Key Rotation Check
Rule Details
Parameter | Description
---|---
Rule Name | access-keys-rotated
Identifier | access-keys-rotated
Description | If an IAM user's access key has not been rotated within the specified number of days, the user is noncompliant.
Tag | iam
Trigger Type | Periodic
Filter Type | iam.users
Configure Rule Parameters | maxAccessKeyAge: the maximum number of days that an access key (AK/SK) is allowed to remain unchanged. The default value is 90.
Applicable Scenario
Access keys (AK/SK) are commonly used for API access in an enterprise. Rotating access keys regularly limits the window in which a leaked or otherwise exposed key remains usable, reducing the impact of threats such as key leakage.
Solution
You can create two access keys and use them alternately: periodically create a new key, switch to it, and retire the old one. For more details, see Periodically Change Your Identity Credentials.
Rule Logic
- If an IAM user does not have an access key, the IAM user is compliant.
- If an IAM user is disabled, the IAM user is compliant.
- If an IAM user is enabled and its access key has been rotated within the specified period, the IAM user is compliant.
- If an IAM user is enabled but its access key has not been rotated within the specified period, the IAM user is noncompliant.
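The following is an added example that applies the four rule-logic cases above to a constructed list of IAM users; it is not the Config service's own implementation. It assumes a key's creation time is its last rotation time, that a user with several keys is noncompliant if any one of them is older than maxAccessKeyAge, and that a key exactly maxAccessKeyAge days old still counts as rotated within the period. The user names and key identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Default mirrors the rule's maxAccessKeyAge default of 90 days.
DEFAULT_MAX_ACCESS_KEY_AGE = 90


@dataclass
class AccessKey:
    """One AK/SK pair. Only metadata is modelled; the secret itself is not needed here."""
    access_key_id: str      # constructed placeholder id, not a real access key
    created_at: datetime    # assumption: creation time is the "last rotated" time


@dataclass
class IamUser:
    name: str
    enabled: bool
    access_keys: List[AccessKey] = field(default_factory=list)


def key_age_days(key: AccessKey, now: datetime) -> int:
    """Whole days elapsed since the key was created."""
    return (now - key.created_at).days


def evaluate_user(user: IamUser,
                  max_access_key_age: int = DEFAULT_MAX_ACCESS_KEY_AGE,
                  now: Optional[datetime] = None) -> str:
    """Apply the rule-logic cases in the order the page lists them."""
    now = now or datetime.now(timezone.utc)
    if not user.access_keys:
        return "Compliant"              # no access key at all
    if not user.enabled:
        return "Compliant"              # disabled users are not evaluated further
    # Assumption: every key of an enabled user must have been rotated, so the
    # oldest key decides the result; age == maxAccessKeyAge still passes.
    oldest_age = max(key_age_days(k, now) for k in user.access_keys)
    if oldest_age <= max_access_key_age:
        return "Compliant"
    return "NonCompliant"


def evaluate_users(users: List[IamUser],
                   max_access_key_age: int = DEFAULT_MAX_ACCESS_KEY_AGE,
                   now: Optional[datetime] = None) -> Dict[str, str]:
    """Evaluate a whole iam.users listing, as a periodic trigger would."""
    return {u.name: evaluate_user(u, max_access_key_age, now) for u in users}


# Constructed sample data with a fixed "now" so results are reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def make_user(name: str, enabled: bool, key_ages: List[int]) -> IamUser:
    """Build a constructed user whose keys are key_ages days old at SAMPLE_NOW."""
    keys = [AccessKey(f"AK-{name}-{i}", SAMPLE_NOW - timedelta(days=age))
            for i, age in enumerate(key_ages)]
    return IamUser(name, enabled, keys)


SAMPLE_USERS = [
    make_user("no-key-user", True, []),          # compliant: no access key
    make_user("disabled-user", False, [400]),    # compliant: user disabled
    make_user("fresh-key-user", True, [30]),     # compliant: rotated recently
    make_user("stale-key-user", True, [120]),    # noncompliant: older than 90 days
    make_user("two-key-user", True, [10, 100]),  # noncompliant: one key is stale
    make_user("boundary-user", True, [90]),      # compliant: exactly at the limit
]


def run_sample(max_access_key_age: int = DEFAULT_MAX_ACCESS_KEY_AGE) -> Dict[str, str]:
    """Evaluate the constructed users against a given maxAccessKeyAge."""
    return evaluate_users(SAMPLE_USERS, max_access_key_age, SAMPLE_NOW)


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(f"{name:16s} {result}")
```

Passing a different maxAccessKeyAge to run_sample shows how tightening the parameter (for example to 30 days) moves users across the compliance boundary, which is useful when deciding on a rotation window before deploying the rule.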