobalServiceEvents=True,
DataEvents=[
{
'ReadWriteType': 'All',
'Resources': [
'arn:aws:iam::123456789012:user/*',
'arn:aws:iam::123456789012:role/*'
]
}
]
)
def analyze_cloudtrail_logs():
cloudtrail_client = boto3.client('cloudtrail')
# Retrieve CloudTrail logs for IAM-related events
response = cloudtrail_client.lookup_events(
LookupAttributes=[
{
'AttributeKey': 'EventName',
'AttributeValue': 'CreateUser'
}
]
)
# Analyze the CloudTrail logs for IAM-related events
for event in response['Events']:
# Implement your logic to analyze the event data
pass
- Implement least privilege access:
- Use the
boto3
library in Python to retrieve a list of IAM roles and their associated policies. - For each role, analyze the policies to identify any overly permissive permissions.
- Modify the policies to enforce least privilege access by removing unnecessary permissions.
- Use the
import boto3
def enforce_least_privilege():
iam_client = boto3.client('iam')
roles = iam_client.list_roles()['Roles']
for role in roles:
role_name = role['RoleName']
role_policies = iam_client.list_role_policies(RoleName=role_name)['PolicyNames']
for policy_name in role_policies:
policy = iam_client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
policy_document = policy['PolicyDocument']
# Implement your logic to analyze the policy document and remove unnecessary permissions
pass
# Use the put_role_policy method to update the modified policy
# iam_client.put_role_policy(RoleName=role_name, PolicyName=policy_name, PolicyDocument=new_policy_document)
Please note that the provided code snippets are just examples and may require customization based on your specific requirements and environment.