ASSOCIATED DRATA CONTROL
This test is part of the Credentials Rotation control (DCF-783) that ensures your company has implemented processes to change credentials (secrets, access keys, API keys, etc.) periodically based on a defined schedule.
Access keys consist of an access key ID and a secret access key, which together sign programmatic requests to AWS. IAM users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. All access keys should be rotated regularly: rotating a key shortens the window in which a key tied to a compromised or terminated account can still be used.
Access keys should be rotated so that data cannot be accessed with an old key that may have been lost, cracked, or stolen. Issuing a new key does not by itself revoke the old one; the old key must be made inactive or deleted for the rotation to close that exposure.
WHAT TO DO IF A TEST FAILS
Drata validates that every AWS IAM access key has a key age (the time elapsed since the key was created) of less than 90 days. If any AWS IAM access key is 90 days old or older, the test fails.
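The check described above, reduced to code, as an added example that is not Drata's own implementation: find_stale_keys() evaluates a list of access key records in the shape that boto3's iam.list_access_keys returns (UserName, AccessKeyId, Status, CreateDate) against the 90-day threshold, and collect_access_keys() shows how those records would be gathered from a live account. The sample records, the fixed evaluation date, and the choice to skip Inactive keys by default (because deactivating is one of the accepted remediations on this page) are assumptions of the example.

```python
"""Find IAM access keys whose age would fail a 90-day rotation check."""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # the page's threshold: a key must be younger than 90 days


def key_age_days(create_date, now):
    """Whole days since the key was created (CreateDate is timezone-aware UTC)."""
    return (now - create_date).days


def find_stale_keys(key_metadata, now=None, max_age_days=MAX_KEY_AGE_DAYS,
                    include_inactive=False):
    """Return the keys that fail the check, oldest first.

    A key fails when its age is NOT less than max_age_days, so a key created
    exactly 90 days ago already fails. Inactive keys are skipped by default
    (assumption: making a key inactive counts as remediated, as the page's
    remediation steps allow); pass include_inactive=True to list them too.
    """
    now = now or datetime.now(timezone.utc)
    stale = []
    for key in key_metadata:
        if key["Status"] != "Active" and not include_inactive:
            continue
        age = key_age_days(key["CreateDate"], now)
        if age >= max_age_days:
            stale.append({
                "UserName": key["UserName"],
                "AccessKeyId": key["AccessKeyId"],
                "Status": key["Status"],
                "AgeDays": age,
            })
    return sorted(stale, key=lambda k: k["AgeDays"], reverse=True)


def collect_access_keys():
    """Gather AccessKeyMetadata for every IAM user in the account.

    Needs iam:ListUsers and iam:ListAccessKeys. boto3 is imported lazily so the
    offline sample below runs without it installed.
    """
    import boto3
    iam = boto3.client("iam")
    keys = []
    for users_page in iam.get_paginator("list_users").paginate():
        for user in users_page["Users"]:
            key_pages = iam.get_paginator("list_access_keys")
            for keys_page in key_pages.paginate(UserName=user["UserName"]):
                keys.extend(keys_page["AccessKeyMetadata"])
    return keys


# Constructed sample records (not real keys), evaluated at a fixed "now".
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIA0000000000000001", "Status": "Active",
     "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},    # 152 days old
    {"UserName": "analyst", "AccessKeyId": "AKIA0000000000000002", "Status": "Active",
     "CreateDate": datetime(2024, 4, 15, tzinfo=timezone.utc)},   # 47 days old
    {"UserName": "analyst", "AccessKeyId": "AKIA0000000000000003", "Status": "Inactive",
     "CreateDate": datetime(2024, 2, 1, tzinfo=timezone.utc)},    # 121 days old, already inactive
    {"UserName": "ci-runner", "AccessKeyId": "AKIA0000000000000004", "Status": "Active",
     "CreateDate": datetime(2024, 3, 3, tzinfo=timezone.utc)},    # exactly 90 days old: fails
]

if __name__ == "__main__":
    for k in find_stale_keys(SAMPLE_KEYS, now=SAMPLE_NOW):
        print(f'{k["UserName"]}: {k["AccessKeyId"]} is {k["AgeDays"]} days old ({k["Status"]})')
```

Run against a real account by replacing SAMPLE_KEYS with collect_access_keys() and dropping the fixed now; the boundary case matters, because a key created exactly 90 days ago is not "less than 90 days" old and fails the check.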
STEPS TO REMEDIATE
Go to the AWS Management Console and open IAM.
Click on Users, select the user, then open the Security credentials tab.
Click on 'Create access key' to issue a replacement key. An IAM user can hold at most two access keys, so if the user already has two, deactivate and delete the unused one first.
Update the programmatic callers with the new access key credentials and confirm they work.
Make the old key inactive; once nothing breaks, delete it. Repeat for every key that has not been rotated within 90 days. Creating the new key before retiring the old one avoids an outage while callers are switched over.
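The remediation sequence above as a script, added here as an example rather than code from Drata or AWS: create the replacement key, hand it to the caller, deactivate the old key only after the caller confirms the new one works, and delete the old key only once it is already Inactive. The functions accept any object exposing the boto3 IAM client's list_access_keys, create_access_key, update_access_key and delete_access_key methods; FakeIAM is a constructed in-memory stand-in so the example runs offline, and the switch_caller hook, the sample user and key IDs are assumptions of the example.

```python
"""Rotate one IAM user's access key without an outage."""

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


class RotationError(Exception):
    pass


def create_replacement_key(iam, user_name):
    """Step 1: issue the new key. Refuses if the user already holds two."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        raise RotationError(
            f"{user_name} already has {len(existing)} access keys; "
            "deactivate and delete the unused one before creating another")
    return iam.create_access_key(UserName=user_name)["AccessKey"]


def rotate_access_key(iam, user_name, old_key_id, switch_caller):
    """Steps 1-3: create the new key, hand it over, deactivate the old key.

    switch_caller(access_key_id, secret_access_key) is the site-specific hook
    (assumed here) that updates the workload's configuration and returns True
    once a call with the new key succeeds. If it returns False the unused new
    key is removed and the old key stays Active, so the workload keeps working.
    """
    new_key = create_replacement_key(iam, user_name)
    if not switch_caller(new_key["AccessKeyId"], new_key["SecretAccessKey"]):
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_key["AccessKeyId"])
        raise RotationError("caller did not confirm the new key; old key left Active")
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return new_key["AccessKeyId"]


def delete_retired_key(iam, user_name, old_key_id):
    """Step 4, run later: delete the old key, but only if it is already Inactive."""
    status = {k["AccessKeyId"]: k["Status"]
              for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    if status.get(old_key_id) != "Inactive":
        raise RotationError(f"{old_key_id} is {status.get(old_key_id, 'missing')}, "
                            "not Inactive; deactivate it and confirm callers first")
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client (example only)."""

    def __init__(self, keys):
        self.keys = {k["AccessKeyId"]: dict(k) for k in keys}
        self._issued = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values()
                                      if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        self._issued += 1
        key_id = f"AKIANEW{self._issued:013d}"  # constructed ID, not a real key
        self.keys[key_id] = {"UserName": UserName, "AccessKeyId": key_id, "Status": "Active"}
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo_rotation(switch_ok=True):
    """Walk one constructed key through the full rotation; returns (new key ID, key table)."""
    old_id = "AKIAOLD0000000000001"
    iam = FakeIAM([{"UserName": "deploy-bot", "AccessKeyId": old_id, "Status": "Active"}])
    new_id = rotate_access_key(iam, "deploy-bot", old_id,
                               switch_caller=lambda key_id, secret: switch_ok)
    delete_retired_key(iam, "deploy-bot", old_id)
    return new_id, iam.keys


if __name__ == "__main__":
    new_id, keys = demo_rotation()
    print(f"rotated to {new_id}; remaining keys: {list(keys)}")
```

Against a real account, pass boto3.client("iam") instead of FakeIAM and run delete_retired_key as a separate later step, after the deactivated key has sat unused long enough to be sure no caller still depends on it; the Drata test passes as soon as the old key is Inactive, so the delay costs nothing.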
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security's (CIS) Foundations Benchmark for Amazon Web Services, which provides prescriptive guidance for establishing a secure baseline configuration. To learn more, refer to the Center for Internet Security (CIS) section.