DeleteSigningCertificate
Event Information
- The DeleteSigningCertificate event in AWS for IAM refers to the action of deleting a signing certificate associated with an IAM user.
- This event indicates that a user’s signing certificate, which is used for digital signing of API requests, has been removed from their IAM account.
- The DeleteSigningCertificate event can be useful for monitoring and auditing purposes, as it allows tracking of changes made to the signing certificates of IAM users.
Examples
-
Unauthorized deletion of a signing certificate: If an attacker gains access to an IAM user’s credentials and performs the DeleteSigningCertificate action, they can remove a valid signing certificate associated with the user. This can compromise the user’s identity and potentially grant unauthorized access to resources.
-
Removal of a trusted certificate: If a signing certificate used for trusted communication between services or systems is accidentally or maliciously deleted using the DeleteSigningCertificate action, it can disrupt the secure communication flow and potentially lead to service outages or data breaches.
-
Impact on certificate-based authentication: If a signing certificate used for certificate-based authentication is deleted using the DeleteSigningCertificate action, it can prevent users or services from authenticating themselves using the certificate. This can result in denied access to resources and disruption of normal operations.
Remediation
Using Console
-
Example 1: Enforce strong password policy for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Account settings” in the left navigation pane.
- Step 4: Under the “Password policy” section, click on “Edit”.
- Step 5: Enable the “Require at least one uppercase letter” option.
- Step 6: Enable the “Require at least one lowercase letter” option.
- Step 7: Enable the “Require at least one number” option.
- Step 8: Enable the “Require at least one non-alphanumeric character” option.
- Step 9: Set the “Minimum password length” to an appropriate value.
- Step 10: Click on “Apply password policy”.
-
Example 2: Enable multi-factor authentication (MFA) for IAM users
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the IAM service.
- Step 3: Click on “Users” in the left navigation pane.
- Step 4: Select the IAM user for which you want to enable MFA.
- Step 5: Click on the “Security credentials” tab.
- Step 6: Under the “Multi-factor authentication (MFA)” section, click on “Manage”.
- Step 7: Click on “Activate MFA”.
- Step 8: Choose the appropriate MFA device option (e.g., virtual MFA device, hardware MFA device).
- Step 9: Follow the on-screen instructions to set up the MFA device.
- Step 10: Click on “Assign MFA”.
-
Example 3: Enable AWS CloudTrail for logging IAM events
- Step 1: Login to the AWS Management Console.
- Step 2: Go to the CloudTrail service.
- Step 3: Click on “Trails” in the left navigation pane.
- Step 4: Click on “Create trail”.
- Step 5: Provide a name for the trail and choose the appropriate settings (e.g., log file validation, S3 bucket for storing logs).
- Step 6: Under the “Management events” section, enable logging for IAM events.
- Step 7: Click on “Create”.
- Step 8: Once the trail is created, go to the IAM service.
- Step 9: Click on “Policies” in the left navigation pane.
- Step 10: Create a new IAM policy that allows the necessary CloudTrail actions and attach it to the IAM users or groups that require access to CloudTrail logs.
Using CLI
- Ensure IAM users have strong passwords:
- Use the
update-login-profile
command to enforce a strong password policy for IAM users:
- Enable multi-factor authentication (MFA) for IAM users:
- Use the
enable-mfa-device
command to enable MFA for an IAM user:
- Rotate access keys regularly:
- Use the
create-access-key
command to generate a new access key for an IAM user: - Use the
delete-access-key
command to delete the old access key:
Using Python
- Ensure IAM users have strong passwords:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if their password is strong by validating it against a set of password complexity rules.
- If a user’s password is weak, use the
update_login_profile
method to force a password reset for that user.
- Use the
- Enable multi-factor authentication (MFA) for IAM users:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if MFA is enabled by calling the
list_mfa_devices
method. - If MFA is not enabled, use the
enable_mfa
method to enable it for the user.
- Use the
- Remove unused IAM access keys:
- Use the
boto3
library in Python to retrieve a list of IAM users. - For each user, check if they have any access keys by calling the
list_access_keys
method. - If the user has unused access keys, use the
delete_access_key
method to remove them.
- Use the