Updated on 2024-12-10 GMT+08:00

Key Rotation Check

Rule Details

Table 1 Rule details

  Parameter       Description
  Rule Name       access-keys-rotated
  Identifier      access-keys-rotated
  Description     If an IAM user's access key has not been rotated within the specified number of days, this user is noncompliant.
  Tag             iam
  Trigger Type    Periodic
  Filter Type     iam.users

Configure Rule Parameters

maxAccessKeyAge: the maximum number of days that the AK/SK is allowed to remain unchanged. The default value is 90.

Applicable Scenario

Access keys (AK/SK) are commonly used for API access in an enterprise. Rotating access keys regularly limits how long a leaked or otherwise compromised key stays usable, reducing security threats such as key leakage.

Solution

You can create two keys and use them alternately, periodically creating a new key to rotate out the old one. For more details, see Periodically Change Your Identity Credentials.

Rule Logic

  • If an IAM user does not have an access key, the IAM user is compliant.
  • If an IAM user is disabled, the IAM user is compliant.
  • If an IAM user is in the enabled state, and its access key has been rotated within the specified period, this user is compliant.
  • If an IAM user is in the enabled state, but its access key has not been rotated within the specified period, this user is noncompliant.
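The four rule-logic conditions above as a runnable evaluator. This is an added example written for this page, not code from the Config service; the IamUser and AccessKey records, the sample users, the "now" timestamp and the handling of a user with several keys (noncompliant if any key exceeds the limit) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_ACCESS_KEY_AGE = 90  # days; the rule's default for maxAccessKeyAge


@dataclass
class AccessKey:
    access_key_id: str     # the AK part of an AK/SK pair (constructed sample ids below)
    created_at: datetime   # creation time, i.e. when the key was last rotated


@dataclass
class IamUser:
    name: str
    enabled: bool
    access_keys: list = field(default_factory=list)


def key_age_days(key, now):
    """Whole days since the key was created (assumes both datetimes are tz-aware)."""
    return (now - key.created_at).days


def evaluate_user(user, now, max_access_key_age=DEFAULT_MAX_ACCESS_KEY_AGE):
    """Return 'compliant' or 'noncompliant' following the page's rule logic."""
    if not user.access_keys:
        return "compliant"          # rule 1: no access key
    if not user.enabled:
        return "compliant"          # rule 2: disabled user
    # Rules 3 and 4: enabled user, check whether every key was rotated in time.
    # Assumption: a key whose age equals maxAccessKeyAge still counts as "within" the period,
    # and a user is noncompliant as soon as any one of its keys is older than that.
    for key in user.access_keys:
        if key_age_days(key, now) > max_access_key_age:
            return "noncompliant"
    return "compliant"


def evaluate_users(users, now, max_access_key_age=DEFAULT_MAX_ACCESS_KEY_AGE):
    """Map each user name to its compliance result, like a periodic evaluation run."""
    return {u.name: evaluate_user(u, now, max_access_key_age) for u in users}


# Constructed sample data: evaluation time and four users covering each rule branch.
NOW = datetime(2024, 12, 10, tzinfo=timezone.utc)
SAMPLE_USERS = [
    IamUser("alice", True, [AccessKey("AKEXAMPLE1", datetime(2024, 11, 1, tzinfo=timezone.utc))]),   # 39 days old
    IamUser("bob", True, [AccessKey("AKEXAMPLE2", datetime(2024, 8, 1, tzinfo=timezone.utc))]),      # 131 days old
    IamUser("carol", False, [AccessKey("AKEXAMPLE3", datetime(2024, 1, 1, tzinfo=timezone.utc))]),   # disabled
    IamUser("dave", True, []),                                                                        # no key
]

if __name__ == "__main__":
    for name, result in evaluate_users(SAMPLE_USERS, NOW).items():
        print(f"{name}: {result}")
```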