ASSOCIATED DRATA CONTROL
This test is part of the Credentials Rotation control (DCF-783) that ensures your company has implemented processes to change credentials (secrets, access keys, API keys, etc.) periodically based on a defined schedule.
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key which might have been lost, cracked, or stolen.
WHAT TO DO IF A TEST FAILS
Drata validates that AWS IAM access keys have a 'key age' of less than 90 days. If it appears that there are AWS IAM access keys older than 90 days, then your test will fail.
STEPS TO REMEDIATE
Go to the AWS Management Console.
Click on Users > Security Credentials.
Delete, or make inactive, the keys that have not been rotated in 90 days.
Click on 'Create Access Key'.
Update programmatic call with the new Access Key credentials.
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security’s (CIS) foundation benchmarks which provides prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.